-
Type:
Bug
-
Status: Closed
-
Priority:
Medium
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Environment:Production
-
Module:BenAdmin - Security
-
Reported by:Harbinger
-
Item State:Production QA
[Secure Test] Request Details of Get URL for viewing Benefit Descriptions are having parameters as plain text and using same URL plan descriptions can be accessed across company.
Start Tamper Data plugin for viewing Request Details.
1. Login as Admin to Company 2.
2. Login as Employee to Company 1
3. Traverse Employee Self Serve mode to Enroll now plans like Medical,Dental,Vision etc.
4. Click on Benefit Description
5. Go to Tamper Data and check for the Request Details. Refer Screen Shots for details.
6. Copy the URL and paste it in the Admin user's session of company 2
7. Using same URL plan descriptions can be accessed across company.
Refer screenshots for details
| Field | Original Value | New Value |
|---|---|---|
| Status | Open [ 1 ] | In Development [ 10007 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Prasad Pise [ prasadp ] |
| Item State | Parent values: Development(10200)Level 1 values: Ready for Local Testing(10209) |
| Module | Parent values: BenAdmin(10100) | Parent values: BenAdmin(10100)Level 1 values: Security(10112) |
| Item State | Parent values: Development(10200)Level 1 values: Ready for Local Testing(10209) | Parent values: LB QA(10201)Level 1 values: LB Deployed(11600) |
| Issue Category | EBS [ 10350 ] | Harbinger [ 10700 ] |
| Attachment | EmployeeSSM-1.jpg [ 31232 ] | |
| Attachment | TamperedEmployeeSSM-2.jpg [ 31233 ] |
I have verified the bug fix on LB. Issue is not reproducible when I Copy+Paste the URL as it is generated when clicked on Benefit Description button.
However, If I remove the value of parameter "encryptedCompanyID" and hit Enter key then the plan details are still accessible across the company.
Please refer attached screenshot for step wise details.
Could you please confirm.
CC: SamirVijay Siddha
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Status | Local Testing [ 10200 ] | Reopen in Local [ 10018 ] |
| Assignee | Prasad Pise [ prasadp ] | Vijayendra Shinde [ ID10506 ] |
| Status | Reopen in Local [ 10018 ] | In Development [ 10007 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Prasad Pise [ prasadp ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Issue verified on LB after patch deployment. I tried by removing the value of parameter "encryptedCompanyID" and hit Enter key. No Plan details displayed.
User is asked to click on "Return to home page" button.
Thanks
-Prasad
| Item State | Parent values: LB QA(10201)Level 1 values: LB Deployed(11600) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Assignee | Prasad Pise [ prasadp ] | Vijayendra Shinde [ ID10506 ] |
Hi Prasad Pise,
Please assign this ticket to Rakesh Roy for functional testing after your testing.
Thanks,
Vijayendra
CC: Samir, Vijay Siddha, Rakesh Roy
| Assignee | Vijayendra Shinde [ ID10506 ] | Prasad Pise [ prasadp ] |
Khandu Kshirsagar (Inactive)
made changes -
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
| Status | Local Testing [ 10200 ] | Stage Testing [ 10201 ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202)Level 1 values: In Testing(10214) |
Issue verified on Stage after patch deployment. I tried by removing the value of parameter "encryptedCompanyID" and hit Enter key. No Plan details displayed.
User is asked to click on "Return to home page" button.
Thanks
- Prasad
| Assignee | Prasad Pise [ prasadp ] | Rakesh Roy [ rakeshr ] |
As mentioned above, assigned ticket to Rakesh Roy for functional testing.
| Assignee | Rakesh Roy [ rakeshr ] | Priya Dhamande [ priya.dhamande ] |
Environment: Stage
Company: ASML for Hspl
The patch is tested for Benefit description functionality on Stage.
Steps:
1. Benefit Description Added for Medical and Dental plans.
2. Benefit Type > Marked the check box for Benefit description drop down.
3. Add/Change Plan Design > Employees must view Benefit Description dropdown > Yes > Save
4., Employee Login > Enroll Now Page > Medical Plan must have Benefit description
5. Benefit Description Button > Benefit Description popup > Doc should open
As the link appears for fraction of sec. so not able to copy the link and check with other company Admin.
For the functionality of Benefit Description functionality it is working as expected. So, moving the jira on further step.
Prasad Pise: Assigning the jira to you for Production security testing.
| Item State | Parent values: Stage QA(10202)Level 1 values: In Testing(10214) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
| Assignee | Priya Dhamande [ priya.dhamande ] | Prasad Pise [ prasadp ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) |
| Status | Stage Testing [ 10201 ] | Production Testing [ 10202 ] |
Hi Vijayendra Shinde
Security Testing completed on Production for this issue.
Thanks
-Prasad
CC : SamirVijay SiddhaRakesh Roy
| Resolution | Fixed [ 1 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
| Assignee | Prasad Pise [ prasadp ] | Rakesh Roy [ rakeshr ] |
| Item State | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) | Parent values: Production QA(10203)Level 1 values: In Testing(10218) |
Environment: Production
Company: El Camino Hospital For HSPL
Login: Employee and Partner
The patch is tested for Benefit description functionality on Production.
Steps:
1. Benefit Description Added for Medical plans.
2. Benefit Type > Marked the check box for Benefit Description drop down.
3. Add/Change Plan Design > Employees must view Benefit Description dropdown > Yes > Save
4. Employee Login > Enroll Now Page > Medical Plan must have Benefit Description OR
Partner login> Serach Employee > Benefits > Enroll now > Benefit Description
5. Benefit Description Button > Benefit Description popup > Doc opens
As mentioned during Stage Testing, the link appears for fraction of sec. so not able to copy the link and check with other company Admin.
For the functionality of Benefit Description functionality it is working as expected on production. So, closing the jira on production.
| Item State | Parent values: Production QA(10203)Level 1 values: In Testing(10218) | Parent values: Production QA(10203) |
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |
| Environment_New | Production [ 18442 ] |
| Link | This issue relates to DEV-13718 [ DEV-13718 ] |
| Transition | Time In Source Status | Execution Times |
|---|
|
7d 18h 13m | 1 |
|
8s | 1 |
|
10h 17m | 1 |
|
5d 18h 26m | 2 |
|
1d 22h 59m | 1 |
|
2d 17m | 1 |
|
21m 15s | 1 |
|
1h 17m | 1 |
Hi Prasad Pise,
Code has been checked in into LB branch. You can test this patch after LB deployment.
Thanks,
Vijayendra
CC: Samir, Vijay Siddha