[WT-9842] [Security]-[Authorization Failure] Employee & Company Admin can access the 'Dashboard Configuration' page over the URL. - Workterra Jira

Details

Type: Bug
Status: In Development
Priority: Medium
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Platform
Labels:
None

Environment:

Production, Stage, QA
Bug Type:
Functional
Bug Severity:
Medium
Level:

Admin, Employee
Module:
Platform - Security
Reported by:
Harbinger
Company:
All Clients/Multiple Clients
Item State:
Development - On Hold
Issue Importance:
Q2
Browser:

Google Chrome
Sprint:
WT Sprint 33-Bugs

Description

[Security]-[Authorization Failure] Employee & Company Admin can access the 'Dashboard Configuration' page over the URL.

Replication Steps:
1. Login as Partner in workterra
2. Go to Company Dashboard page.
3. Copy the URL.
4. Login as Employee or Company Admin in other browser
5. Paste the URL for Employee or Company Admin to access.

Actual result:
Employee & Company Admin can access the Dashboard Configuration Settings page and can update the Employee level settings

Expected Result:
If the access is allowed then, "Dashboard Configuration" should be listed in Menu Items for Company Admin and Employee
It the access not allowed then "Unauthorized Access" page should be displayed.

Issue tested on Azure and Stage.

CC : Rakesh Roy Samir

Attachments

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Aditya Vishwakarma (Inactive) added a comment - 05/Jul/17 07:30 AM - edited

This is due to design.
This will be restructured in UI Refresh.

Jaideep Vinchurkar

Show

Aditya Vishwakarma (Inactive) added a comment - 05/Jul/17 07:30 AM - edited This is due to design. This will be restructured in UI Refresh. Jaideep Vinchurkar

Hide

Permalink

Prasad Pise (Inactive) added a comment - 05/Jul/17 08:43 AM

CC : Satya Vijayendra Shinde Rakesh Roy shyam sharma Bharti Satpute Samir

These kind of issue are present on Azure-UI Refresh environment too.
Please confirm.

Show

Prasad Pise (Inactive) added a comment - 05/Jul/17 08:43 AM CC : Satya Vijayendra Shinde Rakesh Roy shyam sharma Bharti Satpute Samir These kind of issue are present on Azure-UI Refresh environment too. Please confirm.

Hide

Permalink

Jaideep Vinchurkar (Inactive) added a comment - 05/Jul/17 11:22 AM

Yes there are such issues on UI refresh. But the menu structure is complete different on UI refresh so there should be a task to upgrade / change access policy.

Show

Jaideep Vinchurkar (Inactive) added a comment - 05/Jul/17 11:22 AM Yes there are such issues on UI refresh. But the menu structure is complete different on UI refresh so there should be a task to upgrade / change access policy.

Hide

Permalink

Jaideep Vinchurkar (Inactive) added a comment - 05/Jul/17 11:39 AM

Sorry, I take my words back. Company admin should not have access to global level menus.
Aditya Vishwakarma, please remove page level access of compay admin for dashboard configuration page.

Show

Jaideep Vinchurkar (Inactive) added a comment - 05/Jul/17 11:39 AM Sorry, I take my words back. Company admin should not have access to global level menus. Aditya Vishwakarma , please remove page level access of compay admin for dashboard configuration page.

Hide

Permalink

Aditya Vishwakarma (Inactive) added a comment - 07/Jul/17 05:55 AM

Marking it as on hold due to ~~WT-9613~~

Show

Aditya Vishwakarma (Inactive) added a comment - 07/Jul/17 05:55 AM Marking it as on hold due to WT-9613

Hide

Permalink

Prasad Pise (Inactive) added a comment - 04/Mar/18 01:06 PM

Hi Vijayendra Shinde

I have verified Over the URL access for Admin User for "Company Module Mapping" tab. It is fixed now. Admin gets the "Unauthorized Access" page when try to access " Company Module Mapping" tab.

However, following are Global Settings menu which are accessible to Admin user over the URL.

Clone Company - Access Allowed & Page displayed.
Manage Partner/Broker Users - Server Error Pop-up gets displayed
User Credential Settings - Access Allowed & page displayed.

Expected output is, Unauthorized Access page should get displayed.

Show

Prasad Pise (Inactive) added a comment - 04/Mar/18 01:06 PM Hi Vijayendra Shinde I have verified Over the URL access for Admin User for "Company Module Mapping" tab. It is fixed now. Admin gets the "Unauthorized Access" page when try to access " Company Module Mapping" tab. However, following are Global Settings menu which are accessible to Admin user over the URL. Clone Company - Access Allowed & Page displayed. Manage Partner/Broker Users - Server Error Pop-up gets displayed User Credential Settings - Access Allowed & page displayed. Expected output is, Unauthorized Access page should get displayed.

People

Assignee:: Vijayendra Shinde (Inactive)

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15/Jun/17 01:08 PM

Updated:: 15/Dec/20 02:53 AM

Resolved:: 05/Jul/17 11:46 AM

Dev Due Date:: 26/Jul/2017

Time Tracking

Estimated:

Remaining:

Logged:

49h