LS9 ESS security and Servlet calls

 10 Replies
 0 Subscribed to this topic
 15 Subscribed to this forum
Sort:
Author
Messages
Lien
Basic Member
Posts: 6
Basic Member
    Hi, we are on LS9 and came across an issue where an ESS employee can view another employee’s personal information through a servlet call. The employee uses a debugging tool to get the URL then substitute their employee ID with someone else’s. We’ve tried to lock down all the HR, PA, PR, etc. related tables and forms with conditional rules. But we are still able to return sensitive data using the servlet call.

    Tried with this rule:
    if(user.getCompany()==table.COMPANY&&user.getEmployeeId()==form.EMP_EMPLOYEE)
    'A,M,D,'
    else
    'ALL_ACCESS,'

    Then tried with this rule:
    if(trim(table.EMPLOYEE)==user.getEmployeeId())
    'A,C, D, I,'
    else
    'NO_ACCESS,'

    The only form that seems to be working with the second rule is for PA67, no other forms or tables seem to be working. Has anyone experience this? Any help will be much appreciated.
    John Henley
    Posts: 3353
      Hi Lien. I'm assuming you have fired the (devious) employee using a debugging tool!
      I notice that you have mixed table.COMPANY and form.EMP_EMPLOYEE -- was that intentional?
      Thanks for using the LawsonGuru.com forums!
      John
      Lien
      Basic Member
      Posts: 6
      Basic Member
        Hi John, I actually got this from one of the postings and wanted to try it. At this point...I am lost :-(
        Jimmy Chiu
        Veteran Member
        Posts: 641
        Veteran Member
          Your first rule will give either "A,M,D" access or "ALL ACCESS", so it's no good.

          Try something like this under "files" / "HR" / "EMPLOYEE/PAEMPLOYEE" table

          if(user.getCompany()==lztrim(table.COMPANY)&&user.getEmployeeId()==lztrim(table.EMPLOYEE))
          'ALL_ACCESS'
          else
          'NO_ACCESS'



          Lien
          Basic Member
          Posts: 6
          Basic Member
            Hi Jimmy, I just tried it and I can still see the return data.
            Greg Moeller
            Veteran Member
            Posts: 1498
            Veteran Member
              From a command line, What is returned by lawsec ?
              Lien
              Basic Member
              Posts: 6
              Basic Member
                security is on: Lawson Security Is On.
                John Henley
                Posts: 3353
                  You probably have another class/role that is overruling this one. I'm assuming you aren't actually testing as that user, but rather as a test user assigned to the same roles. Easiest way to trouble shoot is to turn on debug for that test user and then look at lase logs, which will show which rule granted access.

                  Also, what is the specific servlet call that is used?=
                  Thanks for using the LawsonGuru.com forums!
                  John
                  Lien
                  Basic Member
                  Posts: 6
                  Basic Member
                    Yes, I am testing on DEV. Here is the servlet call

                    https://servername/servle...ET1&SELECT=EMPLOYEE=&OUT=XML%20HTTP/1.1
                    John Henley
                    Posts: 3353
                      You would need to add the rule that was added for EMPLOYEE/PAEMPLOYEE to apply to all tables you want to protect, including PRRATEHIST.

                      Thanks for using the LawsonGuru.com forums!
                      John
                      Lien
                      Basic Member
                      Posts: 6
                      Basic Member
                        Yes, I added the rule to all the forms that we wanted to protect and all tables like BENEFICRY, BENEFIT, EMPLOYEE, HRDEPBEN, PAEMPLOYEE, PRRATEHIST, TAEMPTRANS, etc. I will turn on the debug and see if I see anything.