Kbase P132256: 4GL/ABL: BUFFER-COPY statement does not respect table level permissions.
Author: Progress Software Corporation - Progress
Access: Public
Published: 11/17/2008
Status: Unverified
SYMPTOM(s):
4GL/ABL: BUFFER-COPY statement does not respect table level permissions.
BUFFER-COPY statement ignores table-level CREATE, WRITE, DELETE and LOAD security restrictions.
The BUFFER-COPY statement allows a user whose table CREATE, WRITE, DELETE and LOAD permissions are revoked to modify the table data using a buffer.
A user jack whose table-level CREATE, WRITE, DELETE and LOAD permissions have been revoked is able to write to the table using the BUFFER-COPY statement.
The Item table-level CREATE, WRITE, DELETE and LOAD permissions are set as follows:
_Can-Create = "!jack,*"
_Can-Write = "!jack,*"
_Can-Delete = "!jack,*"
_Can-Load = "!jack,*"
Despite the above table-level restrictions, user jack can execute the following code and write to the Item table:
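/* Run as user jack, who is denied at table level on Item. */
DEFINE BUFFER bItem FOR Item.
FIND FIRST bItem NO-LOCK NO-ERROR.
FOR EACH ITEM WHERE itemnum > 1:
    /* Overwrites every field except itemnum with the values from bItem. */
    BUFFER-COPY bItem EXCEPT itemnum TO ITEM.
END.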
FACT(s) (Environment):
All Supported Operating Systems
Progress 9.1x
OpenEdge 10.x
CAUSE:
Bug# OE00170077
FIX:
Upgrade to OpenEdge 10.2A or later. If upgrading to OpenEdge 10.2A or later is not feasible, then a workaround is to set the field-level WRITE permissions for the user. For example, running the following code prevents user jack from successfully running the above code that writes to the Item table. This will be effective regardless of what the table-level security permissions are set to for that user:
/* Deny jack WRITE on every field of the Item table. */
FIND _File WHERE _file-Name = "Item" NO-LOCK NO-ERROR.
FOR EACH _field OF _file:
    ASSIGN
        _field._can-Write = "!jack,*".
END.
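To see where the field-level workaround still has to be applied, the following added example (not part of the original Kbase entry) lists every field that a user can still write at field level although the table-level _Can-Write list denies that user. It assumes a connected database, checks WRITE only, uses the hypothetical variable name cUser, and relies on the ABL CAN-DO function to evaluate the permission lists.

```abl
/* Added example: audit for the field-level workaround.                  */
/* cUser is an assumed variable name; "jack" is the user from the entry. */
DEFINE VARIABLE cUser AS CHARACTER NO-UNDO INITIAL "jack".

/* User tables only: skip hidden schema tables. */
FOR EACH _File NO-LOCK
    WHERE _File._Hidden = FALSE:

    /* Table-level WRITE still granted: no restriction to back up. */
    IF CAN-DO(_File._Can-Write, cUser) THEN NEXT.

    /* Table-level WRITE is denied; report each field whose own
       _Can-Write list still admits the user. */
    FOR EACH _Field OF _File NO-LOCK
        WHERE CAN-DO(_Field._Can-Write, cUser):
        DISPLAY
            _File._File-Name   FORMAT "x(32)" LABEL "Table"
            _Field._Field-Name FORMAT "x(32)" LABEL "Field still writable"
            WITH DOWN.
    END.
END.
```

An empty result means every table that denies the user WRITE at table level is also closed to that user at field level.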