webERP Forum
Process Recurring Orders - Security Issue - Printable Version

+- webERP Forum (http://www.weberp.org/forum)
+-- Forum: webERP Discussion (/forumdisplay.php?fid=1)
+--- Forum: Problems / Bugs? (/forumdisplay.php?fid=8)
+--- Thread: Process Recurring Orders - Security Issue (/showthread.php?tid=7941)



Process Recurring Orders - Security Issue - VortecCPI - 11-28-2017 11:17 AM

Main Menu > Sales > Process Recurring Orders

After execution the page leaves me without a proper header and credentials. I must log out to start again.

[attachment=562]

[attachment=563]

It appears the code on line 5 in RecurringSalesOrderProcess.php may be the cause because if I comment it out the page works as expected:

Line 5: //$AllowAnyone = true;

I see $AllowAnyone = true; is used in 13 other places in webERP and it appears it is related to background CRON jobs.

We will have recurring orders so this slick feature could be very useful to us. I would really like to know the best way to proceed with resolution of this issue.

Any help or thoughts are greatly appreciated!


RE: Process Recurring Orders - Security Issue - TurboPT - 11-28-2017 01:54 PM

At one point Tim [I believe] had mentioned the desire/need to eliminate the $AllowAnyone, but I don't recall the specifics at the moment. It was primarily the security aspect if I recall correctly, but there might be other reasons.

I'll try to look back for details, but he might stop by before I find the info.

=====

I found some old discussion [2014] about the AllowAnyone here. [scroll down; post #8 is where it starts]


RE: Process Recurring Orders - Security Issue - VortecCPI - 11-28-2017 09:59 PM

Thank you for your insight into this issue.

I guess I have to ask how and why we have leftovers such as this in the code. I love OS products but it is things like this that make people move away from it.

Am I really the only one who will be using Recurring Orders and has this issue?

Not criticizing... Just asking...


RE: Process Recurring Orders - Security Issue - falkoner - 11-28-2017 11:35 PM

I always remove the $AllowAnyone flag from my customers' implementations. To my mind anything that allows all security to be overridden is a _bad_ thing in an accounting application.

As I recall the 2014 thread Paul refers to arose from a Google hangout I had with Exson when he also brought up concerns about this. However as I remember it also meant Phil tried to stop me helping people on this forum so I won't get into it all again.

Tim
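
The two posts above describe the problem in the abstract: a page-level $AllowAnyone = true variable, intended for scheduled (cron) runs, switches off the login check for anyone who requests that page, and the safe fix is to stop relying on such a flag. The PHP below is an added illustration written for this thread; it is not webERP's own code and does not reproduce its include structure. The function names (weakAuthGate, hardenedAuthGate), the 'UserID' session key and the page layout are assumptions. It shows the weak pattern beside a hardened one that ties the exemption to how the script was invoked (PHP_SAPI === 'cli') rather than to a variable any page can set.

```php
<?php
// Added example for the thread above, not webERP code.
// Assumed: a session check that is included by every page and that, in the
// weak pattern, is skipped entirely when the page sets $AllowAnyone = true.

// ---- Weak pattern (what the thread reports) -----------------------------
// A page that sets $AllowAnyone = true before the session check is served to
// unauthenticated visitors, because the whole check is bypassed.
function weakAuthGate(array $session, bool $allowAnyone): bool
{
    if ($allowAnyone) {
        return true;                   // entire security layer skipped
    }
    return isset($session['UserID']);  // assumed session key
}

// ---- Hardened pattern ---------------------------------------------------
// A scheduled job has no browser session to check, but a browser request for
// the same script must still require a login. Decide on the invocation
// context, which a remote visitor cannot influence, instead of a flag.
function hardenedAuthGate(array $session, string $sapi): bool
{
    if ($sapi === 'cli') {
        return true;                   // cron/CLI run: no HTTP user exists
    }
    return isset($session['UserID']);  // web run: normal login required
}

// ---- How a page would use it (hypothetical page layout) -----------------
// No $AllowAnyone variable anywhere; the same file serves both cron and web.
session_start();
if (!hardenedAuthGate($_SESSION, PHP_SAPI)) {
    http_response_code(403);
    exit('Login required');
}

// Constructed inputs showing the difference between the two gates:
// an anonymous web visitor against a page that set the flag.
$anonymousWebVisitor = [];
$flagSetByPage       = true;
$passesWeak     = weakAuthGate($anonymousWebVisitor, $flagSetByPage);        // true
$passesHardened = hardenedAuthGate($anonymousWebVisitor, 'apache2handler');  // false
$cronStillRuns  = hardenedAuthGate([], 'cli');                               // true
```

With this arrangement the cron entry runs the script through the php CLI binary, where the gate lets it through, while a browser hitting the same URL still needs a logged-in session. Removing the flag from every file that sets it (the thread counts 13 besides RecurringSalesOrderProcess.php) is what closes the bypass; the gate above only makes the replacement explicit.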


RE: Process Recurring Orders - Security Issue - VortecCPI - 11-29-2017 01:19 AM

Tim - Thank you for your input - Greatly appreciated!