Security Sync Apps Flaw when using LDAP (per user per app security)

Hi All,

In case this helps anyone. I have resolved this myself after discovering a flaw as I needed a solution now. I will also report this to Scriptcase.

Consider the following natural steps you would expect to work (but don’t):

  1. Sync users (to populate application database with all users)
  2. Sync apps (this adds all new applications to the apps table, then inserts a new record into the users apps table)
  3. More users added, resync users
  4. Create more apps
  5. Sync Apps - inserts into users apps table for only new apps. But ignores any previous apps already identified in the apps database table

The problem with the module is it reads all apps from the filesystem, it then reads all apps from the database. It creates an array of remaining apps (filesystem apps minus database apps). These apps in the array are then used to create new user/app entries. This means previous apps will not be assigned to new users.

There are 3 options to fix this.

  1. Delete all entries from the sec_apps table and sec_users_apps, leaving at least an administrator!! Resync everything again! This is not a good solution at all!

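  2. Manually add new members to the sec_users_apps table with the following SQL query:

         // Insert the ($app, $usr) pair only if it is not already present.
         // $app and $usr are interpolated straight into the SQL text, so they
         // must not contain quotes or other untrusted characters.
         $insertSQL = "INSERT INTO dbo.sec_users_apps(app_name, login) ".
                      "SELECT '$app','$usr' WHERE not exists ".
                      "(SELECT * FROM sec_users_apps where login ='$usr' and app_name = '$app');";
         sc_exec_sql($insertSQL);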
    
  3. Change the module itself which is what I have done. It’s not robust but it works.

Comment out the line that does the difference.

//$arr_apps = array_diff($arr_apps, $arr_apps_db);

At the end of the module,

Iterate through each app and each user and run the query in 2.

It’s slow but at least new users gain access to your app!

I will report this to Scriptcase, but as I have a solution myself I won’t be pushing it through too hard.

I hope this helps someone else who may not realize there is a problem.

ta
Arthur

2 Likes
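
The sync behaviour described in the post above, reproduced as an added example (not the poster's code and not Scriptcase's module). It assumes PHP with the PDO SQLite driver, a `sec_users` table with a `login` column, and hypothetical helper names `grant`, `syncApps` and `appsFor`; all users and app names are constructed. The insert binds its values instead of interpolating them into the SQL string.

```php
<?php
// Added illustration: stand-alone reproduction using PDO with in-memory SQLite.
// sec_users, the helper names and every sample row are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sec_users (login TEXT PRIMARY KEY)");
$db->exec("CREATE TABLE sec_apps (app_name TEXT PRIMARY KEY)");
$db->exec("CREATE TABLE sec_users_apps (login TEXT, app_name TEXT, PRIMARY KEY (login, app_name))");

// Grant one (login, app) pair only when it is missing. Values are bound as
// parameters, so a login containing a quote is stored as data, not parsed as SQL.
function grant(PDO $db, string $login, string $app): void {
    $db->prepare("INSERT INTO sec_users_apps (login, app_name)
                  SELECT ?, ? WHERE NOT EXISTS
                  (SELECT 1 FROM sec_users_apps WHERE login = ? AND app_name = ?)")
       ->execute([$login, $app, $login, $app]);
}

// $diffOnly = true mimics the module: grants are created only for apps not yet in sec_apps.
function syncApps(PDO $db, array $fsApps, bool $diffOnly): void {
    $dbApps  = $db->query("SELECT app_name FROM sec_apps")->fetchAll(PDO::FETCH_COLUMN);
    $newApps = array_diff($fsApps, $dbApps);
    $ins = $db->prepare("INSERT INTO sec_apps (app_name) VALUES (?)");
    foreach ($newApps as $app) { $ins->execute([$app]); }
    $toGrant = $diffOnly ? $newApps : $fsApps;
    $users = $db->query("SELECT login FROM sec_users")->fetchAll(PDO::FETCH_COLUMN);
    foreach ($toGrant as $app) {
        foreach ($users as $login) { grant($db, $login, $app); }
    }
}

function appsFor(PDO $db, string $login): array {
    $q = $db->prepare("SELECT app_name FROM sec_users_apps WHERE login = ? ORDER BY app_name");
    $q->execute([$login]);
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

// Steps 1 to 5 from the post, with constructed users and apps.
$db->prepare("INSERT INTO sec_users VALUES (?)")->execute(['alice']);
syncApps($db, ['app_a'], true);                       // first app sync
$db->prepare("INSERT INTO sec_users VALUES (?)")->execute(["o'brien"]);
syncApps($db, ['app_a', 'app_b'], true);              // diff-only sync after a new user and app
echo "diff-only: ", implode(',', appsFor($db, "o'brien")), "\n";
syncApps($db, ['app_a', 'app_b'], false);             // sync over the full app list
echo "full list: ", implode(',', appsFor($db, "o'brien")), "\n";
```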

Hi,
Thanks for sharing that! Helpful.
Hope that SC Team will work on this module to deliver a real and reliable security module in the near future.
Having group structure available would be nice as well.