25 lines
1017 B
Plaintext
25 lines
1017 B
Plaintext
|
Checking logged users' permissions by comparing their name to a hardcoded string can create security vulnerabilities. It prevents system administrators from changing users' permissions when needed (example: when their account has been compromised). Thus system fields <code>SY-UNAME</code> and <code>SYST-UNAME</code> should not be compared to hardcoded strings. Use instead <code>AUTHORITY-CHECK</code> to check users' permissions.
|
||
|
|
|
||
|
|
This rule raises an issue when either of the system fields <code>SY-UNAME</code> or <code>SYST-UNAME</code> are compared to a hardcoded value in a <code>CASE</code> statement or using one of the following operators: <code>=</code>, <code>EQ</code>, <code><></code>, <code>NE</code>.
|
||
|
|
|
||
|
|
== Noncompliant Code Example
|
||
|
|
|
||
|
|
----
|
||
|
|
IF SY-UNAME = 'ALICE'. " Noncompliant
|
||
|
|
ENDIF.
|
||
|
|
|
||
|
|
CASE SY-UNAME.
|
||
|
|
WHEN 'A'. " Noncompliant
|
||
|
|
ENDCASE.
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
----
|
||
|
|
AUTHORITY-CHECK OBJECT 'S_CARRID'
|
||
|
|
ID 'CARRID' FIELD mycarrid.
|
||
|
|
IF sy-subrc <> 0.
|
||
|
|
MESSAGE 'Not authorized' TYPE 'E'.
|
||
|
|
ENDIF.
|
||
|
|
----
|