rspec/rules/S5115/abap/rule.adoc

Checking logged users' permissions by comparing their name to a hardcoded string can create security vulnerabilities. It prevents system administrators from changing users' permissions when needed (example: when their account has been compromised). Thus system fields ``++SY-UNAME++`` and ``++SYST-UNAME++`` should not be compared to hardcoded strings. Use instead ``++AUTHORITY-CHECK++`` to check users' permissions.


This rule raises an issue when either of the system fields ``++SY-UNAME++`` or ``++SYST-UNAME++`` are compared to a hardcoded value in a ``++CASE++`` statement or using one of the following operators: ``++=++``, ``++EQ++``, ``++<>++``, ``++NE++``.


== Noncompliant Code Example

----
IF SY-UNAME = 'ALICE'. " Noncompliant
ENDIF.

CASE SY-UNAME.
WHEN 'A'. " Noncompliant
ENDCASE.
----


== Compliant Solution

----
AUTHORITY-CHECK OBJECT 'S_CARRID' 
  ID 'CARRID' FIELD mycarrid.
IF sy-subrc <> 0. 
  MESSAGE 'Not authorized' TYPE 'E'. 
ENDIF. 
----


ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Checking logged users' permissions by comparing their name to a hardcoded string can create security vulnerabilities. It prevents system administrators from changing users' permissions when needed (example: when their account has been compromised). Thus system fields ``++SY-UNAME++`` and ``++SYST-UNAME++`` should not be compared to hardcoded strings. Use instead ``++AUTHORITY-CHECK++`` to check users' permissions.
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule raises an issue when either of the system fields ``++SY-UNAME++`` or ``++SYST-UNAME++`` are compared to a hardcoded value in a ``++CASE++`` statement or using one of the following operators: ``++=++``, ``++EQ++``, ``++<>++``, ``++NE++``.
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Noncompliant Code Example`

			`----`
			`IF SY-UNAME = 'ALICE'. " Noncompliant`
			`ENDIF.`

			`CASE SY-UNAME.`
			`WHEN 'A'. " Noncompliant`
			`ENDCASE.`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Compliant Solution`

			`----`
			`AUTHORITY-CHECK OBJECT 'S_CARRID'`
			`ID 'CARRID' FIELD mycarrid.`
			`IF sy-subrc <> 0.`
			`MESSAGE 'Not authorized' TYPE 'E'.`
			`ENDIF.`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`