48 lines
1.2 KiB
Plaintext
48 lines
1.2 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Checking logged users' permissions by comparing their name to a hardcoded string can create security vulnerabilities. It prevents system administrators from changing users' permissions when needed (example: when their account has been compromised). Thus system fields ``++SY-UNAME++`` and ``++SYST-UNAME++`` should not be compared to hardcoded strings. Use instead ``++AUTHORITY-CHECK++`` to check users' permissions.
|
|
|
|
|
|
This rule raises an issue when either of the system fields ``++SY-UNAME++`` or ``++SYST-UNAME++`` are compared to a hardcoded value in a ``++CASE++`` statement or using one of the following operators: ``++=++``, ``++EQ++``, ``++<>++``, ``++NE++``.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,abap]
|
|
----
|
|
IF SY-UNAME = 'ALICE'. " Noncompliant
|
|
ENDIF.
|
|
|
|
CASE SY-UNAME.
|
|
WHEN 'A'. " Noncompliant
|
|
ENDCASE.
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,abap]
|
|
----
|
|
AUTHORITY-CHECK OBJECT 'S_CARRID'
|
|
ID 'CARRID' FIELD mycarrid.
|
|
IF sy-subrc <> 0.
|
|
MESSAGE 'Not authorized' TYPE 'E'.
|
|
ENDIF.
|
|
----
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|