In researching the OOO Add-in, I discovered that users other than the logged-in user can access that user's OOO page to set their status as OOO. Is this the expected behavior? Or is it only available to users who are set up as K2 Admins? It seems like this could potentially be a security risk.
Also, on the download page, it says "K2.net® 2003 Out Of Office Service with SP3 (v3.6090.1.0)". It is not clear whether this is SP3 of Out Of Office or K2 SP3. What version of the OOO add-in is this? It would help if we knew which specific version of the add-in is posted so we know when/if we need to upgrade to a new service pack.
Thanks for your help.
+8
Hi K2Moto,
If user A is defined as the manager of user B in Active Directory, user A will be able to set the Out Of Office settings for user B, and this is the expected behavior.
As to the version information, I recommend that you check out the compatibility matrix available at the top of the downloads page: http://portal.k2workflow.com/help/k2.net 2003/K22003matrix_popup.aspx
Out Of Office SP3 is the version of the Out Of Office component that is compatible with K2 SP3.
I hope this helps.
-Eric
+1
Hi Eric,
Thanks for the compatibility matrix link. That's exactly what I needed.
As far as the Out of Office page goes, I can navigate directly to the OOO url, change the username in the querystring, and change any user's OOO status. This occurs regardless of the user's manager relationship. For instance, I am at the same level as another user, reporting to the same manager, and I can modify his OOO status. In addition, I can modify my own manager's OOO status and my manager's manager's status. Make sense? I'm guessing this is unexpected behavior, or is a security hole that was unintentional.
-Matt
+8
Ahh, I see what you mean. That behavior is definitely unintended. I have notified the development team, so hopefully that will be resolved soon.
Just to let you know, you can also provide feedback like this directly to the development team using the link below:
http://portal.k2workflow.com/feedback/Default.aspx
-Eric
+1
Thanks for the prompt response. I'll use the development submission for issues like this in the future.
-Matt
+13
This security issue can be easily fixed by relying on Session("UserName") and not the ID that is passed in the querystring.
This will just restrict managers from changing another user's availability status.
I think that's a good trade-off. The way it is now, we cannot deploy this functionality.
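The fix proposed in this reply, modelled as an added example that is not code from the K2 add-in or from any poster in this thread. It models the OOO page as three handlers: the vulnerable one trusts the `user` querystring value (the behaviour Matt describes), the strict fix writes only the session identity (the reply's proposal, which also stops managers), and a third variant that goes a step further than the reply by allowing the session user or that user's direct Active Directory manager (the behaviour Eric called expected). The `MANAGER_OF` table, the `user` parameter name and all user names are constructed assumptions, and the handlers are plain Python functions standing in for ASP.NET code-behind, not the real API.

```python
"""Authorization for an Out Of Office (OOO) status page: three handler variants.

Constructed example. Stand-in for an ASP.NET page that receives the caller's
authenticated identity (Session("UserName")) plus a querystring.
"""

from dataclasses import dataclass, field

# Constructed stand-in for the Active Directory "manager" attribute:
# user -> that user's direct manager.
MANAGER_OF = {
    "matt": "eric",
    "bob": "eric",    # matt's peer: same manager
    "eric": "alice",  # matt's manager's manager
}


class Forbidden(Exception):
    """Raised when the caller may not change the requested user's status."""


@dataclass
class OooStore:
    """In-memory replacement for the add-in's status table."""
    status: dict = field(default_factory=dict)


def vulnerable_set_ooo(store, session_user, query, is_ooo):
    """Broken: the querystring decides whose status changes (an IDOR).

    Anyone who can edit the URL can change any user's OOO status.
    """
    target = query.get("user", session_user)
    store.status[target] = is_ooo
    return target


def strict_set_ooo(store, session_user, query, is_ooo):
    """Fix from the thread: ignore the querystring, use only the session identity.

    Side effect noted in the thread: managers can no longer set a report's status.
    """
    store.status[session_user] = is_ooo
    return session_user


def is_manager_of(actor, target):
    """True if actor is target's direct manager per the directory (constructed)."""
    return MANAGER_OF.get(target) == actor


def manager_aware_set_ooo(store, session_user, query, is_ooo):
    """Generalisation: allow self, or the target's direct manager; deny the rest.

    The querystring is still used to pick the target, but the decision is made
    against the session identity and the directory, never against the URL alone.
    """
    target = query.get("user", session_user)
    if target != session_user and not is_manager_of(session_user, target):
        raise Forbidden(f"{session_user} may not change OOO status for {target}")
    store.status[target] = is_ooo
    return target


def audit(handler, session_user, targets):
    """Try each target through a handler; report whose status actually changed.

    Returns {requested_target: user_whose_status_changed or None if denied}.
    """
    outcome = {}
    for target in targets:
        store = OooStore()  # fresh store per attempt so results do not bleed
        try:
            changed = handler(store, session_user, {"user": target}, True)
        except Forbidden:
            changed = None
        outcome[target] = changed
    return outcome


if __name__ == "__main__":
    # Matt (a non-manager) tries a peer, his manager and his manager's manager.
    attempts = ["bob", "eric", "alice"]
    for name, handler in [("vulnerable", vulnerable_set_ooo),
                          ("strict", strict_set_ooo),
                          ("manager-aware", manager_aware_set_ooo)]:
        print(f"{name:14}", audit(handler, "matt", attempts))
```

Run as a script it prints one line per handler: the vulnerable one changes whichever user the URL names, the strict one only ever changes Matt's own status, and the manager-aware one denies all three attempts while still letting Eric change Matt's or Bob's status (but not Alice's). The design point is where the decision is taken: the querystring may say what the caller wants, but the session identity and the directory say what is permitted.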