Uploaded image for project: 'SiteWhere'
  1. SITEWHERE-269

Tenant REST APIs not properly restricting access

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.0
    • Component/s: Core
    • Labels:
      None

      Description

      The tenant REST APIs are only using coarse-grained permissions to control access. Currently, this means that only tenant administrators can access many of the REST services even when users are marked with self-editing permissions. Also, tenant REST APIs should verify that the authenticated user is in the list of allowed users for a tenant before giving access to its data.

        Attachments

          Activity

            People

            • Assignee:
              dadams Derek Adams [Administrator]
              Reporter:
              dadams Derek Adams [Administrator]
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: