
Tenant REST APIs not properly restricting access

The tenant REST APIs use only coarse-grained permissions to control access. Currently this means that many of the REST services are accessible only to tenant administrators, even for users marked with self-editing permissions. In addition, a tenant REST API should verify that the authenticated user is in the tenant's list of allowed users before granting access to that tenant's data.
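To make the two checks concrete, here is an added illustration (not code from this project) of the coarse-grained check the issue describes beside a per-tenant check that enforces both tenant membership and the self-editing permission. The `Tenant`/`User` types, the action names and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tenant:
    name: str
    admins: frozenset         # tenant administrators
    allowed_users: frozenset  # users permitted to access this tenant's data


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset    # e.g. {"self-edit"}


def coarse_grained_allowed(user: User, tenant: Tenant, action: str,
                           target_user: Optional[str] = None) -> bool:
    """Behaviour the issue describes: only tenant admins get through,
    regardless of the user's own permissions or tenant membership."""
    return user.name in tenant.admins


def fine_grained_allowed(user: User, tenant: Tenant, action: str,
                         target_user: Optional[str] = None) -> bool:
    """Per-tenant check: admins of *this* tenant may do anything within it;
    everyone else must be on the tenant's allowed-user list, and may then
    read, or edit only their own record if they hold 'self-edit'."""
    if user.name in tenant.admins:
        return True
    if user.name not in tenant.allowed_users:
        # Membership check: an admin or member of another tenant
        # gets no access to this tenant's data.
        return False
    if action == "read":
        return True
    if action == "edit":
        return "self-edit" in user.permissions and target_user == user.name
    return False  # deny any other action by default


# Constructed sample data (not taken from the issue).
TENANT_A = Tenant("tenant-a", frozenset({"alice"}), frozenset({"alice", "bob"}))
TENANT_B = Tenant("tenant-b", frozenset({"carol"}), frozenset({"carol"}))
BOB = User("bob", frozenset({"self-edit"}))      # member of tenant-a, may self-edit
CAROL = User("carol", frozenset())               # admin of tenant-b only
```

With the coarse check, `BOB` cannot edit his own record in `tenant-a` even though he holds `self-edit`; with the fine-grained check he can, while still being unable to edit `alice` or to read anything in `tenant-b`.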

Status

Assignee

DerekA

Reporter

DerekA