User Security


Our security team have found that by parameter tampering any developer can get access to any other developer's apps (and secrets) and even delete their apps!!!

Go from https://my-portal.com/user/me/apps to https://my-portal.com/user/{someuserid}/apps and you then have unfettered access.

Is this a known issue?

1 REPLY


Quick update on this. The default app_developer role had administer application privileges which let it access anyone's apps. I'm not sure if this is out of the box or something we did at some point. If you scale the privileges back to CRUD only then the devs can only access their own apps.
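
The role behaviour described in this thread, modelled as an added example that is not part of the original posts and is not the portal's own code: an ownership check for `/user/{id}/apps` that an "administer" privilege bypasses, plus an audit that flags roles holding that privilege. The permission strings, the `portal_admin` role, the user names and all function names are assumptions made for illustration.

```python
import re

# Constructed permission names; the real product's permission strings may differ.
ADMINISTER = "administer applications"
CRUD = {"create app", "read app", "update app", "delete app"}

# Role configuration as described in the reply: before and after scaling back.
ROLES_BEFORE = {"app_developer": CRUD | {ADMINISTER}, "portal_admin": CRUD | {ADMINISTER}}
ROLES_AFTER = {"app_developer": set(CRUD), "portal_admin": CRUD | {ADMINISTER}}

APPS_PATH = re.compile(r"^/user/(?P<owner>[^/]+)/apps/?$")


def can_access_apps(path, session_user, session_role, roles):
    """Server-side check for /user/{id}/apps: owner, or holder of ADMINISTER."""
    m = APPS_PATH.match(path)
    if not m:
        return False  # unknown route: deny by default
    owner = m.group("owner")
    if owner == "me":
        owner = session_user  # alias resolves to the authenticated user only
    perms = roles.get(session_role, set())
    if ADMINISTER in perms:
        return True  # privilege bypasses the ownership test
    return owner == session_user and "read app" in perms


def over_privileged_roles(roles, allowed=("portal_admin",)):
    """Audit: roles holding ADMINISTER that are not on the admin allow-list."""
    return sorted(r for r, p in roles.items() if ADMINISTER in p and r not in allowed)


if __name__ == "__main__":
    for label, roles in (("before", ROLES_BEFORE), ("after", ROLES_AFTER)):
        own = can_access_apps("/user/me/apps", "alice", "app_developer", roles)
        other = can_access_apps("/user/bob/apps", "alice", "app_developer", roles)
        print(label, "own:", own, "other:", other, "flagged:", over_privileged_roles(roles))
```

Running the audit function against an export of the portal's real role-to-permission mapping gives a quick regression check that the developer role has not regained the administer privilege.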