Preventing Edits To Users From Other Tenants

    Similar to this, even if he can’t see users from other tenants by default, he can actually retrieve and update them.

    Time to hack again.

    Open Chrome console and type this:

    What? He could open user dialog for admin and update it!

    We created a new instance of it, and asked to load a user entity by its ID. Admin user has an ID of 1.

    So, to load the entity with ID 1, dialog called Retrieve service of UserRepository.

    Remember that we did filtering in List method of UserRepository, not Retrieve. So, service has no idea, if it should return this record from another tenant, or not.

    It’s time to secure retrieve service in UserRepository:

    2. {
    3.     protected override void PrepareQuery(SqlQuery query)
    4.     {
    5.         base.PrepareQuery(query);
    7.         var user = (UserDefinition)Authorization.UserDefinition;
    8.         if (!Authorization.HasPermission(PermissionKeys.Tenants))
    9.             query.Where(fld.TenantId == user.TenantId);
    10.     }
    11. }

    If you try same Javascript code now, you’ll get an error:

    But, we could still update record calling Update service manually. So, need to secure MySaveHandler too.

    Change its ValidateRequest method like this:

    1. protected override void ValidateRequest()
    2. {
    4.     if (IsUpdate)
    5.     {
    6.         var user = (UserDefinition)Authorization.UserDefinition;
    7.         if (Old.TenantId != user.TenantId)
    8.             Authorization.ValidatePermission(PermissionKeys.Tenants);
    10.         // ...

    Here we check if it’s an update, and if TenantId of record being updated (Old.TenantId) is different than currently logged user’s TenantId. If so, we call Authorization.ValidatePermission method to ensure that user has tenant administration permission. It will raise an error if not.

    Using similar methods, we need to secure them too:

    1. private class MyDeleteHandler : DeleteRequestHandler<MyRow>
    2. {
    3.     protected override void ValidateRequest()
    4.     {
    5.         base.ValidateRequest();
    8.             Authorization.ValidatePermission(PermissionKeys.Tenants);
    9.     }
    10. }
    12. private class MyUndeleteHandler : UndeleteRequestHandler<MyRow>
    13. {
    14.     protected override void ValidateRequest()
    15.     {
    16.         base.ValidateRequest();
    18.         var user = (UserDefinition)Authorization.UserDefinition;
    19.         if (Row.TenantId != user.TenantId)
    20.             Authorization.ValidatePermission(PermissionKeys.Tenants);