Securing Tenant Selection At Server Side
Wrong!
If he is an ordinary user, he can’t. But if he has some knowledge of how Serenity and its services work, he could.
When you are working on the web, you have to take security much more seriously.
It is very easy to create security holes in web applications unless you validate on both the client side and the server side: the client-side UI (a hidden or read-only field) is only a convenience, and the service behind it must enforce the rule itself.
Copy and paste this into console:
Now refresh the user management page, and you'll see that tenant2 can see the admin user!
We called the User Update service from JavaScript and changed the tenant2 user's TenantId to 1 (Primary Tenant).
Let's revert it back to Second Tenant (2) first, then we'll fix this security hole:
Now only admin can see and update the tenant field for users.
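The server-side fix is what closes the hole, so here is one way to write it, as an added example rather than the tutorial's own code. It follows Serenity's `SaveRequestHandler` pattern and assumes the pieces the multi-tenancy tutorial sets up: a `UserRow` with a nullable `TenantId` field, a `UserDefinition` that exposes the caller's `TenantId`, and a `PermissionKeys.Tenants` permission key that only admins hold. Whatever `TenantId` the client posts, a caller without that permission ends up with the tenant the server decides on.

```csharp
// Added example (not the tutorial's code): enforce the tenant field on the server.
// Assumes UserRow.TenantId, UserDefinition.TenantId and PermissionKeys.Tenants
// exist as the multi-tenancy tutorial defines them.
using Serenity;
using Serenity.Data;
using Serenity.Services;

namespace MultiTenancy.Administration.Repositories
{
    public partial class UserRepository
    {
        private class MySaveHandler : SaveRequestHandler<UserRow>
        {
            protected override void ValidateRequest()
            {
                base.ValidateRequest();

                // Admins with the Tenants permission may assign any tenant;
                // everybody else is pinned to their own tenant, regardless of
                // what the client sent in the request.
                if (Authorization.HasPermission(PermissionKeys.Tenants))
                    return;

                var user = (UserDefinition)Authorization.UserDefinition;

                if (IsCreate)
                {
                    // New user: always created inside the caller's own tenant.
                    Row.TenantId = user.TenantId;
                    return;
                }

                // Update: the existing record (Old) is loaded before ValidateRequest
                // runs, so we can refuse edits to users of another tenant ...
                if (Old.TenantId != user.TenantId)
                    throw new ValidationError("You can't edit users of other tenants!");

                // ... and overwrite the posted TenantId with the stored one, so a
                // crafted Update call can never move a user between tenants.
                Row.TenantId = Old.TenantId;
            }
        }
    }
}
```

Placing the check in `ValidateRequest` (rather than in the form or the grid) means it runs for every caller of the Update and Create services, whether the request came from the Serenity UI or from a hand-written `Q.serviceRequest` call in the browser console.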
Build your project, then try typing this into the console again:
You will now get this error: