Securing Tenant Selection At Server Side

When you log in with tenant2 user and open its edit form, Tenant selection dropdown is not displayed, so he can’t change his tenant right?

Wrong!

If he is an ordinary user, he can’t. But if he has some knowledge of how Serenity and its services work, he could.

When you are working with web, you got to take security much more seriously.

It’s very easy to create security holes in web applications unless you handle validations both at client side and server side.

Let’s demonstrate it. Open Chrome console, while logged in with user tenant2.

Copy and paste this into console:

  1. Q.serviceCall({
  2. service: 'Administration/User/Update',
  3. request: {
  4. EntityId: 2,
  5. Entity: {
  6. UserId: 2,
  7. TenantId: 1
  8. }
  9. }
  10. });

Now refresh the user management page, you’ll see that tenant2 can see admin user now!

We called User Update service with javascript, and changed tenant2 user TenaNntId to 1 (Primary Tenant).

Let’s revert it back to Second Tenant (2) first, then we’ll fix this security hole:

  1. Q.serviceCall({
  2. service: 'Administration/User/Update',
  3. request: {
  4. EntityId: 2,
  5. Entity: {
  6. UserId: 2,
  7. TenantId: 2
  8. }
  9. }
  10. });

Luckily, Serenity provides field level permissions. Edit UserRow.cs to let only users with Administration:Tenants permission to see and edit tenant information.

  1. [LookupEditor(typeof(TenantRow))]
  2. [ReadPermission(PermissionKeys.Tenants)]
  3. public Int32? TenantId
  4. {
  5. get { return Fields.TenantId[this]; }
  6. set { Fields.TenantId[this] = value; }
  7. }

Now only admin can see and update tenant field for users.

We didn’t have to also set ModifyPermission as if a user doesn’t have the read permission, he doesn’t have the write permission by default.

Build your project, then try typing this into console again:

  1. Q.serviceCall({
  2. service: 'Administration/User/Update',
  3. request: {
  4. EntityId: 2,
  5. Entity: {
  6. UserId: 2,
  7. TenantId: 1
  8. }
  9. }
  10. });

You will now get this error:

  1. Tenant field is read only!