Dashboard Cross Tenant Check

Description

There is a potential cross-tenant issue in the DashboardController onEvent method (e.g. when collapsing/expanding dashlets).

Environment

None

Activity

Norbert Bede August 8, 2022 at 8:24 PM

User from the system (0), with a tenant role, logged into the tenant which accesses the dashboard with dashboard preferences shared from the system tenant. The user tried to open/close the dashboard preference icon.

  • The ad_role is not mandatory on the dashboard preference and was null.

  • The dashboard (pa_dashboard) has no limitation to any role - free to access by any role.

Hope this helps to understand the use case.

norbert

Carlos Ruiz August 4, 2022 at 1:35 PM

So, question:

  • you made the role optional in dashboard preference?

  • or tenant users can use system roles?

Norbert Bede August 4, 2022 at 11:55 AM

Hi.

We have a customization based on PA_DashboardPreference that can be in system (“system dashboard”). This way we got the cross-tenant error.

I thought this change would not influence the core version, but would improve it for later usage (e.g. multi-dashboard, shared dashboards).

If it is not necessary, we can simply reject it.

n

Carlos Ruiz August 4, 2022 at 9:30 AM

Hi - maybe there is an error in your data?

How can this be reproduced?

From what I see the records in PA_DashboardPreference have AD_Role_ID mandatory and that’s tenant specific, so, from what I understand there, you cannot have a System role running on a tenant, therefore you cannot have a dashboard preference on System when running on a tenant. Am I missing something?

Fixed

Details

Created August 4, 2022 at 8:41 AM
Updated October 1, 2022 at 7:25 AM
Resolved August 19, 2022 at 10:01 AM