Dashboard Cross Tenant Check
Description
Environment
Activity
Norbert Bede August 8, 2022 at 8:24 PM
User from the system (0), with tenant role - logged into the tenant which accesses the dashboard with dashboard preferences shared from the system tenant. The user tried to open/close the dashboard preference icon.
The ad_role is not mandatory on dashboard preference and was null.
The dashboard (pa_dashboard) has no limitation to any role - free to access any role.
Hope this helps to understand the use case.
norbert
Carlos Ruiz August 4, 2022 at 1:35 PM
So, question:
you made the role optional in dashboard preference?
or tenant users can use system roles?
Norbert Bede August 4, 2022 at 11:55 AM
Hi.
We have a customization based on PA_DashboardPreference that can be in system (“system dashboard”). This way we got a cross-tenant error.
I thought this change would not influence the core version, but would improve it for later usage (e.g. multi-dashboard, shared dashboards).
If not necessary, we simply reject it.
n
Carlos Ruiz August 4, 2022 at 9:30 AM
Hi - maybe there is an error in your data?
How can this be reproduced?
From what I see the records in PA_DashboardPreference have AD_Role_ID mandatory and that’s tenant specific, so, from what I understand there, you cannot have a System role running on a tenant, therefore you cannot have a dashboard preference on System when running on a tenant. Am I missing something?
There is a potential cross tenant issue in DashboardController onEvent method (e.g. when collapsing/expanding dashlets)