Cc: @suiyangqiu @yaqi-lyu @calumjs @joshbermanssw
Hi Team!
🟥 Watch the video (1 min 5 sec)
Pain
The CRM reports appear to be publicly accessible without authentication (e.g., can be opened in an incognito/private browser session).
The report URLs are also predictable (e.g., /CRM/ plus date segments), which increases the risk of unauthorized discovery/enumeration.
This could expose sensitive information for internal projects that should not be public.
Acceptance Criteria
- Unauthenticated users cannot access any CRM report pages (direct URL access returns an auth challenge or access denied).
- Authenticated access uses SSW IdentityServer (or the app’s standard auth mechanism) and requires sign-in before viewing reports.
- Authorization rules ensure only permitted users/groups can view reports (not just “any logged-in user”) where applicable.
- The application prevents/mitigates URL enumeration (e.g., enforce authorization per report, consider non-guessable identifiers where relevant, and log/block suspicious access patterns).
- Attempted unauthenticated access is logged for audit/monitoring.
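As an added illustration of the acceptance criteria above (example code, not part of this issue and not the SSW app's own implementation), the following Python sketch models a request gate for CRM report URLs: it rejects unauthenticated requests, enforces per-report group authorization, gives the same answer for "unknown report" and "not permitted" so ids cannot be enumerated by status code, replaces date-based paths with random identifiers, and logs denied attempts and flags repeated denials from one principal. The types `Report`, `Request`, the functions `authorize_report_request`, `register_report` and `is_suspicious`, and the sample groups and client address are all assumptions made for the example.

```python
import logging
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("crm.reports")

SUSPICIOUS_THRESHOLD = 5  # assumed: denials from one principal before flagging


@dataclass
class Report:
    id: str                      # random, non-guessable identifier
    title: str
    allowed_groups: FrozenSet[str]


@dataclass
class Request:
    path: str
    client_ip: str
    user: Optional[str] = None   # None means the request is unauthenticated
    groups: FrozenSet[str] = frozenset()


REPORTS = {}                     # report id -> Report (constructed in-memory store)
DENIED = Counter()               # principal (user or client IP) -> denied count


def new_report_id() -> str:
    # 32 random bytes -> 43 URL-safe characters; unlike /CRM/<year>/<month>/<day>
    # this cannot be walked by incrementing a date segment.
    return secrets.token_urlsafe(32)


def register_report(title: str, allowed_groups) -> Report:
    report = Report(new_report_id(), title, frozenset(allowed_groups))
    REPORTS[report.id] = report
    return report


def record_denial(principal: str) -> int:
    DENIED[principal] += 1
    if DENIED[principal] >= SUSPICIOUS_THRESHOLD:
        log.error("suspicious: %d denied requests from %s", DENIED[principal], principal)
    return DENIED[principal]


def is_suspicious(principal: str) -> bool:
    return DENIED[principal] >= SUSPICIOUS_THRESHOLD


def authorize_report_request(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, body) for a request to a CRM report URL."""
    if not req.path.startswith("/CRM/"):
        return 404, "not found"

    # Criterion 1: no anonymous access, and every attempt is logged for audit.
    if req.user is None:
        log.warning("unauthenticated access attempt path=%s ip=%s", req.path, req.client_ip)
        record_denial(req.client_ip)
        return 401, "authentication required"

    # Criterion 3: authorization is per report, not "any signed-in user".
    report = REPORTS.get(req.path[len("/CRM/"):])
    permitted = report is not None and bool(req.groups & report.allowed_groups)
    if not permitted:
        # Same response for a missing id and a forbidden one, so an authenticated
        # user cannot tell which ids exist by comparing status codes.
        log.warning("access denied user=%s path=%s", req.user, req.path)
        record_denial(req.user)
        return 403, "access denied"

    log.info("access granted user=%s report=%s", req.user, report.title)
    return 200, report.title
```

The gate is deliberately independent of how sign-in happens; with IdentityServer the `user` and `groups` fields would be populated from the validated token's claims before this function runs.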
Screenshot

Thanks!