
Potential bug in the EmptyInterceptor

Open eepstein opened this issue 7 years ago • 2 comments

I know this is a demo, but in case someone follows it too literally, there's a likely issue that would occur with that kind of an Interceptor. Given that the tenantId is not the PK for most entities, this approach would (risk) assigning other tenants' entities to the ownership of the calling tenant.

eepstein avatar Jul 12 '17 06:07 eepstein

Thanks for the comment. Yeah, it doesn't have any verification/validation logic for tenant id.

It would be helpful if you share how this can be improved.

ramsrib avatar Jul 12 '17 19:07 ramsrib

Well, one way is to:

a) allow the logic as-is for Create - just assign the tenantId as is being done;

b) check the tenantId for Update and Delete operations and for those, if the ID on the entity doesn’t match the ID in use (via the ThreadLocal), then throw a cross-tenant-violation exception.


eepstein avatar Jul 12 '17 19:07 eepstein
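One way to implement the two-part scheme eepstein describes, as an added example rather than the demo's own code. It assumes Hibernate 5.x, a property named `tenantId` on every tenant-scoped entity, and a ThreadLocal holder standing in for the demo's request-scoped one; the class, exception and helper names are hypothetical.

```java
import java.io.Serializable;
import java.util.Objects;
import org.hibernate.EmptyInterceptor;
import org.hibernate.type.Type;
// Added example, not the demo's code. Assumes Hibernate 5.x and a "tenantId" property on
// every tenant-scoped entity; CURRENT_TENANT stands in for the demo's request-scoped holder.
public class TenantInterceptor extends EmptyInterceptor {
    public static final ThreadLocal<String> CURRENT_TENANT = new ThreadLocal<>();
    public static class CrossTenantViolationException extends RuntimeException { public CrossTenantViolationException(String m) { super(m); } }

    // (a) Create: stamp the caller's tenant into the state array so it gets persisted.
    @Override public boolean onSave(Object e, Serializable id, Object[] state, String[] names, Type[] types) {
        int i = indexOf(names);
        if (i < 0) return false;        // not a tenant-scoped entity
        state[i] = currentTenant();
        return true;                    // tells Hibernate the state array was modified
    }

    // (b) Update: check the tenant as stored (previousState), never the in-memory value the
    // caller controls, and refuse any attempt to move the row to another tenant.
    @Override public boolean onFlushDirty(Object e, Serializable id, Object[] current, Object[] previous,
                                          String[] names, Type[] types) {
        int i = indexOf(names);
        if (i < 0) return false;
        if (previous == null)           // detached entity: stored tenant unknown, so refuse
            throw new CrossTenantViolationException("load " + e.getClass().getSimpleName() + " before updating it");
        verify(previous[i], e);
        if (!Objects.equals(previous[i], current[i]))
            throw new CrossTenantViolationException("tenantId of " + e.getClass().getSimpleName() + " may not change");
        return false;
    }

    // (b) Delete: for entities managed by this session, state is the loaded (database) state.
    @Override public void onDelete(Object e, Serializable id, Object[] state, String[] names, Type[] types) {
        int i = indexOf(names);
        if (i >= 0) verify(state[i], e);
    }

    private static int indexOf(String[] names) {      // position of the tenant column, or -1
        for (int i = 0; i < names.length; i++) if ("tenantId".equals(names[i])) return i;
        return -1;
    }

    private static String currentTenant() { return Objects.requireNonNull(CURRENT_TENANT.get(), "no tenant bound"); }

    private static void verify(Object storedOwner, Object e) {
        if (!currentTenant().equals(storedOwner)) throw new CrossTenantViolationException(
            e.getClass().getSimpleName() + " belongs to tenant " + storedOwner + ", not " + currentTenant());
    }
}
```

Register it wherever the demo registers its current interceptor; the request filter that resolves the tenant must set CURRENT_TENANT before the session is used and clear it afterwards.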