NAV 2016 Web client URL - Changing Company Name in url ignores NAV security

kar100 Member Posts: 11
edited 2016-04-28 in NAV Three Tier
We have installed and configured NAV 2016 web client. Works fine.
However, it appears to be possible to simply change the company name element of the url and this by-passes NAV security.
Example:
Two NAV companies, Company A and Company B
User only has access to Company A as per NAV security permissions
URL for web client is https://xxxxxxx/yyy/WebClient/?company=Company A, but if the user changes the URL to https://xxxxxxx/DEV/WebClient/?company=Company B then they can access Company B, overriding security.
If they try to change company via 'My Settings' they (correctly) get an error.