Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 304 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 260 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
NAV 2016 Web client URL - Changing Company Name in url ignores NAV security
kar100
Member Posts: 11
We have installed and configured NAV 2016 web client. Works fine.
However, it appears to be possible to simply change the company name element of the url and this by-passes NAV security.
Example:
Two NAV companies, Company A and Company B
User only has access to Company A as per NAV security permissions
URL for web client is https://xxxxxxx/yyy/WebClient/?company=Company A but if user changes url to https://xxxxxxx/DEV/WebClient/?company=Company B then then can access Company B, overriding security.
If they try to change company via 'My Settings' they (correctly) get an error.
However, it appears to be possible to simply change the company name element of the url and this by-passes NAV security.
Example:
Two NAV companies, Company A and Company B
User only has access to Company A as per NAV security permissions
URL for web client is https://xxxxxxx/yyy/WebClient/?company=Company A but if user changes url to https://xxxxxxx/DEV/WebClient/?company=Company B then then can access Company B, overriding security.
If they try to change company via 'My Settings' they (correctly) get an error.
0