Portal User can login to Other Portals

Posted by alank@daitangroup.com on 01-Sep-2017 09:30

Hi,

So say I have Portal A that gives access to Portal User Object A, and similarly with Portal B.

Now, if I try to Login to Portal B using Object A credentials, it won't work - as expected.

However, if I have both portal links available to the users, a user from Portal A can login to Portal A, and without logging out, click the link to Portal B, without losing his authentication. So this means that a Portal A user can go around Portal B freely, which is highly undesirable for us.

I have tried blocking out User A's visibility by limiting the views set on Portal B and vice-versa, but some views and permissions are open to all Portal Users, so there's no way to limit this. 

It seems like the Portals should not behave this way, and might potentially be of security risk for us.

Is there anything we can do to stop this?

All Replies

Posted by Srinivas Panyala on 09-Oct-2017 00:42

Currently, Rollbase doesn't support this. Please post this in the ideas section community.progress.com/.../rollbase

Thanks

Srinivas

Posted by mpiscoso@gmail.com on 09-Oct-2017 17:47

As a workaround, you can probably check which object the current portal user belongs to and if you're in Portal A and you detect that the User is only supposed to have access to Portal B then you can do a redirect using window.location.href over to a generic page that states that he/she does not have access to Portal B and then potentially provide a link back to Portal A.

I can't provide an example right now, but thinking this through, your code needs to be in your portal's header/footer so that it runs on every page load. I'm not sure if a token for a Portal User's object is available yet. If not, you may simply use a field that you know belongs to Portal User A and not Portal User B to be able to differentiate the two. You have to test what value it returns in both scenarios, whether the field exists or not, and then determine whether you'll be redirecting the user to the permission error page or otherwise.

Hope this helps.

Piscoso, Martin

Feel free to contact me.
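The header/footer guard sketched in the reply above, written out as an added example (not code from the thread, and not a Rollbase API). It assumes a hypothetical `portal_b_marker` field that exists only on Portal B's user object, a `user` object holding the current Portal User's field values (here read from an assumed `window.currentPortalUser`), and hostnames `portal-a.example.com` / `portal-b.example.com` that tell the script which portal the page belongs to; the logic tolerates the field coming back as `undefined`, `null` or an empty string, which is the "does the field exist or not" test the reply says you must run.

```javascript
// Added example: a per-page-load guard that redirects a portal user who has
// navigated into the other portal to that portal's "no access" page, with a
// link back to their own portal. All names below are assumptions, not Rollbase APIs.

const PORTAL_ROUTES = {
  A: { home: "https://portal-a.example.com/", denied: "https://portal-a.example.com/no-access" },
  B: { home: "https://portal-b.example.com/", denied: "https://portal-b.example.com/no-access" },
};

// Decide which portal a user record belongs to by probing the marker field
// that (by assumption) only Portal B's user object carries. A missing field
// may surface as undefined, null or "", so all three count as "absent".
function detectUserPortal(user) {
  const v = user ? user.portal_b_marker : undefined;
  const present = v !== undefined && v !== null && v !== "";
  return present ? "B" : "A";
}

// Return the URL to redirect to, or null when the user may stay on this page.
// The denied page of the portal they reached gets a `back` parameter pointing
// at the home page of the portal they actually belong to.
function redirectTargetFor(user, currentPortal) {
  const userPortal = detectUserPortal(user);
  if (userPortal === currentPortal) return null;
  return PORTAL_ROUTES[currentPortal].denied + "?back=" +
    encodeURIComponent(PORTAL_ROUTES[userPortal].home);
}

// Derive the current portal from the page location (assumed hostname scheme).
function portalFromLocation(loc) {
  return loc.hostname.startsWith("portal-b") ? "B" : "A";
}

// Entry point for the portal header/footer: runs on every page load.
// Returns the redirect target (or null) so the decision can be checked.
function enforcePortalBoundary(user, loc) {
  if (loc.pathname.endsWith("/no-access")) return null; // never loop on the denied page
  const target = redirectTargetFor(user, portalFromLocation(loc));
  if (target) loc.href = target; // window.location.href assignment, as the reply suggests
  return target;
}

// Browser hook; skipped when the script runs outside a page (e.g. under Node).
if (typeof window !== "undefined" && typeof window.location !== "undefined") {
  enforcePortalBoundary(window.currentPortalUser, window.location);
}
```

Because this runs in the user's browser, it only steers navigation; the record-level view permissions on each portal remain the place where access is actually enforced, so the redirect is best treated as a usability guard layered on top of whatever view restrictions can be applied.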

This thread is closed