Release 3.1 Security
Unauthorised Portal Access
User accessed Ordering Portal without authorisation due to session enforcement gaps
Finding
A Royston user (Lee) was able to place orders through the Ordering Portal despite her company not having Ordering Portal access enabled.
Severity: Critical
How It Happened
- The Ordering Portal access toggle was enforced only at specific checkpoints, not on every request
- Sessions established before the toggle was disabled remained valid
- Users could continue using the portal until the next enforcement point
- Additionally, email notification links directed Royston users to the Ordering Portal regardless of their company's access setting
Impact
- An FTS assessment was populated through the ordering system without authorisation
- Potential for incorrect orders to enter the production workflow
- Client confusion about which portal to use
Resolution
Jayrex implemented consistent enforcement across three checkpoints:
- Login validation
- Ordering API authorisation
- Active-session checks
Users from companies without access now see an access restriction immediately on sign-in, and existing sessions are terminated.
See Access Hardening for implementation details.
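To illustrate the gap and the three-checkpoint fix described above, here is an added example that is not Jayrex's code: a constructed company-level Ordering Portal toggle with a legacy order path that only trusts login-time state, beside a hardened path that re-reads the toggle at login, at the ordering API and on every active session, and terminates a company's sessions when the toggle is disabled. Class and method names are assumptions for this example.

```python
# Constructed example (not Jayrex's code): a company-level Ordering Portal
# toggle enforced at login, at the ordering API and on active sessions.
import secrets
from dataclasses import dataclass

@dataclass
class Company:
    name: str
    ordering_portal_enabled: bool

class PortalAuthz:
    def __init__(self):
        self.sessions = {}  # session token -> (user, Company)

    def login(self, user, company):
        # Checkpoint 1: login validation.
        if not company.ordering_portal_enabled:
            raise PermissionError(f"{company.name}: Ordering Portal access disabled")
        token = secrets.token_hex(16)
        self.sessions[token] = (user, company)
        return token

    def place_order_legacy(self, token, item):
        # The gap: only "is the session known?" is checked, so a session
        # issued before the toggle was disabled keeps working.
        user, _company = self.sessions[token]
        return {"user": user, "item": item}

    def require_session(self, token):
        # Checkpoint 3: active-session check that re-reads the company
        # toggle on every request instead of trusting the login-time state.
        entry = self.sessions.get(token)
        if entry is None or not entry[1].ordering_portal_enabled:
            self.sessions.pop(token, None)
            raise PermissionError("session terminated: company access disabled")
        return entry

    def place_order(self, token, item):
        # Checkpoint 2: the ordering API goes through the same check.
        user, _company = self.require_session(token)
        return {"user": user, "item": item}

    def disable_portal_access(self, company):
        # Flipping the toggle also terminates that company's sessions.
        company.ordering_portal_enabled = False
        stale = [t for t, (_u, c) in self.sessions.items() if c is company]
        for t in stale:
            del self.sessions[t]
        return len(stale)
```

Flipping `ordering_portal_enabled` directly (as the old toggle did) leaves `place_order_legacy` working for an existing session, while `place_order` rejects it and drops the session; `disable_portal_access` is the path that also revokes sessions.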