First to Site
Release 3.1 Security

Access Control Hardening

Measures implemented to enforce portal access consistently

Changes Implemented

1. Login Validation

Portal access is now checked at the point of authentication. Users belonging to companies without Ordering Portal access are blocked before entering the portal.

2. API Authorisation

Every Ordering API call now validates the requesting user's company access level. Previously, API-level checks were not consistently applied.

3. Active Session Enforcement

Users who are already signed in will no longer be able to continue using the Ordering Portal if their company's access is subsequently disabled. Sessions are invalidated retroactively.
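The three checks above (login validation, per-call API authorisation and retroactive session invalidation) as one runnable model. This is an added example, not First to Site's own code: the data model, the in-memory session store and all names are assumptions. Note that the API check re-reads the company's current access on every call, so a revoked company is blocked even if session invalidation was somehow missed.

```python
"""Company-level Ordering Portal access enforced at three points: login,
every API call, and already-active sessions when access is later disabled.
Constructed example; the data model, names and in-memory session store are
assumptions and not First to Site's own code."""
from dataclasses import dataclass, field
import secrets


class AccessDenied(Exception):
    """Raised whenever a request must not reach the Ordering Portal."""


@dataclass
class Company:
    name: str
    ordering_portal_enabled: bool


@dataclass
class User:
    username: str
    company: Company


@dataclass
class OrderingPortal:
    # session token -> User (constructed in-memory store; a real deployment
    # would keep this in a shared session backend)
    sessions: dict = field(default_factory=dict)

    def login(self, user: User) -> str:
        """1. Login validation: refuse the session before the user enters."""
        if not user.company.ordering_portal_enabled:
            raise AccessDenied(f"{user.company.name} has no Ordering Portal access")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def authorise_api_call(self, token: str) -> User:
        """2. API authorisation: re-read the company's *current* access on
        every call rather than trusting that login already checked it."""
        user = self.sessions.get(token)
        if user is None:
            raise AccessDenied("no active session")
        if not user.company.ordering_portal_enabled:
            # Defence in depth: even if revocation missed this session,
            # the call fails and the stale session is dropped here.
            del self.sessions[token]
            raise AccessDenied(f"{user.company.name} access has been disabled")
        return user

    def disable_company_access(self, company: Company) -> int:
        """3. Active session enforcement: flip the flag and invalidate every
        session belonging to that company's users. Returns the count."""
        company.ordering_portal_enabled = False
        stale = [t for t, u in self.sessions.items() if u.company is company]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def is_authorised(portal: OrderingPortal, token: str) -> bool:
    """Convenience wrapper: True if the token currently passes the API check."""
    try:
        portal.authorise_api_call(token)
        return True
    except AccessDenied:
        return False


def demo() -> dict:
    """Walk through the three checks with constructed companies and users."""
    acme = Company("Acme Pty Ltd (constructed)", ordering_portal_enabled=True)
    other = Company("No-Access Co (constructed)", ordering_portal_enabled=False)
    portal = OrderingPortal()
    alice, bob = User("alice", acme), User("bob", other)
    outcome = {}

    try:                                   # bob's company lacks access: blocked at login
        portal.login(bob)
        outcome["bob_login"] = "allowed"
    except AccessDenied:
        outcome["bob_login"] = "blocked"

    token = portal.login(alice)            # alice's company has access today
    outcome["alice_before"] = portal.authorise_api_call(token).username

    outcome["sessions_invalidated"] = portal.disable_company_access(acme)

    # The same token no longer works once the company's access is disabled.
    outcome["alice_after"] = "allowed" if is_authorised(portal, token) else "blocked"
    return outcome


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome of each check; `is_authorised` is the hook a request middleware would call before handling any Ordering API request.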

4. Dynamic Notification Routing

Email notification links now route users to the correct portal based on their company's access:

  • Ordering Portal access enabled → Link to ordering.ftsonline.com.au
  • No Ordering Portal access → Link to platform.ftsonline.com.au/customer

Architectural Note

Villar identified that notification routing should be centralised:

"Notification links need to be centralised to a point that deciphers where they are redirected to." This suggests a future improvement to create a single redirect endpoint that determines the correct portal at runtime, rather than embedding portal-specific URLs in email templates.
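The dynamic routing in change 4 and the centralised endpoint proposed in the architectural note, as an added example that is not First to Site's own code. Only the two portal URLs come from the release note; the redirect endpoint path, the notification store and the helper names are assumptions. The endpoint chooses the destination from a fixed allowlist based on the company's access at click time, so a link sent before access was disabled still lands on the right portal, and no destination parameter exists for a recipient to tamper with.

```python
"""Central notification redirect: email templates carry one endpoint link,
and the endpoint decides at click time which portal the company may use.
Constructed example; the endpoint path, notification store and helper names
are assumptions, not First to Site's own code. Only the two portal URLs come
from the release note."""
from urllib.parse import parse_qs, urlencode, urlsplit

ORDERING_PORTAL = "https://ordering.ftsonline.com.au"
PLATFORM_PORTAL = "https://platform.ftsonline.com.au/customer"
# Assumed path for the single redirect endpoint.
REDIRECT_ENDPOINT = "https://platform.ftsonline.com.au/notify/redirect"

# Constructed notification store: notification id -> company name.
NOTIFICATIONS = {"n-1001": "Acme Pty Ltd", "n-1002": "Other Co"}
# Constructed company access table, mutable so access can be toggled later.
COMPANY_ACCESS = {"Acme Pty Ltd": True, "Other Co": False}


def build_notification_link(notification_id: str) -> str:
    """Template side: embed only the endpoint plus an opaque id; no portal
    URL and no destination parameter that the recipient could alter."""
    if notification_id not in NOTIFICATIONS:
        raise KeyError(notification_id)
    return f"{REDIRECT_ENDPOINT}?{urlencode({'n': notification_id})}"


def resolve_redirect(link: str) -> str:
    """Endpoint side: look up the company's access *now* and pick the
    destination from a fixed allowlist, so the link can never become an
    open redirect and an access change after sending is honoured."""
    parts = urlsplit(link)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_ENDPOINT:
        raise ValueError("not the redirect endpoint")
    notification_id = parse_qs(parts.query).get("n", [None])[0]
    company = NOTIFICATIONS.get(notification_id)
    if company is None:
        raise ValueError("unknown notification")
    if COMPANY_ACCESS.get(company, False):
        return ORDERING_PORTAL
    return PLATFORM_PORTAL


def demo() -> dict:
    """Same link, resolved before and after the company's access is disabled."""
    link = build_notification_link("n-1001")
    first = resolve_redirect(link)                 # Acme has access today
    COMPANY_ACCESS["Acme Pty Ltd"] = False         # access later disabled
    second = resolve_redirect(link)                # same link, new destination
    COMPANY_ACCESS["Acme Pty Ltd"] = True          # restore for reruns
    try:                                           # link pointing elsewhere is refused
        resolve_redirect("https://example.invalid/notify/redirect?n=n-1001")
        tampered = "resolved"
    except ValueError:
        tampered = "rejected"
    return {"link": link, "first": first, "second": second,
            "other": resolve_redirect(build_notification_link("n-1002")),
            "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

In a real service `resolve_redirect` would sit behind the endpoint handler and answer with an HTTP redirect to the returned URL; the email template never needs to know which portal exists.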