Ordering Portal Access Enforcement
Closed access control loophole in the ordering system
Problem
A Royston user (Lee) was able to order through the new Ordering Portal without having authorised access. She populated an FTS assessment through the new process despite her company not having portal access enabled.
From the Chat Logs
Matt raised the alarm on Feb 8:
"Royston User Lee somehow able to order through the new platform - how is this possible? She populated an FTS assessment through the new process without having access"
Additionally, Royston users gained access via notification email links directing them to the Ordering Portal:
"Royston now has access to the new platform due to updated links in the email notifications. Please confirm if this is intended?"
Root Cause
Jayrex identified that portal access enforcement was inconsistent:
"The portal access toggle was being enforced at specific checkpoints, while some active sessions were still valid under existing authentication flow. In those cases, users could continue until the next enforcement point."
Fix
Access enforcement was tightened across three checkpoints:
- Login validation - checked at sign-in
- Ordering API authorisation - checked on every API call
- Active-session checks - retroactive enforcement for existing sessions
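The three checkpoints above, sketched as an added example (this is not the Ordering Portal's own code; the stack is not stated here, and PortalGate, AccessDenied, denied and the "ExampleCo" company are hypothetical names). Each checkpoint reads the live company toggle, so a session that predates enforcement cannot carry a user past it:

```python
import secrets
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Company does not have Ordering Portal access enabled."""

@dataclass
class PortalGate:
    portal_enabled: dict                          # company -> toggle (constructed data)
    sessions: dict = field(default_factory=dict)  # token -> (user, company)

    def _enforce(self, company):
        # One shared check reading the live toggle, never a value cached at login.
        if not self.portal_enabled.get(company, False):
            raise AccessDenied(company)

    def login(self, user, company):
        self._enforce(company)                    # checkpoint 1: login validation
        token = secrets.token_hex(16)
        self.sessions[token] = (user, company)
        return token

    def create_order(self, token, item):
        if token not in self.sessions:
            raise AccessDenied("no session")
        user, company = self.sessions[token]
        self._enforce(company)                    # checkpoint 2: every ordering API call
        return {"user": user, "company": company, "item": item}

    def revoke_stale_sessions(self):
        # checkpoint 3: retroactively drop sessions whose company has no access
        stale = [t for t, (_, c) in self.sessions.items()
                 if not self.portal_enabled.get(c, False)]
        for t in stale:
            del self.sessions[t]
        return stale

def denied(fn, *args):
    """Return True if the call is refused with AccessDenied."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True

# Constructed scenario: a session that predates enforcement, toggle off for the company.
gate = PortalGate({"Royston": False, "ExampleCo": True},
                  sessions={"sess-legacy": ("lee", "Royston")})
```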
Impact
Prevented unauthorised project and order creation. Users from companies without Ordering Portal access now see an access restriction on sign-in.