PROCEED-Labs/proceed

Security concerns

Opened this issue · 1 comment

Leaked user environments

The server action getAllUserWorkspaces in src/management-system-v2/lib/sharing/process-sharing.ts doesn't verify who the requester is, meaning that if you know a user's ID, you can get the organizations he is a part of.

generateSharedViewerUrl

generateSharedViewerUrl in src/management-system-v2/lib/sharing/process-sharing.ts doesn't verify the requester. From what I can see, this means that if you know a process's ID and when it was shared, you can access it. Even if the timestamp is not known, it is easier than brute-forcing the share secret.
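An added example of the pattern both reports point at, written for this page and not taken from PROCEED's code: a server action should derive the requester from the server-side session rather than from a caller-supplied ID, and a share link should carry a random stored token rather than anything derivable from the process ID and share time. The `Session`, `ProcessRecord`, `AuthError` types, the seed data and the function signatures are all assumptions made for the example; only the two function names come from the issue.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Stand-ins for the session and data store a real server action would use.
// These types and the seed data below are constructed for the example.
export type Session = { userId: string } | null;
export type ProcessRecord = { id: string; ownerId: string; shareToken: string | null };

export class AuthError extends Error {}

// Constructed sample data: which organizations each user belongs to, plus one process.
export const memberships: Record<string, string[]> = {
  "user-1": ["org-a", "org-b"],
  "user-2": ["org-c"],
};
export const processes = new Map<string, ProcessRecord>([
  ["proc-1", { id: "proc-1", ownerId: "user-1", shareToken: null }],
]);

// Shape of the reported flaw: the caller names the user and nothing checks that
// the caller *is* that user, so any known user ID enumerates its memberships.
export function getAllUserWorkspacesUnchecked(userId: string): string[] {
  return memberships[userId] ?? [];
}

// Hardened form: identity comes from the server-side session, never from the
// request. An explicit userId is accepted only when it matches the session.
export function getAllUserWorkspaces(session: Session, userId?: string): string[] {
  if (!session) throw new AuthError("not signed in");
  const target = userId ?? session.userId;
  if (target !== session.userId) throw new AuthError("forbidden");
  return memberships[target] ?? [];
}

// Hardened share-link generation: the requester must own the process, and the
// link carries a random 256-bit token stored with the record, so knowing the
// process ID and the time of sharing gives an attacker nothing to derive.
export function generateSharedViewerUrl(
  session: Session,
  processId: string,
  baseUrl = "https://proceed.example.invalid", // hypothetical host
): string {
  if (!session) throw new AuthError("not signed in");
  const proc = processes.get(processId);
  // One error for "no such process" and "not yours", so IDs cannot be probed.
  if (!proc || proc.ownerId !== session.userId) throw new AuthError("forbidden");
  if (!proc.shareToken) proc.shareToken = randomBytes(32).toString("base64url");
  return `${baseUrl}/shared-viewer?token=${encodeURIComponent(proc.shareToken)}`;
}

// Resolving a share link: compare the presented token against stored tokens in
// constant time, so the lookup itself does not leak partial matches.
export function resolveShareToken(token: string): ProcessRecord | null {
  const candidate = Buffer.from(token);
  for (const proc of processes.values()) {
    if (!proc.shareToken) continue;
    const stored = Buffer.from(proc.shareToken);
    if (stored.length === candidate.length && timingSafeEqual(stored, candidate)) return proc;
  }
  return null;
}
```

The check to add in a real server action is the first two lines of each hardened function: obtain the session on the server, refuse unauthenticated calls, and compare the session identity against whatever the request names. Storing the share token and looking it up is what makes the link revocable; recomputing it from process ID plus timestamp is not.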

Thanks, I will look into it.