Inconsistent tenant context in administrative support mode
Summary
An issue was identified in the administrative support mode ("view as customer") where the selected customer context was not applied consistently across all services.
As a result, a support session could display data from the administrator's own context alongside data from the selected customer's context when navigating between different parts of the platform.
What Happened
WAYSCloud provides a support feature that allows authorized administrators to access the platform from a customer's perspective for troubleshooting and assistance.
During internal testing, we discovered that this feature behaved inconsistently across certain services.
While some components correctly resolved the selected customer context, others continued to operate using the administrator's own context.
This inconsistency was caused by differences in how authentication and authorization were handled across internal service layers.
Impact
The issue could lead to incorrect data being displayed in certain views when using administrative support mode.
The behavior was limited to internal support workflows and required authorized administrative access. It was not present in standard customer usage of the platform.
We have found no evidence of unauthorized data access or data extraction.
Actions Taken
- Standardized authentication and authorization handling across affected services
- Enforced consistent resolution of customer context in support mode
- Replaced implicit fallback behavior with explicit access validation
- Improved request context handling to ensure correct tenant attribution
- Added audit logging for administrative support activity
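The following is an added illustration of the pattern described above, not WAYSCloud code: two service layers that disagree about which tenant a support-mode request belongs to, beside a single shared resolver that validates the selected customer explicitly, refuses rather than falls back, and writes an audit record. The role name, grant table and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str                # the administrator's own tenant
    roles: frozenset

@dataclass(frozen=True)
class Request:
    principal: Principal
    support_tenant: Optional[str]  # tenant selected in "view as customer" mode, if any

# Hypothetical grant table: which administrators may view which customer tenants.
SUPPORT_GRANTS = {"admin-1": {"cust-42"}}
AUDIT_LOG = []

def tenant_legacy_service(req: Request) -> str:
    """Inconsistent pattern, part one: a service layer that never learned about
    support mode keeps operating in the administrator's own context."""
    return req.principal.tenant_id

def tenant_support_aware_service(req: Request) -> str:
    """Part two: a layer that honours the selected tenant, but via an implicit
    fallback rather than a validated decision. The two layers now disagree."""
    return req.support_tenant or req.principal.tenant_id

def mixed_view(req: Request) -> bool:
    """True when the two layers attribute the same request to different tenants."""
    return tenant_legacy_service(req) != tenant_support_aware_service(req)

def resolve_tenant(req: Request) -> str:
    """Hardened, shared resolver used by every service: a support tenant is applied
    only after explicit role and grant checks, the switch is audited, and a request
    that fails validation is refused instead of silently using the admin context."""
    p = req.principal
    if req.support_tenant is None:
        return p.tenant_id
    allowed = "support_admin" in p.roles and req.support_tenant in SUPPORT_GRANTS.get(p.user_id, set())
    if not allowed:
        raise PermissionError(f"{p.user_id} is not authorized to view tenant {req.support_tenant}")
    AUDIT_LOG.append({"event": "support_mode_view", "actor": p.user_id, "acting_as": req.support_tenant})
    return req.support_tenant
```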
Preventive Measures
- Ongoing consolidation of authentication logic to reduce duplication
- Additional validation of request context across service boundaries
- Strengthened audit logging for privileged access patterns
- Continued work to simplify and standardize internal authorization mechanisms
