In the new version of EasyMorph Server, a new authorization is needed to read connectors from the server and modify them. So you may think that when you have the read-only authorization you cannot get the connector content, but actually … you still can. Why?
Because the repo.sqlite of a space must have read rights for the service account, and because tasks are launched by the service account. So today a user can create a task listing all the files accessed by the service account and their content. It means he can read the encrypted passwords inside repo.sqlite and use them in EasyMorph, which is a security break. Generally speaking, it's a real problem that a task is launched by the service account, with the service account's rights, particularly for file system access.
How can this be secured? Do you have any idea?