Mobile app lets users circumvent role limitations - should respect role permissions

[fewobergsonne]

At the moment, using the mobile app as a restricted user lets you circumvent some security related restrictions.

Specifically in my case, we have a sub-account for the cleaner. The cleaner is set to the role "Cleaner" which results in being able to look at the names and dates of the guests for the next stays, but not at the prices and of course not the messages we exchange with the guests - at least when being logged in via browser.

It now occured to me that the cleaner can indeed access the prices charged for the stay and also access the guest's communication when using the mobile app! The security settings connected to the role are not taken into account when using the mobile app. This is fatal to me because it violates some data privacy regulations in people seeing information that they are not entitled to see (internal vs. external).

[ashergibson]

Thank you for bringing this to our attention. This is something we're currently reviewing, and we appreciate you highlighting how it’s affecting your setup.

[fewobergsonne]

Thank you for bringing this to our attention. This is something we're currently reviewing, and we appreciate you highlighting how it’s affecting your setup.

Thanks for your feedback. I created a workaround for our cleaners which should work 'okay' for the moment. I believe it is best for both users and Beds24 to have a permanent solution for this and am happy if you are very aware of the situation.

[beachcomberboss]

@fewobergsonne

What's the workaround?

@Beds24

I'm also interested in this.

[ashergibson]

We are certainly aware of this issue. While we can’t give a timeline, a permanent solution may be implemented in the future.

[24bedslad]

I would like to know when this is fixed too. I also would like my cleaner to use the app to see room status but not prices or messages.