Hubitat over HTTPS/SSL using Apache

To further supplement why this existing in this system is unacceptable, please review this Stack Overflow link from 2011: security - Are secret URLs truly secure? - Stack Overflow

Giving up the UUID of a device that, from what I can tell, doesn’t even change via a complete reset, and an OAuth token that will allow you access to every dashboard until you reset it and have to rebuild any and all dashboard links.

You have a portal that has login capability. This could be utilized to get an OAuth token with a refresh token, which would typically be stored in a cookie and not exposed directly as part of the URL, and which could keep a session logged in for a very long time. This would also provide sessions that could be revoked for dashboards.

The system as it stands now allows no ability to revoke access without then granting access back to everyone with access. It also will not grant partial access unless everything is secured by a separate PIN.

If you read the post that started this all, it is about a usability issue in the dashboard menu that has been known about for over a year.

The cause is the mixed content which almost every modern browser is blocking.

If these are not specific enough, then please reach out and I can provide further documentation.
