Short URLs no longer seem to honor the security_tenant designation, produces 404 error

Hello. I’m running into this issue after upgrading to 2.1.0.

  • Have a multi-tenant setup in place.
  • Create a Short URL, which has a tenant designation included, like this one:
  • Switch your tenant in the UI to some other tenant. So your session is not longer active on “my-awesome-tenant”.
  • Try to navigate to the Short URL you created in the previous steps.
  • You’ll find you get a plaintext 404 error message. {"statusCode":404,"error":"Not Found","message":"Saved object [url/765d02d648d8a53030ec68362e846e42] not found"}

If you switch to the target tenant “my-awesome-tenant” in your UI, then navigate to the Short URL you generated, bam it works. It seems the ?security_tenant=my-awesome-tenant part of the Short URL is no longer being honored or executed sufficiently.

I’m able to reliably recreate this. I’m having to tell my stakeholders they must switch their tenant in the UI to the target tenant before attempting to navigate to any Short URLs. Less than ideal.

This issue happens with fresh new Short URLs, so it doesn’t seem to matter if the Short URL was part of an upgrade or import.

Looks like there is already a github issue for this, and apparently the fix will be in the upcoming security plugin version