With our next release (v0.8), we have fixed and improved a lot around application security. If you are an app developer, please check whether your application is affected.
- We removed the user context from applications and devices.
- Applications get their own user within a project, which has the same permissions as a project member.
- This means apps always have the same permissions. With the next release you will be able to extend the permissions, and the user will be notified of the permissions needed when the app is activated and started.
- The application frontend uses the application user, not the currently authenticated user, for requests.
- It is no longer possible for the application to obtain the user token and send it to the app backend. If your application used this hack, note that it was always discouraged; please change it.