Track Hospitality — API Access Matrix

Client: Awayday / CMSC
Tester: R. Rittich
Date: 2026-03-12
Legend
200  = Access Granted
403  = Denied / Blocked
RBAC = Role-Dependent
N/A  = Not Applicable
?    = Untested
!    = Critical Finding Row
Sections: Data Endpoints | Credential Endpoints | Web UI Config | Role Comparison | Cookie vs JWT
Data Endpoints

| API Endpoint | Finding | Session Cookie (Cookie: TrackAuth={hash}) | JWT Bearer (Authorization: Bearer {token}) | Server Key (Basic Auth — permanent) | Channel Key (Basic Auth — permanent) |
|---|---|---|---|---|---|
| PMS / CRM Data | | | | | |
| /api/pms/reservations/ | | 200 | 200 | 200 | 200 |
| /api/pms/owners/ (Tax IDs) | PII | 200 | 200 | 200 | 403 |
| /api/pms/owners/statements/ | | 200 | 200 | 200 | 403 |
| /api/crm/contacts/ | | 200 | 200 | 200 | 403 |
| /api/users/ | | 200 | 200 | 200 | 403 |
| /api/pms/folios/ | | 200 | 200 | 200 | 403 |
| /api/pms/channels/ | | 200 | 200 | 200 | 403 |
| /api/files/ (S3 URLs) | | 200 | 200 | 200 | 403 |
| /api/pms/maintenance/work-orders/ | | 200 | 200 | 200 | 403 |
| /api/pms/documents/ | | 403 | 403 | ? | 403 |
| Property / Inventory | | | | | |
| /api/pms/units/ | | 200 | 200 | 200 | 200 |
| /api/pms/nodes/ | | 200 | 200 | 200 | 200 |
| /api/pms/images/ | | 200 | 200 | 200 | 200 |
| Financial / Accounting | | | | | |
| /api/pms/accounting/gateways/ | | 200 | 200 | ? | 403 |
| /api/pms/accounting/accounts/ | | 200 | 200 | ? | 403 |
Credential Endpoints

| Credential / Config Endpoint | Finding | Session Cookie (Cookie: TrackAuth={hash}) | JWT Bearer (Authorization: Bearer {token}) | Server Key (Basic Auth) | Channel Key (Basic Auth) |
|---|---|---|---|---|---|
| /api/preferences/ (Twilio, Plaid, E-Sign, KMS, EIN) | API-010 | 200 | 200 | 401 | 401 |
| /api/crm/preferences/ (Angular SPA — RBAC enforced) | | RBAC | RBAC | 401 | 401 |
| /api/authentication/ (JWT issuance) | API-009 | 200 | 200 | 401 | 401 |
| /api/pms/accounting/gateways/ (masked credentials) | | 200 | 200 | ? | 401 |
Web UI Config

| Web UI Page (server-rendered PHP — not /api/) | Finding | Super User Cookie | Staff/GM/PU Cookie | JWT (any role) | Server Key | Channel Key |
|---|---|---|---|---|---|---|
| /system/api-keys/ (server key listing) | API-004 | 200 | 302 | 302 | N/A | N/A |
| /system/api-keys/view-data/{id}/ (key+secret AJAX) | API-004 | 200 | 302 | 302 | N/A | N/A |
| /pms/config/channel/update/{id}/ (channel key+secret in HTML) | | 200 | 302 | 302 | N/A | N/A |
| /pms/config/gateway-preferences/{type}/ (payment creds — plaintext) | | 200 | 302 | 302 | N/A | N/A |
Role Comparison

| Action | Finding | Super User | Staff / GM / PU | External Partner (Channel Key) | External Integration (Server Key) |
|---|---|---|---|---|---|
| Data Access | | | | | |
| Reservations, owners, contacts, folios, users, files | | Full | Full | Blocked | Full |
| Reservations, units, nodes, images only | | Full | Full | Full | Full |
| Credential Harvesting | | | | | |
| Third-party API creds (Twilio, Plaid, KMS, EIN) | API-010 | Full | Full | Blocked | Blocked |
| Track server API keys | API-004 | Full | Blocked | Blocked | Blocked |
| Track channel API keys | | Full | Blocked | Blocked | Blocked |
| Payment gateway credentials (plaintext) | | Full | Blocked | Blocked | Blocked |
| Auth Capabilities | | | | | |
| Obtain 24-hour JWT | API-009 | Yes | Yes | Blocked | Blocked |
| Web UI config page access | | Full | 302 | N/A | N/A |
Cookie vs JWT

| Behavior | Finding | Session Cookie (Cookie: TrackAuth={hash}) | JWT Bearer Token (Authorization: Bearer {token}) |
|---|---|---|---|
| Access Scope | | | |
| API data access | | Full | Identical |
| /api/preferences/ (third-party creds) | | 200 | 200 |
| Web UI config pages | | Role-dep. | Always 302 |
| Persistence & Risk | | | |
| Survives logout | API-009 | No — killed | Yes — 24hrs |
| Survives password change | | No | Yes |
| Idle timeout | | ~45 min | None |
| Revocation mechanism | | Logout / kill | None |
| Issuance | | | |
| Issued via | | Login (browser) | /api/authentication/ (cookie exchange) |
| Cross-tenant isolation | | Tenant-bound | Tenant-bound |

Summary

Findings: 10 (API-001 through API-010)
Critical: API-010 (/api/preferences/ RBAC bypass)
Tenants Tested: 4 (cross-tenant isolation confirmed)
Auth Methods: 4 (Cookie, JWT, Server Key, Channel Key)