Able to call ExecuteFunction from a TitleId to multiple different environments

Hi,

I'm able to access all TitleIds from a single one that I'm logged in. In our game we have different TitleIds for Dev, QA and Prod. I can call ExecuteFunction on functions on Dev when logged in on Prod. Steps to reproduce:

Call LoginWithEmailAddress with a player that exists already in both Prod and Dev, pointing to the Prod TitleId.
Get the resulting EntityToken from the response.
Call ExecuteFunction with Prod TitleId and title_player_account Entity.Id the Id from the Dev player.

Results: The Execute function is run on Dev even though we are pointing to Prod.

Expected results: I would say an error as the title_player_account from Dev does not exists on the TitleId Prod we are pointing to when calling the ExecuteFunction. Also, the EntityToken should be generated and validated for the Prod env we logged in and shouldn't let you valid access to different environments just by changing the Entity.Id in the call.

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Infer Wang commented · Jan 26 at 09:19 AM

Let’s represent Prod’s account with account A, Dev’s account with account B. After calling the function using account A’s entity token and account B in request body, will there be any change to account B?

0 ·