When using Full Construction sources in Design, the page that auto-generates is added to all WebApp groups with full edit/delete access. (1) That breaks the security model, and (2) that is not made clear to the user. The group add should be controlled by the CranSoft.dbo.BaseGroup table, like it is on the manual page add. At GenRe we are starting a security audit and came across these pages. I've confirmed this code is still executed as of 6.5.2.
webTargetSource_CreatePageIns is the SP that executes from Console and apiCranSoftWebAppGroupPage_AllGroups_Ins is the underlying SP in Common that adds the groups.
Here is the change I am making to the Common SP to add a join to BaseGroup:
[CranSoft].dbo.[WebAppGroup] INNER JOIN [CranSoft].dbo.[BaseGroup] ON
[CranSoft].dbo.[WebAppGroup].[GroupName] = [CranSoft].dbo.[BaseGroup].[GroupName]