Hi Talhah,

Security is often overlooked by developers. Everyone should know that access rules should be carefully applied to all entities. Although overview pages may not exist, one can access any record in the database if not restricted correctly, as reveiled by the pentest. In that way, you can still do all the actions the testers did, but only have access to records you are allowed to access.

So, what to do?

1. Close your app for anonymous users if possible, to limit the exposure of future mistakes. 
2. Check the access rules for every entity in every module: the union of applicable rules will be applied
3. Check if the module roles are correctly linked to user roles (not granted too much module roles)
4. Check if users are correctly linked to users (not granted too much roles)

If you have any further questions or concerns, let me know!

Good luck! Johan

This sounds like you've not configured your application security properly. 

Security is a big topic, but an obvious thing to check is that individual users have XPath Constraints applied to their role that limit access to data only to that specific user. You can give admin users more powerful roles that have the ability to access other's details if necessary.

I suggest refreshing yourself with Access Rules in the Mendix documentation as it covers how to do this.

https://docs.mendix.com/refguide/access-rules/

You may also want to look at the Configure Advanced Security learning path in the Mendix Academy as it covers this topic in greater depth.

https://academy.mendix.com/link/paths/9/Configure-Advanced-Security

Good luck!