No Access Controls On Client Portal Templates/Relations Allows Unauthorized Access Of Client Data.

[GlitchWitch]

Hey there,

I'm testing out budibase to help me build a project management and client portal not too dissimilar from the Agency Client Portal Template. However when setting this up there does not appear to be any real access controls in place to prevent clients from viewing other clients data?

For example, if I add a new Basic user and set their client to Client2 they only see projects tagged with Client2 within the budibase application. However if they were to intercept the request made for this data they would see the following:

"equal":{"Client":"Client2"},

If they change this to "equal":{"Client":""}, they would have access to all projects across all clients.

Am I missing something here? What can be done to prevent this? Certainly there must be a way to prevent this that wasn't included in this template or the documentation, it's a security and compliance nightmare. Not to mention it goes against the advertising on the template:

It’s also crucial to ensure that client data is not shared with unauthorized parties.

---

Steps to reproduce

1. Use the Agency Client Portal Template
2. Edit any entry under the Agency Projects table and change the client to Client2
3. Create a new user with basic permissions, add Client2 to the client field.
4. Login as this user, observe that only one project is visible on the app.
5. Repeat the request, but remove the "equal":{"Client":""}, filter from the HTTP request.
6. All projects become visible to client.
   

---

Edit: I tested this against the Client Portal for Accountants template and found the same thing:

Can we get an updated guide and templates that call out how to properly secure this kind of data?

[mjashanks]

Hi @GlitchWitch

Thanks for reporting this. You're right - we RBAC doesn't currently support the ability to control access per record or per related records. It's simply read/write on the entire table.

I wouldn't equate this to "rbac non-existent" though.

It definitely raises the issue of a "Client Portal" template though - so thank you :)

[GlitchWitch]

Thanks for the reply @mjashanks! I'm glad you can see why the lack of this kind of access controls does pose an issue to the security of data in the advertised Client Portal use case of Budibase.

Are per related record access controls something that we'll see implemented in Budibase anytime soon?

[GlitchWitch]

p.s I've updated the title to more accurately reflect this topic, as you are right "rbac non-existent" does not quite fit.

[mjashanks]

Are per related record access controls something that we'll see implemented in Budibase anytime soon?

It's not on our roadmap at the moment. It does get asked for now and again, so I'd like to get it done eventually - but it wont be in the next few months for sure.

I have logged a feature request here: #4789

[GlitchWitch]

Hey @mjashanks, was this something that was ever addressed? I see the logged feature request is still open.