users without read permission can access all items via internal api (backend)

[raffaelj]

Users with backend access, but without read permission for collections can access all entries of all collections via internal api. This enables the content link functionality, but makes the CMS useless for multi user setups.

Steps to reproduce:

• create collection "sensitive_data" with at least one entry
• create role "restricted" and keep all permissions disabled
• assign role "restricted" to a user
• login as that user
• open url in browser to access internal api directly

Display all entries of "sensitive_data" via /content/collection/find:

https://domain.tld/content/collection/find/sensitive_data?options[]=

Without the ?options[]= parameter, an error is thrown.

Display a single entry of "sensitive_data" via /content/populate (if _id parameter is known):

https://domain.tld/content/populate?data[0][_model]=sensitive_data&data[0][_id]=779af80a3132308ce20003bf

In v1 I disabled these open routes by default with my rljUtils addon and I never used collection links again.

[aheinze]

Should be fixed in dev. Thanks!