Users with backend access but without read permission for collections can access all entries of all collections via the internal API. This enables the content link functionality, but makes the CMS useless for multi-user setups.
Steps to reproduce:
1. create collection "sensitive_data" with at least one entry
2. create role "restricted" and keep all permissions disabled
3. assign role "restricted" to a user
4. log in as that user
5. open a URL in the browser to access the internal API directly
Display all entries of "sensitive_data" via `/content/collection/find`:
https://domain.tld/content/collection/find/sensitive_data?options[]=
Without the `?options[]=` parameter, an error is thrown.
Display a single entry of "sensitive_data" via `/content/populate` (if the `_id` parameter is known):
https://domain.tld/content/populate?data[0][_model]=sensitive_data&data[0][_id]=779af80a3132308ce20003bf
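The check the report says is missing, as an added example in Python that is not the project's own code and not part of the reporter's post. It models the two routes from the report with a deny-by-default permission check, keeps the unchecked behaviour beside the hardened one for comparison, and adds an audit over access-log lines so an operator can find reads that a role should not have been able to make. The permission-string format (`collections.<name>.read`), the wildcard admin role, the log line format and all users and entries are constructed assumptions, not the CMS's real permission model.

```python
import re
from dataclasses import dataclass

# --- constructed sample data; the permission model is hypothetical ---
ROLE_PERMISSIONS = {
    "restricted": set(),                     # the role from the report: nothing enabled
    "editor": {"collections.posts.read"},
    "admin": {"*"},                          # wildcard stands in for an admin role
}

COLLECTIONS = {
    "sensitive_data": [{"_id": "779af80a3132308ce20003bf", "note": "constructed secret"}],
    "posts": [{"_id": "p1", "title": "hello"}],
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when a user lacks read permission on a collection."""


def can_read(user: User, collection: str) -> bool:
    """Deny by default: a collection is readable only if the role grants it explicitly."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    return "*" in perms or f"collections.{collection}.read" in perms


def vulnerable_find(user: User, collection: str) -> list:
    """Behaviour described in the report: a backend session is enough, the role is never consulted."""
    return list(COLLECTIONS.get(collection, []))


def find(user: User, collection: str) -> list:
    """Hardened /content/collection/find: the permission check runs before any query."""
    if not can_read(user, collection):
        raise Forbidden(f"{user.name} ({user.role}) may not read {collection}")
    return list(COLLECTIONS.get(collection, []))


def populate(user: User, data: list) -> list:
    """Hardened /content/populate: every {_model, _id} reference is checked against the
    user's permission on the referenced collection; unreadable refs resolve to None
    instead of leaking the entry."""
    out = []
    for ref in data:
        model, _id = ref.get("_model"), ref.get("_id")
        if not model or not _id or not can_read(user, model):
            out.append(None)
            continue
        out.append(next((e for e in COLLECTIONS.get(model, []) if e["_id"] == _id), None))
    return out


# --- detection: flag successful internal-API reads by roles without read permission ---
LOG_RE = re.compile(r"user=(?P<user>\S+) role=(?P<role>\S+) GET (?P<path>\S+) (?P<status>\d{3})")
FIND_RE = re.compile(r"^/content/collection/find/(?P<collection>[^/?]+)")
POPULATE_RE = re.compile(r"^/content/populate\?.*data\[\d+\]\[_model\]=(?P<collection>[^&]+)")


def audit_log(lines: list) -> list:
    """Return (user, collection, path) for each 200 response on one of the two routes
    where the requesting role has no read permission on the targeted collection."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["status"] != "200":
            continue
        target = FIND_RE.match(m["path"]) or POPULATE_RE.match(m["path"])
        if not target:
            continue
        user = User(m["user"], m["role"])
        if not can_read(user, target["collection"]):
            hits.append((user.name, target["collection"], m["path"]))
    return hits


SAMPLE_LOG = [  # constructed lines in a hypothetical "user= role= GET path status" format
    "user=alice role=restricted GET /content/collection/find/sensitive_data?options[]= 200",
    "user=bob role=editor GET /content/collection/find/posts?options[]= 200",
    "user=alice role=restricted GET /content/populate?data[0][_model]=sensitive_data&data[0][_id]=779af80a3132308ce20003bf 200",
    "user=carol role=admin GET /content/collection/find/sensitive_data?options[]= 200",
]

if __name__ == "__main__":
    alice = User("alice", "restricted")
    print("unchecked route returns", len(vulnerable_find(alice, "sensitive_data")), "entries to the restricted role")
    try:
        find(alice, "sensitive_data")
    except Forbidden as exc:
        print("hardened route:", exc)
    for hit in audit_log(SAMPLE_LOG):
        print("suspicious read:", hit)
```

Both hardened handlers resolve the permission from the role before touching the collection, so a role with every permission disabled gets a 403-style error from `find` and a `None` placeholder from `populate` rather than the entry; the audit only reports 200 responses because a request that was already denied needs no follow-up.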
In v1 I disabled these open routes by default with my rljUtils addon and I never used collection links again.