This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

Enforce read blacklist permission on filter #717

Closed
wellingguzman opened this issue Jan 21, 2019 · 7 comments

Comments

@wellingguzman
Contributor

Bug Report

Filtering by a read blacklisted field is not enforced. Even if the field is not on the result, you can still filter by the field value. (Ref: #667)

Steps to Reproduce

Add any field to read blacklist, and try to filter by that field.

Expected Behavior

It should throw an exception

Actual Behavior

No error; the filter gets processed.

@wellingguzman wellingguzman added the bug Something isn't working label Jan 21, 2019
@benhaynes benhaynes added this to Needs triage in Bug Triage via automation Jan 21, 2019
@benhaynes benhaynes moved this from Needs triage to High priority in Bug Triage Jan 21, 2019
@rijkvanzanten rijkvanzanten added this to To do in v2.0.16 Jan 22, 2019
@rijkvanzanten rijkvanzanten added this to To do in v2.0.17 Jan 30, 2019
@rijkvanzanten rijkvanzanten added this to To do in v2.0.18 Feb 4, 2019
@wellingguzman
Contributor Author

If a user has read blacklist permission set on a field, they shouldn't be able to filter by its content. This is a similar issue to the one reported in #667.


@alex-vasilchenko-md

alex-vasilchenko-md commented Mar 13, 2019

OK, I figured it out; I found where in the UI to set it up. I would suggest making it visible that you can actually click on "All" to expand fields. I would suggest having a blue "edit" link next to "All" or something like this; it's not hard to do!

Then I had a look at how to fix this permission issue in a similar way to here: d5edccb

It was easy to find that we need to add a permission check here: https://github.com/directus/directus/blob/master/src/core/Directus/Database/TableGateway/RelationalTableGateway.php#L815 (or probably at the fetchData level later)

After that I realized that we have different permissions for each status: for some statuses we can have read permission, for some statuses not. For example, no read permission for "draft" status, but having it for all other statuses. How should this fix work then? Should we block it anyway? Or should we filter only those records which have statuses with read permission if we search across all statuses?

@benhaynes
Sponsor Member

Thanks @alex-gorovyi!! It seems that if you do not have permission to a field for a specific status, we should ignore those items entirely, but still show/filter any other items where you do have permission to that field.

Does that make sense? I know this is pretty complicated!
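The behaviour agreed on in this thread (reject a filter on a field the role can never read, and for per-status blacklists drop the items whose status hides the field before the filter runs, so the filter cannot be used as an oracle for hidden values) can be sketched as follows. This is an added example, not Directus code: the filter shape (`field => value`, equality only), the `'*'` convention for "all statuses", the function names and the sample rows are all assumptions made for the demonstration.

```php
<?php
// Added example (not Directus code): enforce a per-status read blacklist
// when evaluating a user-supplied filter. The filter shape, the blacklist
// shape, the function names and the sample data are assumptions.

declare(strict_types=1);

final class FilterPermissionDeniedException extends RuntimeException {}

/**
 * $readBlacklist maps a status (or '*' meaning every status) to the list of
 * field names the role may not read in items carrying that status.
 * Returns the statuses for which $field is hidden.
 */
function blacklistedStatusesFor(string $field, array $readBlacklist): array
{
    $statuses = [];
    foreach ($readBlacklist as $status => $fields) {
        if (in_array($field, $fields, true)) {
            $statuses[] = (string) $status;
        }
    }
    return $statuses;
}

/**
 * Applies $filter to $items while enforcing the read blacklist:
 *  - a field hidden for every status ('*') cannot be filtered on at all, so
 *    the request is refused instead of silently narrowing the result;
 *  - a field hidden only for some statuses causes items in those statuses to
 *    be removed before the filter is evaluated, so their hidden values are
 *    never compared against attacker-chosen input.
 */
function applyFilterWithBlacklist(array $items, array $filter, array $readBlacklist): array
{
    $excludedStatuses = [];
    foreach (array_keys($filter) as $field) {
        $statuses = blacklistedStatusesFor((string) $field, $readBlacklist);
        if (in_array('*', $statuses, true)) {
            throw new FilterPermissionDeniedException(
                sprintf('Filtering by field "%s" is not permitted', $field)
            );
        }
        $excludedStatuses = array_merge($excludedStatuses, $statuses);
    }
    $excludedStatuses = array_unique($excludedStatuses);

    // Step 1: drop every item whose status hides one of the filtered fields.
    $visible = array_filter($items, static function (array $item) use ($excludedStatuses): bool {
        return !in_array((string) $item['status'], $excludedStatuses, true);
    });

    // Step 2: apply the (equality) filter to what is left.
    return array_values(array_filter($visible, static function (array $item) use ($filter): bool {
        foreach ($filter as $field => $value) {
            if (!array_key_exists($field, $item) || $item[$field] !== $value) {
                return false;
            }
        }
        return true;
    }));
}

// Constructed sample data for the demonstration.
$items = [
    ['id' => 1, 'status' => 'published', 'title' => 'Hello', 'salary' => 100, 'ssn' => 'x'],
    ['id' => 2, 'status' => 'draft',     'title' => 'Hello', 'salary' => 100, 'ssn' => 'y'],
    ['id' => 3, 'status' => 'published', 'title' => 'Other', 'salary' => 200, 'ssn' => 'z'],
];
$readBlacklist = [
    '*'     => ['ssn'],     // never readable by this role
    'draft' => ['salary'],  // hidden only while the item is a draft
];

// 'salary' is hidden for drafts only: the draft is excluded before the
// filter sees it, published items are filtered normally.
$result = applyFilterWithBlacklist($items, ['salary' => 100], $readBlacklist);
echo json_encode(array_column($result, 'id')), PHP_EOL;

// 'ssn' is hidden for every status: the filter is refused outright.
try {
    applyFilterWithBlacklist($items, ['ssn' => 'x'], $readBlacklist);
} catch (FilterPermissionDeniedException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Refusing the `'*'` case with an exception rather than returning an empty set is what the bug report asks for ("It should throw an exception"); returning an empty set would still tell the caller whether the field exists, and silently ignoring the filter would return the whole collection as if the filter had matched.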

itsmerhp pushed a commit to itsmerhp/api that referenced this issue May 9, 2019
binal-7span pushed a commit that referenced this issue May 15, 2019
* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #717
@binal-7span
Contributor

Fixed in #944

Bug Triage automation moved this from High priority to Closed May 15, 2019
binal-7span pushed a commit that referenced this issue Jun 17, 2019
* pgsql 10 initial support

* email_notification column must be set as a boolean

* Handle unique column collisions

* BUG delta in revisions can be null

* BUG transformed the remaining lastInsertValue into getLastGeneratedId()

* Pass new item flag to o2m new items

Closes https://github.com/directus/app/issues/1418

* Don't show popover for 0 items / no template

Closes https://github.com/directus/app/issues/1397

* Bug fix (#848)

* Merge conflict resolve

* Handle item not found exception in collection detail API

* Extended the list of safe tags (#849)

As described in issue #832

* Issue fix #819 (#851)

* Mark adding new item as new in m2m

* Bump version

* Revert composer changes

* Issue fix #843 (#852)

* BUG searches with LIKE on non-textual columns

* Remove the extensions from the API

* Issue fix #847 (#857)

* Issue fix #833 (#859)

* Initial commit for documentation (#844)

* Revert "Initial commit for documentation (#844)" (#868)

This reverts commit 6e85d59.

* BUG Bypass Zend-db choice not to allow nullable boolean fields

* BUG field length were not taken into account

* CHORE duplicated line

* BUG o2m working + post-alter table event dispatching

* Return object in delete after hook instead of only ID (#882)

* Add fix for big file sizes

Closes #750

* Add migrations for hash and single-file

* Show correct fields in roles.users

For some reason the database column for options was empty

Closes https://github.com/directus/app/issues/1471

* Delete ISSUE_TEMPLATE.md

* security notice

* Add check for mod_php before setting php_value for upload size

This will prevent errors on systems that don't allow overriding the php
values from within the .htaccess files. This will only check for php 7+
though, as the mod_php directive is version specific. This is okay for
now, as we officially only support PHP 7.1+

* Change field width from integer to string

This will allow the app to render the fields in the correct widths
starting with v7.2.

* Issue fix #854 (#896)

* Add migrations for setting field notes and widths

Lays out the settings a bit nicer and adds setting descriptions.

Fixes https://github.com/directus/app/issues/1379

* Fix sort order of fields on install

* Increase specificity of migrations so it doesn't target non-settings

* Move collection notes to the DB

I'm aware that this makes them English only for the time being.
Once we implement using the translation column in the app, we
can make them properly translatable.

* Fix abstraction name

* Add migrations for misc fields

Sorting of files, making a couple interfaces required, etc

* Bump version

* Fix: Wrong MIME for extensions in uppercase (#895)

* FEAT more events that invalidate the cache (#892)

* Allowing string relations (#800)

* emoji support for comments and bookmark names

* Use JSON interface for system collections

* Fixing custom primary key primary key column name (#881)

Swapping this variable seems to resolve the issue.

* Bump version

* Issue #885 (#898)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* Issue#885 - Done

* #885 Removed Test cases

* Issue #886 (#899)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* Issue#885 - Done

* Issue#886 - Done

* #886 Reverted unwanted code

* Issue #884 (#901)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #884 Done

* #884 Removed Test cases

* Issue #884 - Change (#907)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #884 Done

* #884 Removed Test cases

* #884 change

* Fix#810 (#908)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #810 done

* #810 Reverting Test Cases

* Issue Fix #902 (#909)

* Issue fix #902

* Add migration for allow value nullable in settings table

* Set texttype for value field

* Doc issue fix #84 (#910)

* Issue fix #841 (#911)

* Increase expiry time of tokens from 5 to 20 minutes (#913)

It should still be pretty secure. This allows the app to go easier on
the refreshing, and it makes sure that you can upload large files
without having the token expire halfway through.

* Fix missing ref to 5 min exp

* Issue Fix #863 (#916)

* Issue fix #853 (#918)

* Issue Fix #920 (#922)

* Issue Fix #920

* Issue Fix #920

* Issue fix #879 (#924)

* [thumbnailer] Support for files in subdirectories (#856)

Many websites store images in a complex directory structure. This PR
makes it possible to use thumbnailer in such cases.

For instance :
`/thumbnail/_/100/100/crop/good/complex/path/to/some-image.jpg`

* defaults cors.max-age to 600 (#921)

* Bump version

* Fix 943 (#947)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #943

* Fix 717 (#944)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #717

* Fix 576 (#926)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #576 - In progress

* #576 O2M and M2O nested filters

* #576 Fix O2M and M2O nested filters

* get proper string length (#933)

Not tested... I only based this PR on:

Ref: 0fce6a4#commitcomment-33408113

* fixed settings logo (#940)

* added collection/table to InvalidFieldException (#956)

* Fix 931 (#936)

* Test cases : Authentication - Auth, Forgot Password, Collections - Create, Delete

* #931

* #931

* Issue fix #917 (#960)

* reuse item service instead of using a new instance (#959)

* Issue fix 762 (#961)

* Plain text mail issue resolve (#966)

* Bump version
Labels: bug (Something isn't working)

Projects: Bug Triage - Closed; v2.0.15 - Awaiting triage; v2.0.16 - To do; v2.0.17 - To do; v2.0.18 - To do