Secure way to allow Edit/Create/Delete for admin role users only without privilege escalation vulnerabilites.

[flachdaniel]

Hi!
I just started using pocketbase, loving it so far. I have a view only application for regular users and I want to create an app user with admin role which can create/edit/delete records.

I added a single select role field to the users collection:

And then for my other view only collection I added the following rules, so only users with admin role can create/edit/delete it:

In my application the users can edit their profiles. So allowing them the update rule on the users collection is a must.

How to prevent users from privilege escalation?
I solved it in this way (using request.data.role), so users are not able to create or update their role to "admin". Is this secure ? Is there a better "more pocketbasy" way of doing this?

[ganigeorgiev]

Yes, the above users Update rule is OK if you want to prevent "user->admin" updates but note that it will also prevent admins to edit their account (unless they downgrade to "user" or skip the role submission).

An alternative Update API rule could be:

// is the currently authenticated user
id = @request.auth.id &&
(
    // role is not submitted with the request, aka. no changes
    @request.data.role:isset = false ||
    // the submitted role is the same as the current record one, aka. again no changes
    @request.data.role = role
)

This will be simplified in the future as several users complained that the above is not always clear (eg. #4688) and I have it in my todo to think a little more on it but the general Go APIs refactoring is a higher priority for now.

Side-note: Depending on your use case, you may also want to mark the role field as "Nonempty" to prevent empty "" submission (if that's not allowed).

[flachdaniel]

Thanks for the answer! Did not think about the admin user updates, this is clear now. I was guessing from the examples on the https://pocketbase.io/docs/api-rules-and-filters/ page.