Secure way to allow Edit/Create/Delete for admin role users only without privilege escalation vulnerabilities. #5103
Replies: 1 comment 1 reply
Yes, the above `users` Update rule is OK if you want to prevent "user->admin" updates but note that it will also prevent admins from editing their account (unless they downgrade to "user" or skip the role submission).

An alternative Update API rule could be:

```
// is the currently authenticated user
id = @request.auth.id &&
(
  // role is not submitted with the request, aka. no changes
  @request.data.role:isset = false ||
  // the submitted role is the same as the current record one, aka. again no changes
  @request.data.role = role
)
```

This will be simplified in the future as several users complained that the above is not always clear (e.g. #4688) and I have it in my todo to think a little more on it but the general Go APIs refactoring is a higher priority for now.

Side-note: Depending on your use case, you may also want to mark the …
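Added illustration (not PocketBase's own rule evaluator, and not code from the thread): a small Python model of how the alternative Update rule above decides on a request, including the `:isset` distinction between a role that is omitted and one that is resubmitted unchanged. The `record`, `auth_id` and `data` names and the sample users are assumptions constructed for the example.

```python
# Models the rule from the reply:
#   id = @request.auth.id &&
#   (@request.data.role:isset = false || @request.data.role = role)
# Assumptions: `record` is the stored users row being updated, `auth_id` is
# the id of the authenticated user (None when unauthenticated) and `data` is
# the submitted request body. This is an illustration, not PocketBase's code.
from typing import Any, Mapping, Optional

_UNSET = object()  # sentinel: field not present in the request body at all


def update_rule_allows(record: Mapping[str, Any],
                       auth_id: Optional[str],
                       data: Mapping[str, Any]) -> bool:
    """Return True when the modelled rule would let the update through."""
    # id = @request.auth.id : only the record owner may update it; an
    # unauthenticated request has no auth id and is rejected outright
    if auth_id is None or record["id"] != auth_id:
        return False
    # @request.data.role:isset = false : role omitted from the body, so the
    # stored role cannot change and the update is fine
    submitted_role = data.get("role", _UNSET)
    if submitted_role is _UNSET:
        return True
    # @request.data.role = role : role was submitted, allowed only when it
    # equals the stored value (again no change); any other value is escalation
    return submitted_role == record["role"]


# Constructed sample records
USER = {"id": "u1", "role": "user", "name": "alice"}
ADMIN = {"id": "a1", "role": "admin", "name": "root"}


def demo_cases() -> dict:
    """Evaluate the rule over the cases discussed in the reply."""
    return {
        "user edits own name": update_rule_allows(USER, "u1", {"name": "alicia"}),
        "user tries role=admin": update_rule_allows(USER, "u1", {"name": "x", "role": "admin"}),
        "user resubmits role=user": update_rule_allows(USER, "u1", {"role": "user"}),
        "admin edits own account keeping role": update_rule_allows(ADMIN, "a1", {"role": "admin", "name": "r"}),
        "user edits someone else": update_rule_allows(USER, "a1", {"name": "x"}),
        "unauthenticated": update_rule_allows(USER, None, {"name": "x"}),
    }
```

The "admin edits own account keeping role" case is the one the reply singles out: the alternative rule admits it, whereas a rule that simply rejects any submitted admin role would not.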