This repository has been archived by the owner on Dec 22, 2023. It is now read-only.

Able to query records with acl set to public:false #55

Closed
2 tasks
cheungpat opened this issue Jun 28, 2016 · 5 comments

@cheungpat
Contributor

cheungpat commented Jun 28, 2016

When a record is set with ACL [{"public": false}], fetching records by a user other than the owner exhibits correct behavior:

$ http localhost:3000 action=record:fetch access_token=5e6f8c43-3f6b-44ce-96c8-59a97525a4ba ids:='["comment/6a4f53e2-8102-4de1-b845-3d0d9249acdc"]'
{
    "result": [
        {
            "_id": "comment/6a4f53e2-8102-4de1-b845-3d0d9249acdc",
            "_type": "error",
            "code": 102,
            "message": "no permission to read",
            "name": "PermissionDenied"
        }
    ]
}

But querying for the record type will return the record:

$ http localhost:3000 action=record:query access_token=5e6f8c43-3f6b-44ce-96c8-59a97525a4ba record_type=comment
{
    "result": [
        {
            "_access": [
                {
                    "level": ""
                }
            ],
            "_created_at": "2016-06-28T05:58:58.174264Z",
            "_created_by": "f25fca56-073e-4b74-8a2f-ca040a085804",
            "_id": "comment/6a4f53e2-8102-4de1-b845-3d0d9249acdc",
            "_ownerID": "f25fca56-073e-4b74-8a2f-ca040a085804",
            "_type": "record",
            "_updated_at": "2016-06-28T05:58:58.174264Z",
            "_updated_by": "f25fca56-073e-4b74-8a2f-ca040a085804",
            "body": "Lovely!",
            "post": {
                "$id": "post/5ec13be4-b701-4502-b26c-a19ee1122180",
                "$type": "ref"
            }
        }
    ]
}
  • Skygear Server Date/Version: 0.12.1
  • Application Platform:
  • Is this a regression?
  • Attached logs, screenshots

Expected Results

Should not return the record because of ACL setting in place.

Actual Results

Returned the record, ignoring ACL setting.

@cheungpat
Contributor Author

And I don’t know why the _access settings become [{"level":""}] instead of the intended [{"public": false}].

@cheungpat
Contributor Author

I just tried with this ACL setting and record:query returns the record anyway:

                {
                    "level": "read",
                    "relation": "$direct",
                    "user_id": "713a3a64-743d-4e79-9b43-cb3ea888b504"
                }

@cheungpat cheungpat self-assigned this Jun 28, 2016
@cheungpat
Contributor Author

Turns out [{"public": false}] is undefined and should not appear in the database.

@cheungpat
Contributor Author

This is due to the request lacking the database_id field, and this causes the query handler to ignore the ACL.

@cheungpat
Contributor Author

superseded by #58

@royuen royuen added this to the 0.13 milestone Jun 29, 2016
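
The failure mode diagnosed in this thread (an ACL check that is skipped when a request field is missing), as an added example that is not part of the original issue and is not Skygear Server code. It is a simplified Go model: every type and function name is hypothetical, and the one-record store is constructed for the example.

```go
package main

import "fmt"

// Simplified model of the bug class in this issue; not Skygear Server code.
// All types and names here are hypothetical.
type Record struct {
	ID, OwnerID string
	Readers     map[string]bool // user IDs granted read access
}

type QueryRequest struct {
	UserID, DatabaseID, RecordType string
}

func canRead(r Record, userID string) bool {
	return r.OwnerID == userID || r.Readers[userID]
}

// queryFailOpen models the reported behaviour: the ACL filter only runs
// when the request names a database, so omitting the field skips the check.
func queryFailOpen(store []Record, req QueryRequest) []Record {
	var out []Record
	for _, r := range store {
		if req.DatabaseID != "" && !canRead(r, req.UserID) {
			continue
		}
		out = append(out, r)
	}
	return out
}

// queryFailClosed filters every record unconditionally, so a missing or
// empty request field can never widen what the caller is allowed to read.
func queryFailClosed(store []Record, req QueryRequest) []Record {
	var out []Record
	for _, r := range store {
		if canRead(r, req.UserID) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	store := []Record{{ID: "comment/1", OwnerID: "owner"}} // constructed sample
	req := QueryRequest{UserID: "other", RecordType: "comment"}
	fmt.Println(len(queryFailOpen(store, req)), len(queryFailClosed(store, req)))
}
```

A regression test for this class of bug should issue the same query with and without each optional field, as a non-owner, and assert that the result set never grows when a field is dropped.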