Don't fetch populate private data #1678
Comments
Well, that is big. Good news it is still in alpha :)
@arsenx I think there is a misunderstanding about permissions and data access. Permissions do not block relation data access; they block controller actions.
@lauriejim I think what he is saying is that via the REST route that data wouldn't show up (could be wrong, haven't tried setting up a relation to the users model), but that GraphQL is doing something that REST blocks.
@arsenx were you able to get password hashes?
Password hashes are not returned due to a parameter on the field in Strapi which I will check later today. This parameter option is not shown on the GUI. I know that GraphQL is not supposed to handle this, but there should be some more light shed on this situation since this does not occur in standard REST calls. It may be confusing at first because we do set access control for the field, but this does not apply in the event of a relationship call.
Let me know if you would like me to write in more detail.
… On Aug 22, 2018, at 12:10 PM, DMehaffy ***@***.***> wrote:
@arsenx <https://github.com/arsenx> were you able to get password hashes?
I don't quite understand the issue here. You get the exact same result using the REST API as using GraphQL. I've tried to reproduce it with this basic schema: Private:
Public:
So, creating a 'private' object, and a 'public' object linked to it. Allowing permission for unauthenticated users to perform 'GET' only on the '/public' endpoint. Here is the result I get using the REST API:
And using GraphQL:
So, the problem does not seem to come from the GraphQL plugin, since the behavior is the same. However, it is true that it would be great to have a 'fine' permissions system.
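The comment above pins the behaviour down: the permission check is applied to the controller action on the `public` endpoint, not to the `private` records that get pulled in through the relation. The following is an added illustration, not Strapi code and not from anyone in this thread; it uses a constructed in-memory store with the same two-model shape (a `public` record linked to a `private` one), a role-to-model permission table, and a hypothetical populate step. The naive version expands relations unconditionally, so a role that may only read `public` still receives the `private` record; the checked version applies the same per-model read check to each related record and omits the field when the requester could not read that model directly.

```javascript
// Added example (not Strapi's implementation): relation population with and
// without a per-model permission check. All data below is constructed.

// role -> model -> allowed actions (hypothetical permission table)
const permissions = {
  public: { public: new Set(['find']) },
  authenticated: { public: new Set(['find']), private: new Set(['find']) },
};

// Constructed records mirroring the schema in the comment: a public object
// holding a relation (by id) to a private object.
const db = {
  private: [{ id: 1, secret: 'internal note' }],
  public: [{ id: 10, title: 'hello', private: 1 }],
};

// Which fields of a model are relations, and to which model they point.
const relations = { public: { private: 'private' } };

function canRead(role, model) {
  return Boolean(permissions[role] && permissions[role][model] &&
                 permissions[role][model].has('find'));
}

// Controller-level check: this is what a direct GET on the model enforces.
function findAll(role, model) {
  if (!canRead(role, model)) {
    throw new Error(`403: role "${role}" may not read "${model}"`);
  }
  return db[model].map(r => ({ ...r }));
}

// Naive populate: expands every relation regardless of who is asking.
function populateNaive(record, model) {
  const out = { ...record };
  for (const [field, target] of Object.entries(relations[model] || {})) {
    out[field] = db[target].find(r => r.id === record[field]) || null;
  }
  return out;
}

// Checked populate: a related record is expanded only if the requester could
// read its model directly; otherwise the relation field is dropped entirely.
function populateChecked(role, record, model) {
  const out = { ...record };
  for (const [field, target] of Object.entries(relations[model] || {})) {
    if (!canRead(role, target)) {
      delete out[field]; // do not leak the foreign id either
      continue;
    }
    out[field] = db[target].find(r => r.id === record[field]) || null;
  }
  return out;
}

// Two query paths over the public endpoint, differing only in populate.
function naiveQuery(role) {
  return findAll(role, 'public').map(r => populateNaive(r, 'public'));
}

function checkedQuery(role) {
  return findAll(role, 'public').map(r => populateChecked(role, r, 'public'));
}

// Direct access to the private model is rejected for the public role, yet the
// naive path still hands the private record back through the relation.
// naiveQuery('public')[0].private.secret   -> 'internal note'
// checkedQuery('public')[0].private        -> undefined
```

The design point is that a populate step is just another read of the related model and should go through the same authorization decision as a direct request to that model; filtering at the resolver (or in a model-level policy) rather than only at the route is what closes the gap the thread describes.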
See #2161
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/privacy-issue-with-graphql-users-permissions-plugin/3212/1
I guess this issue should be reopened
Information
What is the current behavior?
When querying a private table that has a relationship to a public table we are able to get access to unauthorized data.
Steps to reproduce the problem
GraphQL query a private table through a public table
Here is a link to a video I made to show the behavior. https://www.useloom.com/share/f3998defd8ad4c0a8600c8f66dce81c0
What is the expected behavior?
Return unauthorized message
Suggested solutions
Many ways to go about this depending on the source code which I haven't gone through.