
Big Security issue #9

Open
panos-stavrianos opened this issue Feb 5, 2024 · 1 comment

Comments

@panos-stavrianos

Hello, this is basically opening up the whole database to the public.
Shouldn't there be at least a very big warning about that in the README?
This extension is very useful, but unless this is addressed, it can only be used in closed environments.

Do you have any ideas about how to secure it?
Something query based, I think it would be a good start.

For example

  • User read permissions for cqp_queries: id in [1,2]
  • Public read permissions for cqp_queries: id in [3]

If you are interested in a PR I could give it a go!

@panos-stavrianos
Author

I think that's it for a simple permissions check.

const customQueryService = new ItemsService(CUSTOM_QUERY_COLLECTION, { schema: req.schema });

Changed to this

const customQueryService = new ItemsService(CUSTOM_QUERY_COLLECTION, { schema: req.schema, accountability: req.accountability });

If the user (of the request) has no access to the query, Directus will return

{
	"error": "You don't have permission to access this."
}

Otherwise it proceeds as before.
