Manual flows may cause security risks that the user isn't aware of #22299

Open
SeanDylanGoff opened this issue Apr 23, 2024 · 3 comments

Comments

@SeanDylanGoff
Contributor

Describe the Bug

When creating a flow with trigger "Manual", the trigger Button will only be shown to Users with App & Admin access.
Therefore it's easy to assume that there is some sort of permission checking - which doesn't exist. IMO this poses a security risk.

I believe the best way to address this would be to add a permissions check to all Webhook/Manual flows, that by default only enables Admins to execute the flow. One could then give access to certain roles or to the public role as they wish.

In the meantime a warning should be shown when creating Manual/Webhook flows.

To Reproduce

  1. Create a flow with manual trigger
  2. Send a POST request without credentials to /flows/trigger/ID_OF_NEW_FLOW

Directus Version

v10.10.4

Hosting Strategy

Self-Hosted (Docker Image)

@shipsides-sparknel

The platform philosophy of being agnostic to this type of configuration is supported by the inclusion of $trigger.accountability on manually fired flows:

image

This way, it's up to the author of the flow to implement as much or as little security as they want.

You can also enable/restrict visibility of specific flows within the app by changing a role's read permissions to the IDs within directus_flows.

@br41nslug
Member

Misconfigured flows (and extensions) can definitely pose a security risk if permissions are not properly checked. The general rule of thumb is don't expose admin features to non-admin users unless you're certain the flow/extension is "safe" to do so.

@SeanDylanGoff
Contributor Author

> Misconfigured flows (and extensions) can definitely pose a security risk if permissions are not properly checked. The general rule of thumb is don't expose admin features to non-admin users unless you're certain the flow/extension is "safe" to do so.

The problem is that I believe most users will not realise that a manual flow is NOT restricted to admins (even though it's ONLY shown to admins in the app), but actually PUBLIC!

Basically I'm arguing that a large part of flows created are "misconfigured" security-wise without the creator realising.
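
An added example, not part of the thread and not Directus code: a default-deny guard a flow author could run as the first step of a manual or webhook flow, following the admin-only default proposed in the issue and the accountability data mentioned in the comments. It assumes the accountability object is found at `$trigger.accountability` as stated above and carries `user`, `role` and `admin` fields; `authorizeTrigger`, `guardFlow`, the policy options and the sample callers are hypothetical names constructed for illustration.

```javascript
// Default-deny authorization for a flow reachable via POST /flows/trigger/<id>.
// Assumption: accountability looks like { user, role, admin }; an
// unauthenticated caller arrives with no user (or no accountability at all).
function authorizeTrigger(accountability, policy = {}) {
  const { allowedRoles = [], allowPublic = false } = policy;
  const acc = accountability ?? {};

  // No authenticated user: allowed only if the flow author opted in explicitly.
  if (!acc.user) {
    return allowPublic
      ? { allowed: true, reason: 'public access explicitly enabled' }
      : { allowed: false, reason: 'unauthenticated caller' };
  }
  // Strict comparison so a truthy string such as "false" is not treated as admin.
  if (acc.admin === true) return { allowed: true, reason: 'admin' };
  if (acc.role && allowedRoles.includes(acc.role)) {
    return { allowed: true, reason: 'role allow-listed' };
  }
  return { allowed: false, reason: 'role not allow-listed' };
}

// Hypothetical first operation of a flow: throwing stops the rest of the chain.
function guardFlow(data, policy) {
  const decision = authorizeTrigger(data?.$trigger?.accountability, policy);
  if (!decision.allowed) {
    throw new Error(`flow trigger denied: ${decision.reason}`);
  }
  return decision;
}

// Constructed sample payloads (not captured from a real instance).
const SAMPLE_CALLERS = {
  anonymous: { $trigger: { accountability: { user: null, role: null, admin: false } } },
  editor: { $trigger: { accountability: { user: 'user-1', role: 'role-editor', admin: false } } },
  admin: { $trigger: { accountability: { user: 'user-2', role: 'role-admin', admin: true } } },
  missing: { $trigger: {} },
};

for (const [name, data] of Object.entries(SAMPLE_CALLERS)) {
  const d = authorizeTrigger(data.$trigger.accountability, { allowedRoles: ['role-editor'] });
  console.log(`${name}: ${d.allowed ? 'ALLOW' : 'DENY'} (${d.reason})`);
}
```

With an empty policy only the admin caller passes; the editor passes only once its role is allow-listed, and anonymous callers pass only when `allowPublic` is set.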

Projects
Status: 📋 Backlog