- Operating System : Mac OSX 18.0.0
- Wappler Version : 1.9.6
Security Restrict does not work as expected when used to “Secure your server side data” for any role other than “All Logged In” in the back end.
When I log the all the queries to my DB I do not see a query that is checking the roles that a user ID has before returning the data. As a result any user that is logged in can see the data returned by the action regardless of the required role.
On the contrary, when I use the roles on the front end to deny access to a page (as described here) the roles work as expected - I get a “Forbidden” response if I try to access a page that requires a role that my user ID is not in. If I log the queries to my DB I can see a select query that runs to check that the user is in the required group.
Steps to reproduce
- Follow the tutorial to Secure your server side data
- Add additional roles in the Security Provider
- Set the role to require a group other than “All Logged In”
- Create a server connect action that requests the data
- Log a user in that is not in the group set in step 3.
- Request the data
This is related to the discussion that I started here and that I spent a few hours testing further today.