Bug Report from ASmyth #2019-3-2_23-21-55

security

#1

OS info

  • Operating System : Mac OSX 18.0.0
  • Wappler Version : 1.9.6

Problem description

Security Restrict does not work as expected when used to “Secure your server side data” for any role other than “All Logged In” in the back end.
When I log all the queries to my DB I do not see a query that is checking the roles that a user ID has before returning the data. As a result, any user that is logged in can see the data returned by the action regardless of the required role.

On the contrary, when I use the roles on the front end to deny access to a page (as described here) the roles work as expected - I get a “Forbidden” response if I try to access a page that requires a role that my user ID is not in. If I log the queries to my DB I can see a select query that runs to check that the user is in the required group.

Steps to reproduce

  1. Follow the tutorial to Secure your server side data
  2. Add additional roles in the Security Provider
  3. Set the role to require a group other than “All Logged In”
  4. Create a server connect action that requests the data
  5. Log a user in that is not in the group set in step 3.
  6. Request the data

This is related to the discussion that I started here and that I spent a few hours testing further today.


#2

Hi @ASmyth,
I will test this and will let you know what’s wrong.


#3

I have been able to create a workaround which runs a database query to check the user's group (same query as the front end) called AdminRestrict. Then I run a condition {{AdminRestrict.count() > 0}} to determine if they are allowed access.
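One way to implement the server-side gate that the workaround in #3 describes, as an added Python example (not Wappler's own code): a membership query whose count must be greater than zero before the action returns data. The `users` and `user_roles` tables and the `ALL_LOGGED_IN` sentinel are assumptions, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample data (assumed schema, not from the report): a users table
# and a user_roles membership table, as a Security Provider might store them.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE user_roles (user_id INTEGER NOT NULL, role TEXT NOT NULL,
                         PRIMARY KEY (user_id, role));
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO user_roles VALUES (1, 'admin'), (1, 'user'), (2, 'user');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_logged_in(conn, user_id):
    """The only check the report observed: the session's user exists."""
    row = conn.execute("SELECT 1 FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def user_in_role(conn, user_id, role):
    """The workaround from #3: count membership rows, allow only if > 0."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM user_roles WHERE user_id = ? AND role = ?",
        (user_id, role),
    ).fetchone()
    return count > 0


def restrict(conn, user_id, required_role):
    """Server-side gate for a data action, returning an HTTP-style status.
    Both checks run on the server for every request; a page-level check in
    the front end does not protect the data endpoint itself."""
    if user_id is None or not is_logged_in(conn, user_id):
        return 401
    if required_role != "ALL_LOGGED_IN" and not user_in_role(conn, user_id, required_role):
        return 403
    return 200
```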