Server Action Security Restrict is not filtering out per Permission

Wappler Version : 2.1.3
Operating System : Windows 10

Expected behavior

Security Restrict should only proceed with actions (query1 in this case) for users that have the required admission (Admin in this case)

Actual behavior

However, all logged in users, regardless of the permission are able to execute query1.
(On the other hand, the Security Provider Enforcer on the frontend is filtering permissions properly but i believe that having this security issue on the backend is a serious security problem)

How to reproduce

cf. previous picture

Hi @Elias,
We are going to check this.

1 Like

Hi @Teodor were you able to reproduce the above?

Can confirm this is happening for me as well.

PHP deployment.

1 Like

Thanks @mebeingken for your feedback
@George @Teodor I believe this a serious security issue then, can you please advise on how to address this bug?

I am just investigating this now - will let you know if there’s a bug with this.

1 Like

This turned out to be a small typo in the code.
Will be fixed in today’s update.

Note this problem only affected selecting specific users roles. The security restrict step is working fine restricting every non-logged user :slight_smile:

yes agreed. that’s what I was mentioning:

Thank you for solving it

Thanks for the update in 2.1.4…now working!