Server Action Security Restrict is not filtering out per Permission

Wappler Version : 2.1.3
Operating System : Windows 10

Expected behavior

Security Restrict should only proceed with actions (query1 in this case) for users that have the required admission (Admin in this case).

Actual behavior

However, all logged-in users, regardless of permission, are able to execute query1.
(On the other hand, the Security Provider Enforcer on the frontend is filtering permissions properly, but I believe that having this security issue on the backend is a serious security problem.)

How to reproduce

cf. previous picture

Hi @Elias,
We are going to check this.

Hi @Teodor, were you able to reproduce the above?
Thanks

Can confirm this is happening for me as well.

PHP deployment.

Thanks @mebeingken for your feedback.
@George @Teodor I believe this is a serious security issue then. Can you please advise on how to address this bug?

@Elias
I am just investigating this now - will let you know if there’s a bug with this.

This turned out to be a small typo in the code.
Will be fixed in today’s update.

Note this problem only affected selecting specific user roles. The security restrict step is working fine restricting every non-logged-in user :)

Yes, agreed. That’s what I was mentioning:


Thank you for solving it.

Thanks for the update in 2.1.4…now working!
