Users with backend access, but without read permission for collections can access all entries of all collections via internal api. This enables the content link functionality, but makes the CMS useless for multi user setups.
Steps to reproduce:
create collection "sensitive_data" with at least one entry
create role "restricted" and keep all permissions disabled
assign role "restricted" to a user
login as that user
open url in browser to access internal api directly
__Display all entries of "sensitive_data" via /content/collection/find:__
aheinze
commented
1 year ago
Users with backend access, but without read permission for collections can access all entries of all collections via internal api. This enables the content link functionality, but makes the CMS useless for multi user setups.
Steps to reproduce:
__Display all entries of "sensitive_data" via
/content/collection/find:__https://domain.tld/content/collection/find/sensitive_data?options[]=Without the
?options[]=parameter, an error is thrown.Display a single entry of "sensitive_data" via
/content/populate(if_idparameter is known):https://domain.tld/content/populate?data[0][_model]=sensitive_data&data[0][_id]=779af80a3132308ce20003bfIn v1 I disabled these open routes by default with my rljUtils addon and I never used collection links again.