OfficeDev / microsoft-teams-apps-requestateam

Power Platform based solution that allows users to request teams and automates team creation. NO LONGER MAINTAINED. Please use 'Provision Assist' - https://github.com/pnp/provision-assist-m365/ instead.
MIT License
235 stars, 66 forks

Security Issue with SharePoint Connection #371

Open svoytas opened 2 years ago

svoytas commented 2 years ago

Description

Please correct me if I am wrong, but as far as I understand the app user has to have read and write access on the "Teams Requests" list, because within PowerApps the SharePoint Connector always works in the context of the current user. And we use that very same connector to

That means that by design every user in my organization, who wants to use the app, must be granted read and write permissions on that list.

But what stops a user from simply opening the SharePoint list in the browser and creating a new entry with an "Approved" status, thereby triggering the Logic App, which will actually create a new team without any approval?

Steps to reproduce

  1. Open SharePoint
  2. Login as normal user
  3. Edit the list (create new entry or self-approve another Pending entry by editing the status)

Expected results

List can't be edited

Actual Results

Logic App is triggered - team is created

Solution component

Power App

Operating system (environment)

Windows

Additional Info

No response
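The trust boundary the report describes, as an added example that is not part of the issue and not code from this project: a Python model in which users hold read/write on the "Teams Requests" list and provisioning fires on Status == "Approved". The naive check trusts the column, which is exactly what the reproduction steps abuse. The hardened check instead looks at who made the transition to "Approved", using the fact that SharePoint records the editor of every item version. The approvers group, user names and list items are all constructed for the example, and the version-history model is an assumption about how the check would be fed in a real flow.

```python
"""Constructed model of the trust boundary described in the issue above.

Users hold read/write on the "Teams Requests" list, and provisioning fires
whenever an item's Status is "Approved".  The naive check trusts the column;
the hardened check looks at who made the transition to "Approved", which
SharePoint records as the Editor of each item version.  Group membership,
names and items below are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed approvers group (constructed; in SharePoint this would be a site group)
APPROVERS = {"approver@contoso.example"}


@dataclass
class Version:
    editor: str   # who saved this version (SharePoint: Editor / Modified By)
    status: str   # value of the Status column in this version


@dataclass
class RequestItem:
    item_id: int
    author: str                                   # requester (Created By)
    versions: List[Version] = field(default_factory=list)

    @property
    def status(self) -> str:
        return self.versions[-1].status

    def save(self, editor: str, status: str) -> None:
        """Anyone with contribute rights can save, including the author."""
        self.versions.append(Version(editor, status))


def naive_should_provision(item: RequestItem) -> bool:
    """The behaviour the issue describes: trust the Status column."""
    return item.status == "Approved"


def approval_transition(item: RequestItem) -> Optional[Version]:
    """Return the version that most recently moved the item into Approved."""
    transition = None
    prev_status = None
    for version in item.versions:
        if version.status == "Approved" and prev_status != "Approved":
            transition = version
        prev_status = version.status
    return transition


def hardened_should_provision(item: RequestItem, approvers=APPROVERS) -> bool:
    """Provision only if an approver other than the requester set Approved."""
    if item.status != "Approved":
        return False
    transition = approval_transition(item)
    return (
        transition is not None
        and transition.editor in approvers
        and transition.editor != item.author
    )


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Return {scenario: (naive, hardened)} for the cases in the issue."""
    alice = "alice@contoso.example"          # ordinary requester (constructed)
    bob = "bob@contoso.example"              # another ordinary user (constructed)
    approver = "approver@contoso.example"

    legit = RequestItem(1, alice)
    legit.save(alice, "Pending")
    legit.save(approver, "Approved")               # real approver sets Approved

    created_approved = RequestItem(2, alice)
    created_approved.save(alice, "Approved")       # new entry, already Approved

    self_approved = RequestItem(3, alice)
    self_approved.save(alice, "Pending")
    self_approved.save(alice, "Approved")          # requester edits own Status

    peer_approved = RequestItem(4, alice)
    peer_approved.save(alice, "Pending")
    peer_approved.save(bob, "Approved")            # another non-approver edits it

    return {
        name: (naive_should_provision(item), hardened_should_provision(item))
        for name, item in [
            ("legitimate approval", legit),
            ("created as Approved", created_approved),
            ("self-approved", self_approved),
            ("approved by non-approver", peer_approved),
        ]
    }


if __name__ == "__main__":
    for name, (naive, hardened) in run_scenarios().items():
        print(f"{name:26} naive={naive!s:5} hardened={hardened}")
```

Only the legitimate scenario passes the hardened check; the three abuse cases from the reproduction steps all pass the naive one. The caveat a practitioner should keep in mind: this kind of check only helps if the flow runs under an identity that can read version history and the requester cannot forge the editor of a version, and it does not replace the fix the report actually asks for, which is that requesters should not be able to write the approval state at all.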

dav1dbailey commented 8 months ago

Can an update be provided for this issue please? Still waiting for triage since 08/2022!