WebVella / WebVella-ERP

Free and open-source pluggable ERP and CRM software based on ASP.NET Core 8, RazorPages and PostgreSQL. Targets Linux or Windows as host OS.
https://webvella.com/documents/developer/introduction/overview

API Bug #185

Closed 28106830 closed 1 year ago

28106830 commented 1 year ago

The model is configured to only specify user searches

However, with the API, any user can search.

bzashev commented 1 year ago

Can you send me some more details on the exact entity setup as I cannot simulate this locally. Thanks

28106830 commented 1 year ago

Preliminary work:

  1. Create a new user a

  2. Create a module: aaa, add fields: col0, col1

  3. Set the access permission module aaa, and no one has permission

  4. Add two lines of data to module aaa

Start test:

Use postman

  1. Log in as user a

  2. Access address: localhost:50578/api/v3/en_US/eql with parameters:

    {
      "Eql": "SELECT * FROM a",
      "Parameters": null
    }

  3. According to the configuration, it should be impossible to search, but actually all the data will be searched

I use Baidu Translation, which may be

bzashev commented 1 year ago

We were able to simulate the bug, we are looking into how we can fix it

rumen-yankov commented 1 year ago

Fix is submitted, but we will test it before we package and publish it in the next NuGet.
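
A model of the behaviour the report expects, as an added example that is not WebVella's code or its fix: the query endpoint checks the entity's read permission before running the query and denies by default. The `regular` role, the `task` entity, all function names and the sample records are constructed for illustration; entity `aaa` follows step 2 of the reproduction.

```python
import re

# Constructed data: "aaa" grants read to no role (step 3); "task" is a control entity.
READ_ROLES = {"aaa": set(), "task": {"regular"}}
RECORDS = {
    "aaa": [{"col0": "r1c0", "col1": "r1c1"}, {"col0": "r2c0", "col1": "r2c1"}],
    "task": [{"col0": "t1"}],
}

# Only the entity after FROM is checked; a real EQL parser would also have to
# cover every other entity the query can reach (assumption of this model).
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


class AccessDenied(Exception):
    """Raised instead of returning rows the caller may not read."""


def can_read(entity, user_roles):
    allowed = READ_ROLES.get(entity)
    # Deny by default: unknown entity or empty role set means nobody reads.
    return bool(allowed) and bool(allowed & set(user_roles))


def execute_eql(eql, user_roles):
    """Run a query only after the permission check on its entity passes."""
    match = FROM_RE.search(eql or "")
    if match is None:
        raise AccessDenied("query names no entity")
    entity = match.group(1)
    if not can_read(entity, user_roles):
        raise AccessDenied(f"no read permission on entity '{entity}'")
    return list(RECORDS.get(entity, []))


def query_allowed(eql, user_roles):
    """Return True if the query would run, False if it is refused."""
    try:
        execute_eql(eql, user_roles)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for q in ("SELECT * FROM aaa", "select * from task", "SELECT 1"):
        print(q, "->", "allowed" if query_allowed(q, {"regular"}) else "denied")
```

The same assertions work as a regression test for the reported case: a logged-in user whose roles are not granted read on the entity must get a refusal, not rows.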