Currently upon requesting /export of a data model there is no check for authorization. This is potentially dangerous, because an export is quite demanding on computing time, i.e. the server might be streaming data for several minutes or up to hours.
Introduce read-export as a new permission (action) and check whether the current user is authorized to read-export on the requested data model.
Currently upon requesting
/exportof a data model there is no check for authorization. This is potentially dangerous, because an export is quite demanding on computing time, i.e. the server might be streaming data for several minutes or up to hours.Introduce
read-exportas a newpermission(action) and check whether the current user is authorized toread-exporton the requested data model.Expected work-time: 1h