agentejo / CockpitQL

GraphQL addon for Cockpit CMS - https://github.com/agentejo/cockpit

Respect cockpit permissions #14

Open lucalanca opened 5 years ago

lucalanca commented 5 years ago

Current

It seems that the token parameter is always needed when getting data, even if the requested data has public visibility.

Expected

1. The token is only required when needed. If all the queries have public visibility, then the token is not required.

gryphonmyers commented 5 years ago

Additional data: permissions logic added to the collection (via the CRUD code editor fields under Permissions tab) is not respected when querying via cockpitql. This is a security concern, as potentially sensitive data could be exposed on the cockpitql endpoint.
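
The two points raised in this thread (a token demanded even for public data, and collection permissions not enforced on the GraphQL path) come down to where the authorization check lives. The following is an added example, not code from CockpitQL or Cockpit, showing one way to put the check inside the resolver so that every root field is authorized against the collection's own rule: public collections resolve without a token, non-public ones require a token whose group is in the collection's acl, and a denied field comes back as null with an entry in `errors` rather than leaking. The `COLLECTIONS`, `TOKENS` and `ENTRIES` tables, the `public`/`acl` keys and the `execute`/`resolve_entries` names are all constructed for this illustration and do not reproduce Cockpit's real permission model.

```python
"""Per-collection authorization in front of a GraphQL-style resolver.

Added example, not code from CockpitQL or Cockpit. The collection
configuration, token store and sample entries are constructed for
illustration; Cockpit's real permission model is not reproduced here.
"""
import hmac

# Constructed collection configuration. `public` stands in for the
# "public visibility" flag; `acl` lists the groups that may read entries
# of a non-public collection. Anything not public and not in the acl is denied.
COLLECTIONS = {
    "posts": {"public": True, "acl": []},
    "invoices": {"public": False, "acl": ["admin", "finance"]},
    "drafts": {"public": False, "acl": ["admin"]},
}

# Constructed API token store: token -> group of its owner.
TOKENS = {
    "tok-admin-123": "admin",
    "tok-finance-456": "finance",
}

# Constructed sample entries standing in for the collection store.
ENTRIES = {
    "posts": [{"_id": "p1", "title": "Hello"}],
    "invoices": [{"_id": "i1", "amount": 1200}],
    "drafts": [{"_id": "d1", "title": "Unpublished"}],
}


class Forbidden(Exception):
    """Raised when a request may not read the collection."""


def group_for_token(token):
    """Map a token to its group, or None when no token was sent.

    Comparison is constant-time so token lookup does not leak how many
    leading bytes of a guessed token were correct.
    """
    if token is None:
        return None
    for known, group in TOKENS.items():
        if hmac.compare_digest(known, token):
            return group
    raise Forbidden("invalid token")


def authorize_collection(collection, group):
    """Apply the collection's permission rule to the caller's group.

    Public collections need no token; everything else needs a group
    listed in the collection's acl. Unknown collections are denied too.
    """
    cfg = COLLECTIONS.get(collection)
    if cfg is None:
        raise Forbidden("unknown collection %s" % collection)
    if cfg["public"]:
        return
    if group is None:
        raise Forbidden("%s requires a token" % collection)
    if group not in cfg["acl"]:
        raise Forbidden("%s not readable by group %s" % (collection, group))


def resolve_entries(collection, group):
    """Resolver for one root field. The check lives here, not only at the
    HTTP endpoint, so every path into the data goes through it."""
    authorize_collection(collection, group)
    return list(ENTRIES[collection])


def execute(root_fields, token=None):
    """Execute a query given as a list of root collection fields.

    GraphQL-style: each field resolves independently, and a denied field
    comes back as null with an entry in `errors` instead of failing the
    whole query. A token that is present but invalid fails everything.
    """
    data, errors = {}, []
    try:
        group = group_for_token(token)
    except Forbidden as e:
        return {"data": None, "errors": [{"message": str(e)}]}
    for name in root_fields:
        try:
            data[name] = resolve_entries(name, group)
        except Forbidden as e:
            data[name] = None
            errors.append({"message": str(e), "path": [name]})
    result = {"data": data}
    if errors:
        result["errors"] = errors
    return result


if __name__ == "__main__":
    print(execute(["posts"]))                        # public: no token needed
    print(execute(["posts", "invoices"]))            # invoices denied, posts served
    print(execute(["invoices"], "tok-finance-456"))  # allowed through the acl
```

The design point is that the token is parsed once per request but the permission decision is made per field, so a single query mixing a public collection with a restricted one serves the public part and nulls the rest; an endpoint-level "token present?" gate can neither do that nor honor a per-collection rule.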

gryphonmyers commented 5 years ago

@aheinze This seems pretty critical for production use