alkem-io / server

Core server in the Alkemio platform, offering a GraphQL API for interacting with the logical domain model.
http://alkem.io
European Union Public License 1.2

BUG: Unauthenticated user can see private space references #3020

Open Comoque1 opened 1 year ago

Comoque1 commented 1 year ago

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:

1. Go to https://acc.alkem.io/graphql
2. Perform the following query:

   ```graphql
   query spaces {
     space(ID: "hub-release-27-10-2022") {
       authorization {
         anonymousReadAccess
       }
       nameID
       profile {
         authorization {
           myPrivileges
         }
         displayName
         references {
           authorization {
             myPrivileges
           }
           id
           description
           name
           uri
         }
       }
     }
   }
   ```

3. References data is returned when the user doesn't have read privilege.
![image.png](https://images.zenhubusercontent.com/5f5ff9fd50a1a94a1f25f32c/6c1b67ed-cb9b-418a-8da2-d66f4de204b3)

**Expected behavior**
TBD
techsmyth commented 1 year ago

@Comoque1 this one has potentially cascading implications. If I add a read privilege check on a profile then that would impact access to user profiles for other users etc. Moving to Icebox but tagging with security - to be picked up when we take a deeper look at that topic.
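The space -> profile -> references chain the repro query walks, and the cascading-policy concern in the reply, as an added example that is not Alkemio's code: a toy model in which an unchecked nested resolver returns references to an anonymous agent on a private space, beside a resolver that checks an inherited READ policy at each level. Every type and function name (AuthorizationPolicy, hasReadAccess, inheritFrom, resolveReferences*) is assumed here, not taken from the project.

```typescript
// Added example, not Alkemio's code: a minimal model of READ checks along the
// space -> profile -> references chain from the report. All names here
// (AuthorizationPolicy, hasReadAccess, inheritFrom, resolveReferences*) are assumed.
interface Credential { type: string; resourceID: string }
interface AuthorizationPolicy {
  anonymousReadAccess: boolean;
  readers: Credential[]; // credentials that grant READ on this entity
}
interface Agent { credentials: Credential[] } // an anonymous user holds none
interface Reference { id: string; name: string; uri: string; authorization: AuthorizationPolicy }
interface Profile { displayName: string; references: Reference[]; authorization: AuthorizationPolicy }
interface Space { nameID: string; profile: Profile; authorization: AuthorizationPolicy }

function hasReadAccess(agent: Agent, policy: AuthorizationPolicy): boolean {
  if (policy.anonymousReadAccess) return true;
  return policy.readers.some(r =>
    agent.credentials.some(c => c.type === r.type && c.resourceID === r.resourceID));
}

// Cascade the parent's policy into the child: a child is never more open than its
// parent, which is the "cascading" effect the maintainer's reply is concerned with.
function inheritFrom(parent: AuthorizationPolicy, child: AuthorizationPolicy): AuthorizationPolicy {
  return {
    anonymousReadAccess: parent.anonymousReadAccess && child.anonymousReadAccess,
    readers: [...parent.readers, ...child.readers],
  };
}

// Shape of the reported bug: the nested field is handed back without its own check.
function resolveReferencesUnchecked(_agent: Agent, space: Space): Reference[] {
  return space.profile.references;
}

// Hardened resolver: profile and each reference are checked against inherited policy.
function resolveReferencesChecked(agent: Agent, space: Space): Reference[] {
  const profilePolicy = inheritFrom(space.authorization, space.profile.authorization);
  if (!hasReadAccess(agent, profilePolicy)) throw new Error("READ denied on profile");
  return space.profile.references.filter(ref =>
    hasReadAccess(agent, inheritFrom(profilePolicy, ref.authorization)));
}

// Constructed sample: a private space whose nested entities were left world-readable.
const openPolicy: AuthorizationPolicy = { anonymousReadAccess: true, readers: [] };
const memberCred: Credential = { type: "space-member", resourceID: "space-1" };
const privateSpace: Space = {
  nameID: "private-space",
  authorization: { anonymousReadAccess: false, readers: [memberCred] },
  profile: { displayName: "Private", authorization: openPolicy, references: [
    { id: "ref-1", name: "docs", uri: "https://example.invalid/docs", authorization: openPolicy }] },
};
const anonymous: Agent = { credentials: [] };
const member: Agent = { credentials: [memberCred] };
```

With the constructed sample, the unchecked resolver hands the anonymous agent the reference while the checked one refuses it and still serves the space member.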