apinf / platform

Apinf - Open source API management platform with multi proxy and protocol support
https://apinf.com/
European Union Public License 1.1

ApiLogos.files collection security #1422

Closed. brylie closed this issue 6 years ago.

brylie commented 8 years ago

The ApiLogos collection needs security rules, specifically for the following method:

Task

Double check all collection security rules, to make sure only authorized users can perform database operations:

saransh-dev commented 7 years ago

Hi @brylie @bajiat,

As I have checked,

  1. Administrators can add/edit and delete any API logo.
  2. API owner(s) can add/edit and delete the logo for their own API(s).

Both points are working well.

Thanks & regards, @saransh-dev

bajiat commented 7 years ago

@saransh-dev

Did you also check this on the collection permission rules level?

saransh-dev commented 7 years ago

@bajiat Yes, I checked it by commenting out some code. When I logged in as another user, I could not see the settings tab, so I commented out the condition that controls display of the settings tab and clicked the save button; it shows an "Access denied" error in the browser console.

brylie commented 7 years ago

@saransh-dev what file did you comment code in? We are asking specifically about collection allow/deny rules. Did you look at the collection allow/deny rules?

saransh-dev commented 7 years ago

@brylie, yes, I also checked it in the file permission.js.

marla-singer commented 6 years ago

@preriasusi Closed this issue because the ApiLogo collection has correct permissions: https://github.com/apinf/platform/blob/ce852bf7f099283c42999b437102625a947c11f3/apinf_packages/apis/logo/collection/server/permissions.js#L10-L23
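The point raised in this thread is that hiding the settings tab in the UI is not enforcement; the check has to live in the collection's server-side allow/deny rules. The block below is an added example, not apinf's permissions.js, written as plain functions so it runs without Meteor; it encodes the two rules saransh-dev verified (administrators may change any logo, API owners only their own) and additionally refuses an update that moves a logo to a different `apiId`. The in-memory `users` and `apis` tables, the `managerIds` field and the `admin` role name are constructed assumptions.

```javascript
// Constructed sample data standing in for the Users and Apis collections.
const users = {
  'u-admin': { roles: ['admin'] },
  'u-owner': { roles: [] },
  'u-other': { roles: [] },
};
const apis = {
  'api-1': { managerIds: ['u-owner'] }, // assumed ownership field
};

function isAdmin(userId) {
  const user = users[userId];
  return !!user && user.roles.includes('admin');
}

function isApiManager(userId, apiId) {
  const api = apis[apiId];
  return !!api && api.managerIds.includes(userId);
}

// Single decision shared by all write rules: the caller must be an
// administrator or a manager of the API the logo belongs to. An anonymous
// request (userId null/undefined) or a logo with no API is always denied.
function canModifyLogo(userId, logoDoc) {
  if (!userId || !logoDoc || !logoDoc.apiId) return false;
  return isAdmin(userId) || isApiManager(userId, logoDoc.apiId);
}

// Same shape as Meteor allow rules (userId, doc, fields, modifier); each
// returns true to permit the operation. Changing `apiId` is refused so a
// manager cannot re-parent a logo onto an API they do not manage.
const apiLogosAllowRules = {
  insert: (userId, doc) => canModifyLogo(userId, doc),
  update: (userId, doc, fields) =>
    canModifyLogo(userId, doc) && !fields.includes('apiId'),
  remove: (userId, doc) => canModifyLogo(userId, doc),
};
```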