cap-js / change-tracking

CDS plugin providing out-of-the box support for automatic capturing, storing, and viewing of the change records of modeled entities.
https://cap.cloud.sap/docs
Apache License 2.0
22 stars 8 forks source link

Security Issue for Change View of Exposed Entity #133

Closed I590232 closed 20 hours ago

I590232 commented 4 weeks ago

Hi Team,

Trying to implement security for Change Tracking of an Entity through navigation but still able to access it by expanding through url. I have below service with ErrorPricing Entity for which Change Tracking is enabled. service ErrorPricingService { @(Capabilities: { InsertRestrictions.Insertable: true, UpdateRestrictions.Updatable : true, DeleteRestrictions.Deletable : false }) @odata.draft.enabled: true entity ErrorPricing as projection on errorPricing.ErrorPricing; }

Below is the security service implemented for the entity. annotate ErrorPricingService.ErrorPricing with @(restrict: [ { grant: ['*'], to : 'PriceAdminInternal' }, { grant: ['READ'], to : 'PriceViewerInternal' }, { grant: ['READ'], to : 'PriceAdminExternal' } ]);

I tried using below approach but it results in internal server error. annotate ErrorPricingService.ErrorPricing.changes with @(restrict: [ { grant: ['*'], to : 'PriceAdminInternal' }, { grant: ['READ'], to : 'PriceViewerInternal' }, { grant: ['READ'], to : 'PriceAdminExternal' } ]);

Below are the snapshots from the url from where I am able to access changes by expanding the url. ![Uploading Screenshot 2024-10-29 at 11.29.22 PM.png…]()

mvoros-rs commented 3 weeks ago

Hi,

isn't this a standard limitation of SAP documented here? https://cap.cloud.sap/docs/guides/security/authorization#limitation-deep-authorization

nkaputnik commented 20 hours ago

I would close this issue, since it's not a change-tracking related, but rather a CAP limitation