Closed rgzr closed 6 years ago
When a user has permissions over `prefix.a` and does a `*.list` on that prefix, he receives objects starting with `prefix.ab` too... although he doesn't have permissions on those prefixes.
Fixed in https://github.com/jaracil/nexus/commit/ce27347b07fec6adf8e0f06e3f5a233196d08e09, correctly restricting RethinkDB queries to allowed paths.
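The class of bug reported in this issue, as an added example that is not code from the nexus project or from the linked commit: a raw string-prefix check lets a grant on `prefix.a` match the sibling `prefix.ab`, while a check anchored on the dot separator does not. The function names and sample paths are hypothetical, and the example assumes dot-separated paths; it does not reproduce the RethinkDB query change.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveAllowed (hypothetical name) is a raw string-prefix comparison:
// a grant on "prefix.a" also matches the sibling "prefix.ab".
func naiveAllowed(grant, path string) bool {
	return strings.HasPrefix(path, grant)
}

// segmentAllowed (hypothetical name) treats the grant as a whole
// dot-separated path: it matches the grant itself or anything below it
// ("prefix.a.x"), never a sibling that merely shares leading characters.
func segmentAllowed(grant, path string) bool {
	return path == grant || strings.HasPrefix(path, grant+".")
}

// filterList returns the paths that the given check lets through for at
// least one of the caller's grants, as a list operation would.
func filterList(grants, paths []string, allowed func(g, p string) bool) []string {
	var out []string
	for _, p := range paths {
		for _, g := range grants {
			if allowed(g, p) {
				out = append(out, p)
				break
			}
		}
	}
	return out
}

// Constructed sample data, not taken from the project.
var samplePaths = []string{
	"prefix.a", "prefix.a.task1", "prefix.ab", "prefix.ab.task2", "prefix.b",
}

func main() {
	grants := []string{"prefix.a"}
	fmt.Println("naive:  ", filterList(grants, samplePaths, naiveAllowed))
	fmt.Println("segment:", filterList(grants, samplePaths, segmentAllowed))
}
```

A regression test for this kind of fix should include a sibling path that shares the granted prefix's characters, as `prefix.ab` does here.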