kuzzleio / kuzzle

Open-source Back-end, self-hostable & ready to use - Real-time, storage, advanced search - Web, Apps, Mobile, IoT -
https://kuzzle.io
Apache License 2.0

Erroneous response from getUserRights #1095

Closed scottinet closed 6 years ago

scottinet commented 6 years ago

@plavacquery wrote:

Wrong response from Kuzzle when retrieving user rights.

Expected Behavior

Expected response from Kuzzle :

"result": {
        "hits": [
            {
                "controller": "*",
                "action": "*",
                "collection": "a66-private",
                "index": "a66",
                "value": "allowed"
            }
        ]
}

Current Behavior

Actual response from Kuzzle :

"result": {
      "hits": [
          {
              "controller": "*",
              "action": "*",
              "collection": "a",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "6",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "-",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "p",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "r",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "i",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "v",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "t",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "*",
              "action": "*",
              "collection": "e",
              "index": "a66",
              "value": "allowed"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "a",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "2",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "-",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "p",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "r",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "i",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "v",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "t",
              "index": "a66",
              "value": "denied"
          },
          {
              "controller": "index",
              "action": "list",
              "collection": "e",
              "index": "a66",
              "value": "denied"
          }
      ]
}

You can see that we received a list in which each letter of the 'a66-private' collection corresponds to the letter in the collection fields.

Possible Solution

Steps to Reproduce

  1. Create an index a66 and a collection a66-private
  2. Create the following role
    {
      "policies": [
        {
          "roleId": "paul-role",
          "restrictedTo": [
            {
              "index": "a66",
              "collections": [
                "a66-private"
              ]
            }
          ]
        }
      ]
    }
  3. Use the getUserRights route from the API

Context (Environment)

Kuzzle : 1.2.13

Discussion taken from that issue: https://github.com/kuzzleio/documentation/pull/474

scottinet commented 6 years ago

The profile restriction format is not enforced correctly: profiles with restricted collections set as a string (instead of an array) are accepted by Kuzzle.

This leads to the response seen here: a string parsed as though it were an array.

A fix will be submitted ASAP to prevent profiles with an invalid format from being accepted by Kuzzle.
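The mechanism described in the comment above, as an added example that is not Kuzzle's own code: a rights expansion that trusts `collections` to be an array silently iterates a string character by character, so `"a66-private"` turns into one right per distinct letter, which is exactly the shape of the response in the report. The second function is the kind of schema check that rejects such a profile before it is stored. The function names (`expandRights`, `validateProfile`, `safeRights`), the role table and both sample profiles are assumptions constructed for this example, not Kuzzle's real data model.

```javascript
// Constructed role table (assumption, not Kuzzle's schema): "paul-role"
// allows every controller/action and denies index:list, matching the two
// kinds of hit that appear in the reported response.
const roles = {
  'paul-role': [
    { controller: '*', action: '*', value: 'allowed' },
    { controller: 'index', action: 'list', value: 'denied' },
  ],
};

// Buggy expansion: it never checks that restriction.collections is an
// array. A Set built from a string iterates the string's distinct
// characters, so "a66-private" yields a, 6, -, p, r, i, v, t, e: nine
// single-character "collections", each paired with every right of the role.
function expandRights(profile) {
  const hits = [];
  for (const policy of profile.policies) {
    for (const restriction of policy.restrictedTo || []) {
      for (const collection of new Set(restriction.collections)) {
        for (const right of roles[policy.roleId]) {
          hits.push({ ...right, index: restriction.index, collection });
        }
      }
    }
  }
  return hits;
}

// Validation that the bug report is missing: every "collections" entry
// must be an array of non-empty strings, and every "index" a non-empty
// string. Returns a list of error messages (empty when the profile is valid).
function validateProfile(profile) {
  const errors = [];
  if (!Array.isArray(profile.policies)) {
    return ['policies must be an array'];
  }
  profile.policies.forEach((policy, i) => {
    if (typeof policy.roleId !== 'string' || policy.roleId === '') {
      errors.push(`policies[${i}].roleId must be a non-empty string`);
    }
    if (policy.restrictedTo === undefined) return;
    if (!Array.isArray(policy.restrictedTo)) {
      errors.push(`policies[${i}].restrictedTo must be an array`);
      return;
    }
    policy.restrictedTo.forEach((r, j) => {
      const where = `policies[${i}].restrictedTo[${j}]`;
      if (typeof r.index !== 'string' || r.index === '') {
        errors.push(`${where}.index must be a non-empty string`);
      }
      if (r.collections === undefined) return;
      const ok = Array.isArray(r.collections)
        && r.collections.every((c) => typeof c === 'string' && c !== '');
      if (!ok) {
        errors.push(`${where}.collections must be an array of non-empty strings`);
      }
    });
  });
  return errors;
}

// Hardened entry point: validate first, expand only a well-formed profile.
function safeRights(profile) {
  const errors = validateProfile(profile);
  if (errors.length > 0) {
    throw new Error(`invalid profile: ${errors.join('; ')}`);
  }
  return expandRights(profile);
}

// Constructed sample profiles: the malformed one mirrors the report
// (collections given as a string), the other is the intended shape.
const malformedProfile = {
  policies: [{ roleId: 'paul-role',
               restrictedTo: [{ index: 'a66', collections: 'a66-private' }] }],
};
const wellFormedProfile = {
  policies: [{ roleId: 'paul-role',
               restrictedTo: [{ index: 'a66', collections: ['a66-private'] }] }],
};

// Without validation the malformed profile expands to 18 hits (9 distinct
// characters x 2 rights); with validation it is rejected outright.
console.log('buggy expansion:', expandRights(malformedProfile).length, 'hits');
console.log('validation errors:', validateProfile(malformedProfile));
console.log('well-formed profile:', safeRights(wellFormedProfile));
```

The point of `validateProfile` is that the check runs at write time, when the profile is created or updated, rather than at rights-evaluation time; a malformed restriction that is never stored cannot later be misread as a list of one-letter collections.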