Open GBrunelli opened 5 months ago
@GBrunelli I cannot see anything particular wrong with your query. However when I tried it out myself on a small database containing one (:Embeddable {embedding:[...]}) node I get null back for both columns as expected.
Can you share which other privileges the api_reader role has? And do the Embeddable nodes have additional properties on them?
Best regards Louise, Neo4j
@GBrunelli Another question, do you happen to have this set in your config file: dbms.security.procedures.unrestricted=apoc.*
I'm not sure if I found a major security flaw, or if I did not setup something correctly, but here's the thing: I added a custom role called 'api_reader', and denied this action for this particular role:
DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO api_reader
And when I try to read this property as someone with this role, I cannot, as expected.
But when I use apoc.convert.toJson in a node Embeddable, I'm able to read this property, here's an example:
Neo4j version: 5.17.0 enterprise