pimcore / data-hub

Data delivery & consumption platform for Pimcore.

Permission Denied on Asset in non configured Folder #200

Closed dpfaffenbauer closed 4 years ago

dpfaffenbauer commented 4 years ago

This is more a discussion than a bug-report. When you configure Data-Hub to only allow assets from folder "/products" and you create a query for an object that has an image outside that folder, DataHub triggers an internal server error/permission denied error.

Whereas IMO: It should just not serve the image. WDYT?

weisswurstkanone commented 4 years ago

I agree.

@dpfaffenbauer see https://github.com/pimcore/data-hub/blob/master/doc/graphl/Security.md regarding error handling.

Default setting is that such things get silently dropped. If this isn't the case then it sounds like a bug.

dpfaffenbauer commented 4 years ago

then it is a bug ;)

weisswurstkanone commented 4 years ago

@dpfaffenbauer, can you describe your data model in more detail? Is it a manytoonerelation, an image, hotspotimage, etc. we are talking about?

dpfaffenbauer commented 4 years ago

that is the query:

{
    getProductListing(first: 1, filter: "{\"o_modificationDate\": {\"$gte\" : \"1586800000\"}}") {
        edges {
            node {
                abiscoId
                images {
                    ... on hotspotimage {
                        image {
                            fullpath
                        }
                    }
                }
            }
        }
    }
}

As you can see, it is a gallery with hotspot images.

DataHub Config is pretty simple:

Allowed Assets but only allowed folder "/products". When you then upload an image to, let's say, "/default_upload_bucket", it fails.

weisswurstkanone commented 4 years ago

also related: https://github.com/pimcore/data-hub/issues/194

dpfaffenbauer commented 4 years ago

awesome, thanks