strapi-community / strapi-plugin-slugify

A plugin for Strapi Headless CMS that provides the ability to auto slugify a field for any content type.
https://market.strapi.io/plugins/strapi-plugin-slugify
MIT License

Fix permission issue #29

Closed remidej closed 2 years ago

remidej commented 2 years ago

Currently the plugin bypasses the permission checks of the users-permissions plugin.

To reproduce the fix, disable a content type's permissions for the public role. It won't be available through Strapi's /api/:contentType route anymore. But you can still access it on the /api/slugify/slugs/:modelName/:slug route, which is a security issue.

To fix it, I added auth information when sanitizing the response. It's what we do on our content API.
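As an added example (not code from the plugin, this PR or Strapi itself) of the gap the report describes: a secondary read route should refuse the request unless the caller's role holds the same users-permissions `find` action that already gates `/api/:contentType`. The role table, the in-memory store and the `canFind`/`findBySlug` functions are constructed for this illustration; only the `api::<model>.<model>.find` action naming is Strapi's.

```javascript
// Constructed role -> allowed actions, using Strapi v4's action naming
// ("api::article.article.find" is what gates GET /api/articles).
const rolePermissions = {
  public: new Set(['api::page.page.find', 'api::page.page.findOne']),
  authenticated: new Set([
    'api::page.page.find',
    'api::page.page.findOne',
    'api::article.article.find',
    'api::article.article.findOne',
  ]),
};

// Constructed content store keyed by model uid (stands in for the database).
const store = {
  'api::article.article': [{ id: 1, slug: 'hello-world', title: 'Hello' }],
  'api::page.page': [{ id: 7, slug: 'about', title: 'About' }],
};

// May this caller read entries of the model? Mirrors the "find" action the
// content API checks for /api/:contentType. Missing auth means the public role.
function canFind(auth, uid) {
  const role = auth && auth.credentials ? auth.credentials.role : 'public';
  const allowed = rolePermissions[role] || new Set();
  return allowed.has(`${uid}.find`);
}

// Slug lookup handler. The permission check runs before any query; without it,
// disabling the public "find" permission on a content type would still leave
// its records readable through the slug route, which is the reported issue.
function findBySlug(ctx) {
  const { uid, slug } = ctx.params;
  if (!canFind(ctx.state.auth, uid)) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  const entry = (store[uid] || []).find((e) => e.slug === slug);
  if (!entry) {
    return { status: 404, body: { error: 'Not Found' } };
  }
  return { status: 200, body: { data: entry } };
}
```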

ComfortablyCoding commented 2 years ago

Thank you very much for the PR, unfortunately when I test it I still run into the following issues:

ComfortablyCoding commented 2 years ago

This has been resolved by #32 and #33