keystone
Access control in a field does not affect filtering by it
I have a list which has no defined access control, but one of its fields has a deny-all access policy like the following. I am able to query ListKey filtered by fieldName, so I can't really see that value, but I could brute-force and guess it. Is this expected, or can this be a security hole?
ListKey: list({
  fields: {
    fieldName: text({
      access: {
        read: ({ session, context, listKey, fieldKey, operation, item }) => false,
        create: ({ session, context, listKey, fieldKey, operation, inputData }) => false,
        update: ({ session, context, listKey, fieldKey, operation, inputData, item }) => false,
      },
    }),
  },
}),
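
The behaviour reported above can be reproduced in a simplified in-memory model, added here as an illustration; it is not code from the original post and not Keystone's resolver. The functions `findManyOutputOnly`, `findManyFilterChecked` and `filterLeaks` and the sample rows are hypothetical. The model contrasts read access enforced only on output with a variant that treats a filter on a field as a read of that field, and includes a regression check that flags the first kind.

```javascript
// Simplified model (constructed for illustration; not Keystone internals).
// The schema mirrors the issue: list `ListKey`, field `fieldName`, read denied.
const schema = {
  ListKey: {
    fields: {
      id: { access: { read: () => true } },
      fieldName: { access: { read: () => false } },
    },
  },
};

// Constructed sample rows.
const db = { ListKey: [{ id: '1', fieldName: 'alpha' }, { id: '2', fieldName: 'beta' }] };

const canRead = (listKey, fieldKey, session) =>
  Boolean(schema[listKey].fields[fieldKey].access.read({ session, listKey, fieldKey }));

// Output-side enforcement: unreadable fields come back as null.
const project = (listKey, item, session) =>
  Object.fromEntries(
    Object.keys(schema[listKey].fields).map((f) => [f, canRead(listKey, f, session) ? item[f] : null])
  );

const matches = (item, where) => Object.entries(where).every(([f, v]) => item[f] === v);

// Behaviour reported in the issue: the value is hidden in the result, but
// whether a row is returned still reveals if it equals the filter value.
function findManyOutputOnly(listKey, where, session) {
  return db[listKey].filter((i) => matches(i, where)).map((i) => project(listKey, i, session));
}

// Hardened variant: filtering on a field requires read access to that field.
function findManyFilterChecked(listKey, where, session) {
  for (const f of Object.keys(where)) {
    if (!(f in schema[listKey].fields) || !canRead(listKey, f, session)) {
      throw new Error(`Filtering on ${listKey}.${f} is not permitted`);
    }
  }
  return findManyOutputOnly(listKey, where, session);
}

// Regression check: true if an unreadable field still influences result counts.
function filterLeaks(findMany, listKey, fieldKey, knownValue, session) {
  try {
    const hit = findMany(listKey, { [fieldKey]: knownValue }, session).length;
    const miss = findMany(listKey, { [fieldKey]: `${knownValue}-absent` }, session).length;
    return hit !== miss;
  } catch {
    return false; // the filter was rejected, so nothing is observable
  }
}
```

A check like `filterLeaks` can run in a schema test suite with a seeded row, so that any field whose read access is denied but which still affects filtered results fails the build.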