data-api-builder
data-api-builder copied to clipboard
Azure
[Bug]: Update permission with a database policy on a field lets users change the field value
What happened?
Let's consider a database table called Books with a column sellerId. As an API owner, I would like my end-users to able to see or modify only specific rows and be able modify only specific fields not including sellerId. The below DAB config enforces that end-users can only see and modify rows where sellerId=1.
However, the observation is that they are able to modify sellerId value to any other value as long as the original value was 1 during updateBooks.
DAB config
"Books": {
"source": {
"object": "dbo.books_mm",
"type": "table",
"key-fields": [
"id"
]
},
"permissions": [
{
"role": "anonymous",
"actions": [
{
"action": "read"
},
{
"action": "update",
"fields": {
"include": [
"title",
"publisher_id",
"sellerId"
]
},
"policy": {
"database": "@item.sellerId eq 1"
}
},
{
"action": "create",
"fields": {
"include": [
"title",
"publisher_id",
"sellerId"
]
},
"policy": {
"database": "@item.sellerId eq 1"
}
},
{
"action": "delete",
"fields": {
"include": [
"title",
"sellerId"
]
},
"policy": {
"database": "@item.sellerId eq 1"
}
}
]
}
]
}
Removing sellerId from Update.Fields.Include does not help since DAB does not accept having a RLS condition with a field if that field is not included for update.
Unable to complete runtime initialization. Refer to exception for error details.
Azure.DataApiBuilder.Service.Exceptions.DataApiBuilderException: Not all the columns required by policy are accessible.
Version
1.4
What database are you using?
Azure SQL
What hosting model are you using?
Local (including CLI)
Which API approach are you accessing DAB through?
GraphQL
Relevant log output
Code of Conduct
- [x] I agree to follow this project's Code of Conduct
