
Respect cockpit permissions

Open lucalanca opened this issue 6 years ago • 2 comments

Current

It seems that the token parameter is always needed when getting data, even if the requested data has public visibility.

Expected

  1. The token is only required when needed. If all the queries have public visibility, then the token is not required.

Feb 27 '19 12:02 lucalanca

Additional data: permissions logic added to the collection (via the CRUD code editor fields under the Permissions tab) is not respected when querying via CockpitQL. This is a security concern, as potentially sensitive data could be exposed on the CockpitQL endpoint.

Sep 18 '19 23:09 gryphonmyers

@aheinze This seems pretty critical for production use

Sep 18 '19 23:09 gryphonmyers