
Undocumented access control bypass mechanisms

Open RossWilliams opened this issue 8 years ago • 0 comments

if (ctx.options.skipAccess) {
  debug('skipAccess: true - skipping access filters');
  return next();
}
// Do not filter if the request is being made against a single model instance.
if (_get(ctx.query, 'where.id')) {
  debug('looking up by Id - skipping access filters');
  return next();
}

These two access bypass mechanisms are undocumented and could expose data to unauthorised users.

  1. Document these bypass mechanisms
  2. Allow users to disable these through configuration options.

RossWilliams, Mar 18 '16 18:03
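As an added example (not code from loopback-component-access-groups or from the issue author), this is one way the two quoted checks could be gated behind the configuration options the issue asks for, logging whenever a bypass is requested or taken. The option names, the logger argument and the sample contexts are assumptions.

```javascript
// Added example, not code from loopback-component-access-groups: the two
// bypass checks quoted in the issue, each gated behind a configuration flag
// so operators can disable it, and each logging when it fires. Option names,
// the logger and the sample contexts below are assumptions.

// Minimal stand-in for lodash's _.get used by the original snippet.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Hypothetical defaults: both bypasses off unless explicitly enabled.
const DEFAULT_CONFIG = {
  allowSkipAccessOption: false, // honour ctx.options.skipAccess
  allowSingleIdBypass: false,   // skip filters for where.id lookups
};

// A "single model instance" lookup means a scalar id, not an operator object
// such as { inq: [...] }, which a plain truthiness check would also accept.
function isScalarId(value) {
  return typeof value === 'string' || typeof value === 'number';
}

// Decide whether the access filters should be skipped for this request.
// Returns { skip, reason } so the caller can branch on it and audit it.
function accessFilterDecision(ctx, config = {}, log = () => {}) {
  const cfg = { ...DEFAULT_CONFIG, ...config };
  if (getPath(ctx, 'options.skipAccess') === true) {
    if (cfg.allowSkipAccessOption) {
      log('skipAccess option used; access filters bypassed');
      return { skip: true, reason: 'skipAccess' };
    }
    log('skipAccess option requested but disabled by configuration');
  }
  const id = getPath(ctx, 'query.where.id');
  if (id !== undefined) {
    if (cfg.allowSingleIdBypass && isScalarId(id)) {
      log(`single-id lookup (${id}); access filters bypassed`);
      return { skip: true, reason: 'single-id' };
    }
    log('where.id present but access filters still applied');
  }
  return { skip: false, reason: null };
}
// Constructed sample contexts illustrating the decision table.
const samples = {
  skipFlag: { options: { skipAccess: true }, query: {} },
  singleId: { options: {}, query: { where: { id: 42 } } },
  inqId: { options: {}, query: { where: { id: { inq: [1, 2, 3] } } } },
};
```

With both flags left at their defaults every request is filtered, which is the safe posture until the bypasses are documented and consciously enabled.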