any-sync-filenode

Skip write permission checks for read-only RPC calls

Open grishy opened this issue 8 months ago • 1 comments

Have you read a contributing guide?

  • [x] I have read CONTRIBUTING.md
  • [x] I have searched the existing issues and didn't find any that were similar
  • [x] I have considered creating a pull request with fixes instead of a bug report and want to proceed

Current Behavior

Thank you for the project ❤️ I'm developing a lightweight server for Anytype, reimplementing RPC for self-hosting.

I've observed that user verification currently requires confirming that a user has access not only to the Space but also to individual records. This seems redundant for read-only RPC operations.

Example

For the RPC method SpaceInfo, which returns the status of a Space:

https://github.com/anyproto/any-sync-filenode/blob/2b1efe48d690a23ffff386850d9c5ce943c60ef0/filenode/rpchandler.go#L217-L231

There's a call to StoreKey that always checks permissions.CanWrite():

https://github.com/anyproto/any-sync-filenode/blob/2b1efe48d690a23ffff386850d9c5ce943c60ef0/filenode/filenode.go#L191-L200

Expected Behavior

Consider verifying only that an account has access to the space without checking permissions.CanWrite() in all RPC calls. It would be beneficial to differentiate between CanRead and CanWrite permissions for all RPC operations.

Steps To Reproduce

N/A

Environment

N/A

Anything else?

No response

grishy, Feb 23 '25 06:02
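The read/write split the issue asks for, sketched as an added Go example; it is not code from any-sync-filenode or from the issue author. The `Permissions` type, the `Authorize` helper and the method name `ExampleUpload` are hypothetical; only `SpaceInfo`, `CanRead` and `CanWrite` are names taken from the issue. Methods not explicitly listed as read-only fall back to requiring write access, so a newly added RPC is never opened to readers by omission.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions is a hypothetical stand-in for the ACL permission value the
// issue refers to; it is not the any-sync type.
type Permissions int

const (
	PermNone Permissions = iota
	PermReader
	PermWriter
)

func (p Permissions) CanRead() bool  { return p >= PermReader }
func (p Permissions) CanWrite() bool { return p >= PermWriter }

type access int

const (
	needWrite access = iota // zero value: unlisted methods fail closed
	needRead
)

// required lists only the RPCs treated as read-only (assumed allowlist).
var required = map[string]access{"SpaceInfo": needRead}

var ErrForbidden = errors.New("forbidden")

// Authorize checks the access level a method needs, not write access for all.
func Authorize(method string, p Permissions) error {
	ok := p.CanWrite()
	if required[method] == needRead {
		ok = p.CanRead()
	}
	if !ok {
		return fmt.Errorf("%s: %w", method, ErrForbidden)
	}
	return nil
}

func main() {
	// Constructed sample calls made with a read-only account.
	for _, m := range []string{"SpaceInfo", "ExampleUpload", "NotListed"} {
		fmt.Println(m, "->", Authorize(m, PermReader))
	}
}
```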