Security issue on join
Hi @perak, I have used join many times and found this accidentally. I explain the issue based on the invoices example that is available online, so it is easier to refer to and see the problem.
- Go to this page please.
- If I set join for a field, kitchen generates code with a `publishJoinedCursors` function, but the issue occurs on the client when I run these two commands on the above page (for example in the Firebug console):

```javascript
JSON.stringify(Invoices.find().fetch());
JSON.stringify(Customers.find().fetch());
```

Console output:

```
JSON.stringify(Invoices.find().fetch());
"[{"_id":"5RnWyzwrF8cyrCCaY","invoiceNumber":"1","date":"2015-09-30T20:30:00.000Z","customerId":"LPMcKGjNY6ChnJwWk","createdAt":"2015-10-01T16:03:28.252Z","createdBy":"GQfJEuBw75WM4poRc","ownerId":"GQfJEuBw75WM4poRc","totalAmount":0}]"
JSON.stringify(Customers.find().fetch());
"[{"_id":"LPMcKGjNY6ChnJwWk","name":"Chuck Norris","email":"[email protected]","ownerId":"GQfJEuBw75WM4poRc","createdAt":"2015-10-01T16:02:53.532Z","createdBy":null,"totalAmount":0}
```
- This is the field definition in the json file:

```json
"name": "invoices",
"fields": [
  ...
  {
    "name": "customerId",
    "title": "Customer",
    "required": true,
    "input": "select",
    "lookup_query_name": "customer_list",
    "lookup_field": "name",
    "lookup_key": "_id",
    "show_in_dataview": false,
    "show_in_read_only_form": false,
    "exportable": false,
    "join_collection": "customers",
    "join_fields": ["name"],
    "join_container": "customer"
  },...
```
As you see, I set `"join_fields": ["name"]` in the join, but on the client all Customer fields are available, for example `"email":"[email protected]"`, and if email is secret data this is a security issue.
How can I define the join in a way that this issue does not happen and only the fields specified in the `"join_fields"` section are passed to the client?
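One server-side mitigation for the problem described above, as an added example that is not Meteor Kitchen's generated code: build a Mongo `fields` projection from `join_fields` and apply it to the joined cursor, so anything not whitelisted (such as `email`) never leaves the server. The plain arrays, the `publishJoined` helper and the sample documents are assumptions standing in for Meteor collections; the field definition shape follows the issue's JSON.

```javascript
// Added example, not part of the original issue or of Meteor Kitchen.
// Emulates a joined publication that only ships the fields listed in "join_fields".

// Build the Mongo "fields" projection from a join field definition.
// Mongo always returns _id unless it is explicitly excluded, which is what a join key needs.
function joinProjection(joinFields) {
  const fields = {};
  for (const f of joinFields) fields[f] = 1;
  return { fields };
}

// Apply a whitelist projection to one document (what Mongo does server-side
// when the projection is passed to find()).
function project(doc, projection) {
  const out = { _id: doc._id };
  for (const key of Object.keys(projection.fields)) {
    if (key in doc) out[key] = doc[key];
  }
  return out;
}

// Assumed helper: the joined publication. `invoices` and `customers` are plain arrays
// standing in for Invoices.find().fetch() and the Customers collection.
function publishJoined(invoices, customers, fieldDef) {
  const ids = new Set(invoices.map(inv => inv[fieldDef.name]));
  const projection = joinProjection(fieldDef.join_fields);
  const joined = customers
    .filter(c => ids.has(c._id))
    .map(c => project(c, projection));
  return { invoices, [fieldDef.join_collection]: joined };
}

// Constructed sample data mirroring the console output in the issue (ids are made up).
const SAMPLE_INVOICES = [{ _id: 'inv1', invoiceNumber: '1', customerId: 'cust1' }];
const SAMPLE_CUSTOMERS = [
  { _id: 'cust1', name: 'Chuck Norris', email: 'secret@example.invalid', ownerId: 'owner1' },
  { _id: 'cust2', name: 'Someone Else', email: 'other@example.invalid', ownerId: 'owner1' },
];
const FIELD_DEF = { name: 'customerId', join_collection: 'customers', join_fields: ['name'] };

// In a real Meteor publication the same projection is handed to the cursor, e.g.
//   Customers.find({ _id: { $in: ids } }, joinProjection(fieldDef.join_fields))
// inside Meteor.publish, so the client-side Customers.find().fetch() never sees "email".
```

Checking the output of `publishJoined(SAMPLE_INVOICES, SAMPLE_CUSTOMERS, FIELD_DEF)` on the client side is the same test as the `JSON.stringify` calls in the issue: only `_id` and `name` should appear.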
Are you sure you didn't subscribe to customers from another place?
Yes, I am sure @perak.
You can check the invoices example yourself to see the issue.
I took this screenshot for you:

Do you see the issue @perak? Is this a bug or did I miss something?
@cyclops24 I didn't have enough time to check this issue yet, I'll do it soon...
Hi @perak, I think it's an important bug in the join package. Do you have any idea how to fix this?