RBAC permissions reset on required fields when restarting Strapi
Bug report
Required System information
- Node.js version: 18.16.0
- NPM version: 9.6.7
- Strapi version: 4.10.5, 4.10.6, 4.10.7
- Database: Postgres
- Operating system: Windows
- Is your project Javascript or Typescript: Typescript
Describe the bug
RBAC permissions reset on required fields when restarting Strapi
Steps to reproduce the behavior
- Create a required field
- Remove all the RBAC permissions (Create, Read, Update) for that field in a Role
- Save it
- It will work fine
- Restart Strapi and now every RBAC permission is reset for Create, Read, Update, and the Users in the Role can access the field again.
Expected behavior
Even if it's a required field, RBAC permissions shouldn't reset to their default (allow) on that field. This is unexpected and causes security issues, because you believe the Role can't access or change that field.
Hey, what is the current status of this issue?
Would it please be possible to fix this major security issue? It is not possible to implement even basic scenarios with RBAC.
I'm seeing the same issue for custom controllers. Is there any fix on the way?
More information: It doesn't reset if you leave at least one of the permissions (Create, Read, Update). And then it only restores the one previously set permission (I could reliably test it by only setting and removing the read permission).
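The drift described in the report and in the comment above can be checked mechanically rather than by waiting for users to complain. The following Python is an added example, not Strapi's own code: it compares a role's field-level permissions exported before and after a restart and lists every field that has been re-granted, per action, so it also catches the partial case where only some actions regain the field. It assumes the Strapi v4 admin permission shape (an `action` such as `plugin::content-manager.explorer.read`, a `subject` content-type uid, and `properties.fields`); the two snapshots and the `article` content type are constructed.

```python
from collections import defaultdict

ACTIONS = ("create", "read", "update")


def perm(action, fields, subject="api::article.article"):
    """Build one admin permission entry in the assumed Strapi v4 shape:
    action string, subject uid, properties.fields list."""
    return {"action": f"plugin::content-manager.explorer.{action}",
            "subject": subject, "properties": {"fields": list(fields)}}


# Constructed snapshot: before the restart the role may only touch `title`
# and `body`; the required field `notes` was removed from create/read/update.
BEFORE = [perm(a, ["title", "body"]) for a in ACTIONS]
# Constructed snapshot: after the restart `notes` is allowed on every action
# again, which is the behaviour reported in this issue.
AFTER = [perm(a, ["title", "body", "notes"]) for a in ACTIONS]


def field_map(perms):
    """Map (action, subject) -> set of fields the role may access."""
    out = defaultdict(set)
    for p in perms:
        fields = (p.get("properties") or {}).get("fields") or []
        out[(p["action"], p["subject"])].update(fields)
    return out


def regranted_fields(before, after):
    """Fields allowed after the restart that were not allowed before, keyed
    by (action, subject). An empty dict means no permission drift."""
    b, a = field_map(before), field_map(after)
    drift = {}
    for key, fields in a.items():
        extra = fields - b.get(key, set())
        if extra:
            drift[key] = sorted(extra)
    return drift


def report(drift):
    """Human-readable lines, one per re-granted (action, subject) pair."""
    return [f"{action} on {subject}: re-granted {', '.join(fields)}"
            for (action, subject), fields in sorted(drift.items())]


if __name__ == "__main__":
    for line in report(regranted_fields(BEFORE, AFTER)):
        print(line)
```

Export the role's permissions once after saving the restricted role and again after each restart, then run the two snapshots through `regranted_fields`; any non-empty result is a field that users in that role can reach again.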
Hi, have there been any updates on this? It seems like a major issue for permissions to be changing on their own. And we are getting complaints from users every time it resets.
If it's possible, it'd be great to get some feedback as to why this has been on hold for so long. We're closing in on a year since the problem was first reported.
Related to TID6550, escalated to high
Hello, any update on this?
This issue has been mentioned on Strapi Community Forum. There might be relevant details there:
https://forum.strapi.io/t/inconsistent-fields-in-beforeupdate/40760/1