
Bug: Inconsistent returned data when using scopes

Open netcodedev opened this issue 9 months ago • 0 comments

Describe the bug

When using root authentication, statements like CREATE return the data that was modified. This is different when using scoped authentication, even when the SELECT permissions of the table are set to FULL. Are there any reasons for this inconsistency? I acknowledge that there might be a security risk because data could be leaked. But if the permissions allow SELECTing the data, it could also be returned by CREATE or UPDATE. At least the fields that are allowed by the permissions.

Steps to reproduce

  • connect to a SurrealDB instance using root authentication
  • create an entry into any table
  • do the same thing but connect using scope authentication

Expected behaviour

When using scope authentication, the query should return the created / updated record according to the set permissions.

SurrealDB version

1.4.2 for linux on x86_64

Contact Details

[email protected]

Is there an existing issue for this?

  • [X] I have searched the existing issues

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

netcodedev, Apr 30 '24 14:04
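A minimal schema for the reproduction steps in the report above, as an added example (not the reporter's or the project's code). The table, scope and field names are assumptions, and the syntax is SurrealQL as used in the 1.x series.

```surql
-- Constructed reproduction schema; `user`, `account` and `note` are hypothetical names.
-- Run the DEFINE statements as root, inside a namespace and database.

-- Accounts that sign in through the scope; each can read only its own record.
DEFINE TABLE user SCHEMALESS
    PERMISSIONS FOR select WHERE id = $auth.id;

DEFINE SCOPE account SESSION 24h
    SIGNUP ( CREATE user SET email = $email, pass = crypto::argon2::generate($pass) )
    SIGNIN ( SELECT * FROM user WHERE email = $email AND crypto::argon2::compare(pass, $pass) );

-- SELECT is FULL, as in the report, so a scoped session may read every record.
DEFINE TABLE note SCHEMALESS
    PERMISSIONS
        FOR select, create, update FULL
        FOR delete NONE;

-- Run the two statements below in a root session, then again in a session
-- signed in through the `account` scope, and compare the results.
CREATE note SET body = 'hello';   -- what the write statement itself returns
SELECT * FROM note;               -- what the same session is permitted to read
```

Comparing the CREATE result with the SELECT result inside the same scoped session shows whether the write's return value matches what the table's SELECT permission already allows that session to read.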