Skip to content

D1 changelog read permission fix #19742

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 5, 2025
Merged

D1 changelog read permission fix #19742

merged 4 commits into from
Feb 5, 2025

Conversation

@vy-ton
Copy link
Contributor

@vy-ton vy-ton commented Feb 4, 2025
edited
Loading

No description provided.

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Feb 4, 2025
edited
Loading

Deploying cloudflare-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: a964dd9
Status: ✅  Deploy successful!
Preview URL: https://0c90cb88.cloudflare-docs-7ou.pages.dev
Branch Preview URL: https://d1-permissions.cloudflare-docs-7ou.pages.dev

View logs

vy-ton
vy-ton commented Feb 4, 2025
View reviewed changes
src/content/changelogs/d1.yaml Outdated
- publish_date: "2025-02-04"
title: Fixed bug with D1 read-only access via UI and /query REST API.
description: |-
A bug with D1 permissions, which allowed users with read-only roles via the UI and users with read-only API tokens via the `/query` [REST API](/api/resources/d1/subresources/database/methods/query/) to execute queries that modified databases, is fixed. UI actions via the `Tables` tab, such as creating and deleting tables, were incorrectly allowed with read-only access. However, UI actions via the `Console` tab were not affected by this bug and correctly required write access.
Copy link
Contributor Author

@vy-ton vy-ton Feb 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rozenmd Does wrangler use the CF role? If yes, would wrangler have been impacted by this bug

Copy link
Contributor

@joshthoward joshthoward Feb 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrangler would have also been impacted here since they have user scoped tokens.

Copy link
Contributor Author

@vy-ton vy-ton Feb 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wranger user scoped tokens are not the same as API tokens though right?

Copy link
Contributor

@rozenmd rozenmd Feb 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think wrangler explicitly asks for everything in edit mode, so not an issue

@vy-ton vy-ton marked this pull request as ready for review February 4, 2025 21:32
@vy-ton vy-ton requested review from a team, Oxyjun and elithrar as code owners February 4, 2025 21:32
Oxyjun
Oxyjun reviewed Feb 5, 2025
View reviewed changes
@vy-ton vy-ton merged commit 4788587 into production Feb 5, 2025
11 checks passed
@vy-ton vy-ton deleted the d1-permissions branch February 5, 2025 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rozenmd rozenmd rozenmd left review comments

@joshthoward joshthoward joshthoward left review comments

@Oxyjun Oxyjun Oxyjun approved these changes

@elithrar elithrar Awaiting requested review from elithrar

Assignees

@elithrar elithrar

@Oxyjun Oxyjun

Labels

size/xs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@vy-ton @rozenmd @joshthoward @Oxyjun @elithrar