Security consideration: automatically set overrideAccess to false when a user is passed to local api #15497
tylkomat
started this conversation in
Feature Requests & Ideas
Security consideration: automatically set overrideAccess to false when a user is passed to local api
#15497
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
According to the documentation setting a user allows setting
overrideAccessto false. I don't see a use case where a user would be set, butoverrideAccessis kept to true. In my case I forgot to set it to false and my access control was bypassed, as expected, but not as intended. In my multi tenant application data was basically visible to all tenants because of that.I would even argue to make
overrideAccess: false by default. It is easier to spot when something does not work, compared to if "too much" is working. This would be a breaking change, which could be mitigated by an update script which updates all usages.From a security point of view it is better to start with most security and leave it to the user to actively reduce security, compared to leave it to the user to harden security.
Beta Was this translation helpful? Give feedback.
All reactions