
RBAC permissions reset on required fields when restarting Strapi #16890

Open
erinnovations opened this issue Jun 1, 2023 · 7 comments · May be fixed by #17916
Assignees
Labels
flag: EE Issues correlates to internal EE ticket issue: bug Issue reporting a bug severity: high If it breaks the basic use of the product source: core:admin Source is core/admin package status: confirmed Confirmed by a Strapi Team member or multiple community members

Comments

@erinnovations

erinnovations commented Jun 1, 2023

Bug report

Required System information

  • Node.js version: 18.16.0
  • NPM version: 9.6.7
  • Strapi version: 4.10.5, 4.10.6, 4.10.7
  • Database: Postgres
  • Operating system: Windows
  • Is your project Javascript or Typescript: Typescript

Describe the bug

RBAC permissions reset on required fields when restarting Strapi

Steps to reproduce the behavior

  1. Create a required field
  2. Remove all the RBAC permissions (Create, Read, Update) for that field in a Role
  3. Save it
  4. It will work fine
  5. Restart Strapi; now every RBAC permission is reset for Create, Read, and Update, and the users in the Role can access the field again.

Expected behavior

Even if it is a required field, RBAC permissions shouldn't reset to their default (allow) on that field. This is unexpected and causes security issues, because you believe the Role can't access or change that field.
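As an added example (not the reporter's code or Strapi's own), the following Python check diffs two snapshots of a role's field-level permissions, taken before and after a restart, and lists every field that was re-granted; the entry shape (`action`, `subject`, `properties.fields`) follows Strapi v4's admin API as assumed here, and both snapshots are constructed samples.

```python
"""Field-level RBAC drift check for a Strapi role (added example).

Each snapshot is a list of admin permission entries in the shape Strapi v4's
admin API returns for a role: {"action", "subject", "properties": {"fields"}}
(assumed shape; the action/subject identifiers below are constructed samples).
"""
from typing import Iterable

# Constructed sample: before the restart the role has no access at all to the
# required field "email" on the "article" content type.
BEFORE = [
    {"action": "plugin::content-manager.explorer.create",
     "subject": "api::article.article", "properties": {"fields": ["title"]}},
    {"action": "plugin::content-manager.explorer.read",
     "subject": "api::article.article", "properties": {"fields": ["title"]}},
    {"action": "plugin::content-manager.explorer.update",
     "subject": "api::article.article", "properties": {"fields": ["title"]}},
]

# Constructed sample: after the restart "email" has silently been re-granted.
AFTER = [
    {"action": "plugin::content-manager.explorer.create",
     "subject": "api::article.article", "properties": {"fields": ["title", "email"]}},
    {"action": "plugin::content-manager.explorer.read",
     "subject": "api::article.article", "properties": {"fields": ["title", "email"]}},
    {"action": "plugin::content-manager.explorer.update",
     "subject": "api::article.article", "properties": {"fields": ["title", "email"]}},
]


def granted_fields(perms: Iterable[dict]) -> set[tuple[str, str, str]]:
    """Flatten permission entries into explicit (action, subject, field) grants.

    An entry without a fields list contributes no field grant here (assumption;
    handle such entries separately if your setup relies on them).
    """
    grants: set[tuple[str, str, str]] = set()
    for p in perms:
        for field in (p.get("properties") or {}).get("fields") or []:
            grants.add((p["action"], p["subject"], field))
    return grants


def regranted(before: Iterable[dict], after: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Grants present after the restart that were absent before it."""
    return sorted(granted_fields(after) - granted_fields(before))


if __name__ == "__main__":
    for action, subject, field in regranted(BEFORE, AFTER):
        print(f"DRIFT: {subject}.{field} re-granted for {action}")
```

Run it against snapshots pulled from the admin API before and after each restart; any non-empty result is the regression described above and should block the deployment until the role is re-checked.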

@derrickmehaffy derrickmehaffy added issue: bug Issue reporting a bug severity: medium If it breaks the basic use of the product but can be worked around source: core:admin Source is core/admin package status: pending reproduction Waiting for free time to reproduce the issue, or more information labels Jun 5, 2023
@jhoward1994 jhoward1994 added status: confirmed Confirmed by a Strapi Team member or multiple community members and removed status: pending reproduction Waiting for free time to reproduce the issue, or more information labels Jul 12, 2023
@huy-lv

huy-lv commented Nov 6, 2023

Hey, what is the current status of this issue?

@vimanvh

vimanvh commented Feb 7, 2024

Would it please be possible to fix this major security issue? It is not possible to implement even basic scenarios with RBAC.

@pcriadoperez

I'm seeing the same issue for custom controllers. Is there any fix on the way?

@DenuxPlays

DenuxPlays commented Apr 11, 2024

More information:
It doesn't reset if you leave at least one of the permissions (Create, Read, Update).
And then it only restores the one previously set permission (I could reliably test it by only setting and removing the Read permission).

@pcriadoperez

Hi, has there been any updates on this? It seems like a major issue for permissions to be changing on their own. And we are getting complaints from users every time it resets.

@edporras

If it's possible, it'd be great to get some feedback as to why this has been on hold for so long. We're closing in on a year since the problem was first reported.

@derrickmehaffy derrickmehaffy added severity: high If it breaks the basic use of the product flag: EE Issues correlates to internal EE ticket and removed severity: medium If it breaks the basic use of the product but can be worked around labels Apr 18, 2024
@derrickmehaffy (Member)

Related to TID6550, escalated to high
