I'm looking for a way to secure a related model. But I think I found a loophole.
GET /pushIDs // ACL is deny for all, but everyone can create new records
GET /users/{id}/pushIDs // ACL is $owner can CRUD
In Explorer, it looks fine. I cannot access others' pushIDs from the above APIs, even if I know the id of the pushIDs records. However, I can get the pushIDs with this:
GET /users/{id}?filter={"include": "pushIDs"}
Is that a leak?
discussed here: https://github.com/strongloop/loopback/issues/960#issuecomment-322131095
Answered in another topic.
This is not a bug, but a configuration issue.
As per the documentation in Accessing related models, this is by design and you should take additional measures to secure your models and relations.
Specifically:
_When accessing a related model, the active ACL is still the one for the model you are calling. So even if your model has DENY ALL permissions set, if the model relating to it has no ACL, then all the relation endpoints will be open. This can be a security risk because, for example, GET /OpenModel/{id}/ACLSecuredModel will allow full access to ACLSecuredModel through the OpenModel relations._
@proreact-mj Thank you for your help with triage!
@johncpang If you still have concerns or disagree, feel free to reply to this issue with details.
I've extended the User model to create a Client model and set up a relation to a "MyModel". I've asked a question on Stack Overflow. The issue I'm facing is, unauthorized users can access /Client/:id/myModels while the route /Client/:id/myModels/Count is inaccessible. I want the route /Client/:id/myModels to be inaccessible to unauthorized users as well.