From fa687d478b4cb344056d464fad47bf6cee695297 Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Thu, 30 Mar 2023 15:06:13 +0200
Subject: [PATCH] DOC: update CHANGELOG

---
 CHANGELOG.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8b974ae..0ff65f2b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,8 +32,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed ###
 
+* Denying a role permission has no effect
+  [#196](https://gitlab.com/caosdb/caosdb-server/-/issues/196). See security
+  notes below.
+
 ### Security ###
 
+* Fixed [#196](https://gitlab.com/caosdb/caosdb-server/-/issues/196). This was
+  an error in the authorization procedure which allowed unprivileged users
+  execute insert, update or delete transactions on entities. However, the
+  unprivileged users would also need the correct entity permissions to do that.
+
+  Without backup, this means possible data loss. Also there is the possibility
+  to spam the database by creating unwanted entities.
+
 ### Documentation ###
 
 - Nested queries.
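Review bot: The new entry under `### Security ###` does not say which releases are affected or what an operator should do, so a reader cannot tell from the changelog whether their deployment needs an upgrade or an audit of past insert, update or delete transactions. Consider adding the affected version range and the recommended action. The entry should also state explicitly which check was ineffective (the denied role permission named in the `### Fixed ###` entry) and which check still applied (entity permissions), because the current wording "unprivileged users would also need the correct entity permissions" leaves the actual exposure ambiguous. Minor points: "allowed unprivileged users execute" is missing "to"; the `### Fixed ###` line "Denying a role permission has no effect" reads as the current behaviour rather than the bug that was fixed; and the added bullets use `*` while the `### Documentation ###` context line uses `-`.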
-- 
GitLab