Entities can be retrieved via GRPC despite insufficient permissions
## Summary

An entity that should not be retrievable can be retrieved in full, even without logging in, using the WebGRPC client together with caosdb-webui-entity-service.

## Expected Behavior

The server should return an error (and only this error); the entity and its properties must remain hidden.

## Actual Behavior
While REST behaves correctly:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="http://localhost:8082/webinterface/1646922588/webcaosdb.xsl" ?>
<Response srid="3b8eab35-6af5-4fa9-82a0-d58676510534" timestamp="1646934839948" baseuri="http://localhost:8082" count="1">
  <noscript>
    <h1>Please enable JavaScript!</h1>
  </noscript>
  <UserInfo>
    <Roles>
      <Role>anonymous</Role>
    </Roles>
  </UserInfo>
  <Record id="102">
    <Error code="403" description="You are not allowed to do this." />
    <Info code="0" description="anonymous doesn't have permission retrieve:entity" />
  </Record>
</Response>
```
gRPC does not (output of `response.toObject()`):

```json
{
  "responsesList": [
    {
      "retrieveResponse": {
        "entityResponse": {
          "entity": {
            "id": "102",
            "name": "Test Article",
            "description": "important",
            "role": 2,
            "unit": "",
            "propertiesList": [
              {
                "id": "100",
                "name": "ArticleContents",
                "description": "Markdown text of the article",
                "value": {
                  "scalarValue": {
                    "integerValue": 0,
                    "doubleValue": 0,
                    "booleanValue": false,
                    "stringValue": "Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod\ntempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At\nvero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren,\nno sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit\namet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut\nlabore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam\net justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata\nsanctus est Lorem ipsum dolor sit amet.\n\n## Lorem Ipsum\n\nFusce in faucibus orci. Aenean nec elementum lorem, id ornare odio. Sed\nvenenatis urna nec dui malesuada volutpat. Curabitur enim nisi, feugiat at\ntincidunt a, sollicitudin quis velit. Praesent quis nisi sit amet erat hendrerit\nlacinia. Phasellus lorem sapien, vulputate sed nisi id, egestas vehicula\nlectus. Morbi rutrum sed sapien feugiat efficitur. Maecenas euismod nibh velit,\nquis semper eros maximus ut.\n\nNam vel cursus purus, eu vehicula lectus. Maecenas eleifend lacus feugiat velit\nporta tempor. Morbi maximus sapien velit. Maecenas sed ante ac turpis iaculis\nlaoreet. Proin et vehicula orci. Nullam varius ex eget pharetra gravida. Aenean\neget luctus odio, in luctus ex. Nam lectus nibh, suscipit nec mi eu, auctor\nconvallis tortor. Cras fermentum mattis ipsum. Curabitur non cursus metus.\n\nPellentesque habitant morbi tristique senectus et netus et malesuada fames ac\nturpis egestas. Sed varius ligula vel ultricies dictum. Vivamus at tortor in mi\ntincidunt lobortis nec vitae lectus. Donec hendrerit risus magna, non tincidunt\nleo finibus quis. Donec ac metus ac tortor auctor consequat. Maecenas eu urna id\nenim faucibus feugiat sit amet vel enim. Suspendisse sodales odio vulputate,\npellentesque ligula in, auctor tellus. Etiam bibendum ex ac leo pretium\ntempor. Nulla sit amet sodales neque. Nunc ac vulputate velit.",
                    "specialValue": 0
                  }
                },
                "importance": 4,
                "unit": "",
                "dataType": {
                  "atomicDataType": 1
                },
                "errorsList": [],
                "warningsList": [],
                "infosList": []
              }
            ],
            "parentsList": [
              {
                "id": "101",
                "name": "Article",
                "description": "Base RecordType of Wiki Articles",
                "errorsList": [],
                "warningsList": [],
                "infosList": []
              }
            ]
          },
          "errorsList": [
            {
              "code": 35,
              "description": "You are not allowed to do this."
            }
          ],
          "warningsList": [],
          "infosList": [
            {
              "code": 1,
              "description": "anonymous doesn't have permission retrieve:entity"
            }
          ]
        },
        "countResult": 0
      }
    }
  ],
  "transactionErrorsList": [],
  "transactionWarningsList": [],
  "transactionInfosList": []
}
```
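A regression check for the behaviour described above, added here as an example and not code from the issue or from CaosDB: it walks the `response.toObject()` structure quoted above (a constructed, shortened copy of it is embedded), reports denied entities that still carry content, and shows the redaction that would make the gRPC response match the REST one. The response shape is assumed from the issue's output, and the function names are the example's own.

```javascript
// Constructed sample shaped like the response.toObject() output quoted in the issue.
const sample = {
  responsesList: [{ retrieveResponse: {
    entityResponse: {
      entity: { id: "102", name: "Test Article", description: "important", role: 2, unit: "",
                propertiesList: [{ id: "100", name: "ArticleContents" }],
                parentsList: [{ id: "101", name: "Article" }] },
      errorsList: [{ code: 35, description: "You are not allowed to do this." }],
      warningsList: [],
      infosList: [{ code: 1, description: "anonymous doesn't have permission retrieve:entity" }]
    },
    countResult: 0 } }],
  transactionErrorsList: [], transactionWarningsList: [], transactionInfosList: []
};

// Fields of a denied entity that disclose content. The id is kept so the
// client can still match the error to its request.
const SENSITIVE_FIELDS = ["name", "description", "role", "unit", "propertiesList", "parentsList"];

function isExposed(v) {
  if (Array.isArray(v)) return v.length > 0;
  return v !== undefined && v !== null && v !== "" && v !== 0;
}

// Returns {id, exposed} for every entityResponse that carries an error entry
// yet still contains entity content. An empty result matches the REST behaviour.
function findLeakedEntities(responseObj) {
  const leaked = [];
  for (const r of responseObj.responsesList || []) {
    const er = r.retrieveResponse && r.retrieveResponse.entityResponse;
    if (!er || !(er.errorsList && er.errorsList.length)) continue;
    const entity = er.entity || {};
    const exposed = SENSITIVE_FIELDS.filter((f) => isExposed(entity[f]));
    if (exposed.length) leaked.push({ id: entity.id, exposed });
  }
  return leaked;
}

// Returns a deep copy in which each denied entity is reduced to its id, which is
// what the REST response in the issue returns (<Record id="102"> plus the error).
function redactDeniedEntities(responseObj) {
  const copy = JSON.parse(JSON.stringify(responseObj));
  for (const r of copy.responsesList || []) {
    const er = r.retrieveResponse && r.retrieveResponse.entityResponse;
    if (er && er.errorsList && er.errorsList.length && er.entity) {
      er.entity = { id: er.entity.id };
    }
  }
  return copy;
}
```

The check belongs in a server-side test of the gRPC layer rather than as a client-side filter, because filtering in the browser does not stop the entity data from leaving the server.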
## Steps to Reproduce the Problem

E.g. use the CaosDB-Wiki setup with `auth_optional: TRUE` and access the same entity via the classical WebUI and via the Wiki without logging in. With `auth_optional: FALSE` this bug does not occur.
## Specifications

- Version: caosdb-server in current `dev` branch (commit 4d909fef)