State is being leaked even though RETRIEVE:ENTITY permission is not granted.
Summary
The entity state is being leaked even though the RETRIEVE:ENTITY is not granted.
Expected Behavior
When the permission RETRIEVE:ENTITY is missing the entity should be returned with only the id present and
the error stating that the retrieval is not permitted. The state of the entity should not be leaked.
Actual Behavior
The returned entity contains the id, the error message and also the state.
Steps to Reproduce the Problem
- Go to demo.indiscale.com/Entity/123 and view the server's xml response. It goes:
<Response srid="161e0faa-ee88-4c84-ae21-8d9487efb3cb" timestamp="1647336170874" baseuri="https://demo.indiscale.com" count="1"> <noscript> <h1>Please enable JavaScript!</h1> </noscript> <UserInfo> <Roles> <Role>anonymous</Role> </Roles> </UserInfo> <Record id="123"> <Error code="403" description="You are not allowed to do this." /> <State color="#5bc0de" model="Publish Life-cycle" name="Unpublished" description="Unpublished entries are only visible to the team and may be edited by any team member." id="221" /> <Info code="0" description="anonymous doesn't have permission retrieve:entity" /> </Record> </Response>```
Specifications
- Version: Server v0.7.1
- Platform: any
Possible fixes
Fix is about to come with the fix for #220 (closed)