[Security] Read permission not enforced!


#1

I’ve created a user and tried to give him read permissions on the User type, but when I test I see that he can see only himself! Following is what I’m doing:

// create a group
var group = AdminGroup.create({id: 'testGroup', name: 'testGroup'});

// create a user
var user = UserAdmin.createUser('user@acme.inc', 'firstname', 'lastname', 'username');
UserAdmin.setPassword('username', 'paSsw0rd');

// create a role
var role = Role.make({id: 'roleId', name: 'roleName'});
role = role.addPermission(Permission.fromString('allow:User:read:'));
role.merge();

// create relationships
user = AdminGroup.addUser(group.id, user.id);
role = AdminGroup.addRole(group.id, role.id);

Then I test with POST requests:

curl -u username:paSsw0rd -H "Content-Type: application/json" -H "accept: application/json" -X POST --data "{'spec' : {'limit': -1}}" http://localhost:3000/api/1/mytenant/mytag/User\?action\=fetch
{
  "objs" : [ {
    "firstname" : "firstname",
    "lastname" : "lastname",
    "groups" : [ {
      "id" : "mytestgroup2"
    } ],
    "meta" : {
      "tenantTagId" : 4,
      "tenant" : "mytenant",
      "tag" : "mytag",
      "created" : "2017-12-19T21:18:16Z",
      "createdBy" : "BA",
      "updated" : "2017-12-19T21:19:08Z",
      "updatedBy" : "authorizer",
      "timestamp" : "2017-12-19T21:19:08Z"
    },
    "id" : "username",
    "version" : 5,
    "name" : "username",
    "user" : "username",
    "typeIdent" : "MBR:USER",
    "email" : "user@acme.inc",
    "familyName" : "lastname",
    "givenName" : "firstname",
    "pwDigest" : "bc770f38283ae023b1feef3e68003ee44e730fb163951109a4ed33adeebff2d0",
    "salt" : "53e11a2b-d3c6-4cb1-99ed-1ac29e59609f",
    "lastLoginAt" : "2017-12-19T21:19:09Z",
    "c3AuthSalt" : "2c885d42a5a735dd"
  } ],
  "count" : 1,
  "hasMore" : false
}

I wonder if I’m missing something?


#2

Read permissions are actually enforced. The issue is that by default, a user can only see its own User object. You need to add an actionCondition to your Role if you want to be able to fetch all Users. There is no method in Role to add actionConditions, so you will need to do something like:

Role.upsert({
  "id" : "TestRole",
  "name" : "TestRole",
  "permissions" : ["allow:User:read:"],
  "actionConditions" : ["User:read::(1==1)"]
})

You can refer to the ‘In Depth - Access Control’ article in the c3doc for more info.


#3

Is there a way to know for sure that for a given type an actionCondition is needed?


#4

You can check the action conditions defined for a specific action using Authorizer.actionPermissions() (also documented in the ‘In depth - Access Control’ article and through c3ShowType(Authorizer)).
It tells you which Permissions and ActionConditions are applied to the given action through the Roles defined.