I posted this in the slack channel and was asked to post it here.
We are noticing some oddity while loading relations in the last day. It has to do with permissions. It looks like the ownership permissions override role permissions for everything was have tested except loading relations. In this case, the roles permissions override the owner permission.
Hi Luke,
Thank you for reporting this issue. Unfortunately things like this happen despite how hard we try to prevent it. The team is working on an urgent patch. We will either apply the patch or rollback the deployment depending on which one will be done faster. Either way it will go back to the working condition by tomorrow morning. I apologize for the inconveniences this might have caused you.
Regards,
Mark
Hello @Luke_Jasudavicius
could you please describe the steps to reproduce the issue in the following way:
curl https://api.backendless.com/<app-id>/<api-key>/data/<table-name>?loadRelations=...
Result:
describe result
Expected result:
what you expect to get
The steps will speed up the research
Hello @sergey.kuk,
We’ve been able to reproduce this bug in the following way: (app ID: 36E4262F-E672-1A40-FFCF-B3523EB51200 )
let result = await Backendless.Data.of('TestItem').find();
console.log(result);
let query = Backendless.DataQueryBuilder.create().setRelated('items');
result = await Backendless.Data.of('TestSet').findFirst(query);
console.log(result);
Result:
First api call prints the expected result; an array with the three owned items
Second api call prints the object, with no “items” field at all
Expected result:
Second api call should print the object with the items field containing an array of the owned objects. We have only been able to get this to work by granting the “Load Relations” permissions on the relevant user roles. User role permissions for Load Relations unexpectedly overrides the object ownership policy.
Hello @Nathan_Cousins
Before Backendless 6.4.6 we do not check permissions when loading realations during the find operation (find, find by id, find first, find last). Now we check it, but we check it without counting object acl and owner policy. The security system is still multi-layered. For any load relations during find operation the system goes through several layers where each can trim the scope of the operations. The layered order of the decision making is consists of the following points of validation:
DENY has a higher priority than GRANT on the same layer.
Also, we have created an internal ticket to account owner policy BKNDLSS-26121. It will be implemented probably in a month. So the layered order of the decision making will probably consists of the following points of validation:
Hey @sergey.kuk ,
Thanks for the info. Glad to see the owner policy will be implemented in the near future.
For now, I suppose it’s safe to assume by allowing relations permissions on user roles won’t pose a security risk as long as the normal object retrieve permissions are denied? That way, a user can retrieve only objects they own, thus can only load relations for those objects. Hopefully that makes sense or I’m not missing something important.
Hello @Nathan_Cousins
I suppose it’s safe
In my opinion yes it will be safe. User object acl with owner policy works for general find and will be loaded only those relations that are tied with the object.
Hi,
Could you advise if that patch on adding owner policy to relations has been applied ?
I am encountering a similar issue : although owner policy is explicitely set to allow load relations, the relations do not load.
Thanks.
Hello @Nicolas_REMY
Sorry, but it is not applied. The fix is pretty complicated, because it may impact performance in general.
Hi @sergey.kuk ,
Sorry, simultaneously with your reply, I cross-posted in Security of owned objects - #3 by Nicolas_REMY.
Thanks for the reply. Does your reply mean that the fix is in the works but taking time, or does that mean that we should not expect it ?
Could you advise as to the best role / owner policy setup in order to restrict access to a minimum ?
→ Indeed, for example when the relation’s target is a user, then at present I need to allow a specific role to access all users instead of those specifically owned by the parent record’s owner.
→ Thus, I am worried that users with that role will be able to access all users instead of a few. Am I wrong ?
→ If so, the same goes for any other type of data. It’s just that user info is so particularly sensitive that it made for a good example.