Skip to content
This repository has been archived by the owner on Dec 22, 2023. It is now read-only.

No public access reference record could be transient included #496

Closed
1 of 2 tasks
wallacesky opened this issue Nov 23, 2017 · 1 comment
Closed
1 of 2 tasks

No public access reference record could be transient included #496

wallacesky opened this issue Nov 23, 2017 · 1 comment
Assignees
@carmenlau
Labels
type/bug

Comments

@wallacesky
Copy link

TableFoo has a public access record with foreign field reference to table Bar
If another user query this Foo record and transient include the Bar reference record, Bar record can be queryable along with Foo record even though Bar record has no public access

  • Skygear Server Date/Version: 1.1.3
  • Application Platform: iOS, javascript
  • Is this a regression?
  • Attached logs, screenshots

Expected Results

No public access reference record should not be transient included and expose to no privilege users.

Actual Results

No public access reference record could be transient included

Steps to reproduce

Sample code of testing transient no public access record

<!--Skygear CDN-->
<script src="https://code.skygear.io/js/polyfill/latest/polyfill.min.js"></script>
<script src="https://code.skygear.io/js/skygear/latest/skygear.min.js"></script>

<!--Skygear configuration-->
<!--The app end point and the api key can be found in the developer portal-->
<script>
	const Note = skygear.Record.extend('note');
	const Category = skygear.Record.extend('category');

	skygear.config({
	    'endPoint': 'http://localhost:3001/', // trailing slash is required
	    'apiKey': 'changeme',
	}).then(() => {
		console.log('skygear container is now ready for making API calls.');
		return skygear.auth.signupAnonymously();
	}).then(() => {
		console.log('logged in');
		
		const note = new Note({ 'content': 'Hello World' });
		const secretCategory = new Category({ 'type': 'fiction'});
		secretCategory.setPublicNoAccess()
		note.category = new skygear.Reference(secretCategory);

		return skygear.publicDB.save([secretCategory, note]);
	}).then((record) => {
		console.log(record);
		return skygear.auth.logout();
	}).then(() => {
		console.log('logout successfully');

		return skygear.auth.signupAnonymously();
	}).then(() => {
		console.log('tester logged in');

		const query = new skygear.Query(Note);
		query.transientInclude('category');

		return skygear.publicDB.query(query);
	}).then((record) => {
		console.log('query resut', record);
	}, (error) => {
		console.error(error);
	});
</script>
@cheungpat
Copy link
Contributor

@carmenlau may need to fix this issue earlier

@carmenlau carmenlau self-assigned this Nov 28, 2017
@carmenlau carmenlau mentioned this issue Dec 6, 2017
Merged
cheungpat added a commit that referenced this issue Dec 8, 2017
@cheungpat
Record acl for transient fields
6d2305d 
refs #496
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@carmenlau carmenlau

Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cheungpat @carmenlau @wallacesky