Join field violating access control of other collection #9865

Closed
RickGeersing opened this issue Dec 10, 2024 · 2 comments · Fixed by #9930
@RickGeersing

Describe the Bug

I have a join field to my customers collection from my user collection. This customer is bound to a user that has a normal user role. When requesting the customers, he should only retrieve his own bound customer, not the customers bound to other users. Customers also have an account manager. This is a user with the admin role. On the user collection for admins there is a join field to all customers which it manages.

Normal users can view who their account manager is, but when you open the account manager with a normal user you can view all customers, instead of just one, yourself. This violates the access controls set on the customer, since I can view names and emails of other customers with a normal account. I only get an unauthorized error when clicking on one of the edit buttons.

Link to the code that reproduces this issue

https://github.com/RickGeersing/payload-join-access-violation

Reproduction Steps

  1. Download the linked repository
  2. Install all packages
  3. Run the seed script, pnpm db:seed
  4. Run pnpm dev
  5. Log in to the backend with user1: email: user1@test.nl and password: user
  6. Take a look at the customers collection, notice that there is 1 item
  7. Navigate to the account manager, under managed customers you'll see 2 customers instead of one, and you'll see the name and email of the other customer

Which area(s) are affected? (Select all that apply)

area: core

Environment Info

Binaries:
  Node: 23.1.0
  npm: 10.9.0
  Yarn: 1.22.19
  pnpm: 9.14.4
Relevant Packages:
  payload: 3.5.0
  next: 15.0.4
  @payloadcms/db-mongodb: 3.5.0
  @payloadcms/email-nodemailer: 3.5.0
  @payloadcms/graphql: 3.5.0
  @payloadcms/next/utilities: 3.5.0
  @payloadcms/payload-cloud: 3.5.0
  @payloadcms/richtext-lexical: 3.5.0
  @payloadcms/translations: 3.5.0
  @payloadcms/ui/shared: 3.5.0
  react: 19.0.0
  react-dom: 19.0.0
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.1.0: Thu Oct 10 21:03:15 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6000
  Available memory (MB): 16384
  Available CPU cores: 10
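Added example, not from the issue or from the Payload project: it models the read rule the report relies on and a check that flags join-field results the requesting user could not read directly from the joined collection. Collection and field names (customers, user, accountManager, managedCustomers, role) follow the report; the small where-clause evaluator is an assumed stand-in for Payload's query engine, not its API.

```typescript
type Role = 'admin' | 'user'
interface User { id: string; role: Role }
interface Customer {
  id: string; name: string; email: string
  user: string           // normal user this customer is bound to
  accountManager: string // admin user managing this customer
}
// Where-clause shape a Payload access.read function may return; only
// `equals` is modelled here (assumed stand-in, not Payload's engine).
type Where = Record<string, { equals: string }>

// Read access on the customers collection: admins read all, a normal user
// reads only the customer bound to them, anonymous reads nothing.
function customersReadAccess(user: User | null): boolean | Where {
  if (!user) return false
  if (user.role === 'admin') return true
  return { user: { equals: user.id } }
}

function matches(doc: Customer, rule: boolean | Where): boolean {
  if (typeof rule === 'boolean') return rule
  const fields = doc as unknown as Record<string, string>
  return Object.entries(rule).every(([f, c]) => fields[f] === c.equals)
}

// Ids in a join-field result that `requester` could not read directly from
// the customers collection. Non-empty means the join leaked documents.
function unauthorizedInJoin(joinDocs: Customer[], requester: User | null): string[] {
  const rule = customersReadAccess(requester)
  return joinDocs.filter((d) => !matches(d, rule)).map((d) => d.id)
}

// What users.managedCustomers should resolve to for `requester`: customers
// managed by `manager`, narrowed by the requester's own read access.
function expectedManagedCustomers(manager: User, requester: User | null, all: Customer[]): Customer[] {
  const rule = customersReadAccess(requester)
  return all.filter((c) => c.accountManager === manager.id && matches(c, rule))
}

// Constructed sample mirroring the reproduction: one admin managing two
// customers, each bound to a different normal user.
const admin: User = { id: 'admin1', role: 'admin' }
const user1: User = { id: 'user1', role: 'user' }
const customers: Customer[] = [
  { id: 'c1', name: 'Customer One', email: 'one@example.invalid', user: 'user1', accountManager: 'admin1' },
  { id: 'c2', name: 'Customer Two', email: 'two@example.invalid', user: 'user2', accountManager: 'admin1' },
]
// The reported behaviour: the join handed both customers to user1.
const leakedByBuggyJoin = unauthorizedInJoin(customers, user1) // ['c2']
```

The same check can be run against the real `managedCustomers.docs` returned for a non-admin session to confirm the fix in a later version.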
@RickGeersing RickGeersing added status: needs-triage Possible bug which hasn't been reproduced yet validate-reproduction labels Dec 10, 2024
@DanRibbens DanRibbens self-assigned this Dec 12, 2024
@github-actions github-actions bot removed the status: needs-triage Possible bug which hasn't been reproduced yet label Dec 12, 2024
@DanRibbens DanRibbens linked a pull request Dec 12, 2024 that will close this issue
DanRibbens added a commit that referenced this issue Dec 12, 2024
Respect read access control through the join field collections for GraphQL and admin UI

fixes #9922 and #9865
🚀 This is included in version v3.7.0

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 15, 2024