Comments (5)
Got it! I missed that detail when reading the issue.
I understand you approach. You are relying on the permissions clause for SELECT
only allowing the user to query their own record in order to retrieve only their user with ONLY
and LIMIT 1
in the function.
Unfortunately, the current behavior in SurrealDB (#2161) leads to permissions clauses being able to read any data, causing your statement to simply return the first user record instead of the record belonging to the authenticated user. We are discussing this behavior as well as some related bugs in the context of a security issue in GHSA-9722-9j67-vjcr
, and a fix that may change this behavior is currently being developed by the team responsible.
Thank you again for reporting this, I will keep this issue open and update it when this is resolved.
For the time being, a potential alternative could be to use another unique user identifier already present on the token (e.g. email
) to use internally as either a custom record identifier for user
or just as a normal field of the user
record that is also present in post
and like
in order to allow the relation.
For future reference, here is a simplified scenario that reproduces this issue:
USE NS test DB test;
DEFINE TABLE user PERMISSIONS FOR SELECT WHERE name = $auth.name;
DEFINE TABLE post PERMISSIONS FOR SELECT WHERE user = (SELECT id FROM ONLY user LIMIT 1).id;
CREATE user:a CONTENT {"name": "a"};
CREATE user:b CONTENT {"name": "b"};
CREATE post:a CONTENT {"user": user:a};
CREATE post:b CONTENT {"user": user:b};
DEFINE SCOPE user
SESSION 1d
SIGNIN (SELECT * FROM user WHERE name = $name)
SIGNUP (CREATE user CONTENT {"name": $name})
;
Then, I sign in as user:a
and run the following:
SELECT * FROM post;
[
{
id: post:a,
user: user:a
}
]
I get the correct post for that user, great!
Then, I sign in as user:b
and run the following:
SELECT * FROM post;
[
{
id: post:a,
user: user:a
}
]
I get the same post. It seems that the SELECT id FROM ONLY user LIMIT 1
statement is always returning the first user.
To test this hypothesis, we create a new user with a numeric identifier and their own post from a root session:
CREATE user:1 CONTENT {"name": 1};
[[{ id: user:1, name: 1 }]]
CREATE post:1 CONTENT {"user": user:1};
[[{ id: post:1, user: user:1 }]]
If our hypothesis is correct, selecting posts as any scope user should now return the post of user:1
.
We sign in again as user:a
and run the following:
SELECT * FROM post;
[
{
id: post:1,
user: user:1
}
]
We sign in again as user:b
and run the following:
SELECT * FROM post;
[
{
id: post:1,
user: user:1
}
]
It seems that our hypothesis is correct. The permissions clause has access to all users and will always return the first one.
from surrealdb.
Hi @ReziaBanks! Thank you for taking the time to write a detailed report for this issue you are experiencing. I will try to reproduce your scenario whenever I have a moment. For the time being, may I ask why not use FOR CREATE, DELETE WHERE $scope = 'user' AND in = $auth.id
? Using $auth.id
is the default way of accessing the record identifier of the authenticated user. Is there a particular reason why you prefer to rely on a custom function for that?
from surrealdb.
I'm using Auth0 as my Authentication Provider, therefore the $auth
variable returns NONE
. Snippet from the Auth0 implementation tutorial.
It is also important to note that the $auth variable accessible from SurrealQL will not contain any values in this case, as it requires the id claim to be added to the JWT, containing the value of the identifier of a SurrealDB record. For the current example, the $auth variable will not be necessary.
from surrealdb.
Thanks for the breakdown, adding a WHERE clause to the CURRENT USER function solved the issue.
I think it would be helpful to add context (doesn't use scope permission in a scoped connection) on PERMISSIONS in the documentation.
from surrealdb.
I agree that this behavior should be documented. Since we are currently in the process of redefining exactly how we want PERMISSIONS
clauses to behave, I will make sure that the outcome is documented whenever a decision is made 👍
Thank you again for opening this issue!
from surrealdb.
Related Issues (20)
- Bug: TIMEOUT not respected inside RETURN statement
- Bug: Rust fails to build surrealdb HOT 15
- Bug: Parser interpretes string id with starting with number followed by 'e' as exponenets HOT 2
- Bug: COMPOSITE INDEX does not work
- Bug: 'Unsupported value' in no-index WHERE condition, causes INDEX to not be used HOT 1
- Bug: The alphabetical order of the properties of an object-based Record ID is query-significant HOT 1
- Bug: HTTP CREATE not working when using TOKEN auth HOT 10
- Bug: Can't define a schema with flexible object keys HOT 4
- Bug: database fails and stop on attempt to delete namespace HOT 1
- Bug: the parse::url::port() does not work on https url HOT 3
- Bug: Parse error when using RELATE query from docs
- Feature: NN Vector search and similarity masking (partial vector search)
- Bug: Floats treated as integers and duplicate records not checked when floats used as record id
- Bug: Http endpoint empty response HOT 3
- Bug: Strand does not check for nul bytes in release mode
- Bug: New parser does not work with backticks HOT 3
- Bug: CLI handling of version check not working HOT 1
- Bug: "No Iterator has been found" when mixing indexes
- Bug: REPL exits immediately HOT 2
- Bug: graph queries do not work as documented HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from surrealdb.