Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not expose information via relationfield serializer #1634

Open
maethu opened this issue May 1, 2023 · 2 comments · May be fixed by #1635
Open

Do not expose information via relationfield serializer #1634

maethu opened this issue May 1, 2023 · 2 comments · May be fixed by #1635

Comments

@maethu
Copy link

maethu commented May 1, 2023

Description
The relationfield serializer should respect the View permission.

Problem
Some metadata like, Title and Description can be exposed thru the relationsfield serializer

Reproduce

  1. Create 3 pages
  2. Refer to page 2 and 3 from page 1 via relatedItems
  3. Remove View permission for page 2, or page 3 (You can simply publish page 1 and for example page 2 and keep page 3 private)

Result: bot page 2 and page 3 are serialized in relatedItems

...
    "relatedItems": [
        {
            "@id": "http://localhost:8080/Plone/page-2",
            "@type": "Document",
            "UID": "4f0b980e8a144a55b9244b8b942e93d2",
            "description": "",
            "image_field": null,
            "image_scales": null,
            "review_state": "published",
            "title": "Page 2"
        },
        {
            "@id": "http://localhost:8080/Plone/page-3",
            "@type": "Document",
            "UID": "bec10b954049433088df076e6eb0208d",
            "description": "",
            "image_field": null,
            "image_scales": null,
            "review_state": "private",
            "title": "Page 3"
        }
    ],
...

Expected result
Only list accessible relatedItems and do not expose any metadata information

...
    "relatedItems": [
        {
            "@id": "http://localhost:8080/Plone/page-2",
            "@type": "Document",
            "UID": "4f0b980e8a144a55b9244b8b942e93d2",
            "description": "",
            "image_field": null,
            "image_scales": null,
            "review_state": "published",
            "title": "Page 2"
        }
    ],
...
@maethu maethu linked a pull request May 1, 2023 that will close this issue
Open
@davisagli
Copy link
Member

@maethu In general, permission to view an object's metadata in listings is controlled by the "Access contents information" permission on its container, not the View permission.

Does the Anonymous role still have the Access contents information permission in your example above? If so, I think this is working as designed.

@maethu
Copy link
Author

maethu commented May 3, 2023
edited
Loading

@maethu In general, permission to view an object's metadata in listings is controlled by the "Access contents information" permission on its container, not the View permission.

Does the Anonymous role still have the Access contents information permission in your example above? If so, I think this is working as designed.

Ohh ooops my bad... Should have known this. But I it still exposes information even without this permission. --> #1635 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Do not expose private metadata via relationfield serializer. plone/plone.restapi
2 participants
@davisagli @maethu