RBAC not working for plugins #20195

Open
simosalsi opened this issue Apr 24, 2024 · 0 comments
Labels

  • issue: bug (Issue reporting a bug)
  • severity: low (If the issue only affects a very niche base of users and an easily implemented workaround can solve)
  • source: core:permissions
  • status: pending reproduction (Waiting for free time to reproduce the issue, or more information)

Comments

@simosalsi

Bug report

Required System information

  • Node.js version: 18.17.1
  • NPM version: 9.6.7
  • Strapi version: 4.23.1
  • Database: Postgres
  • Operating system: Win10
  • Is your project Javascript or Typescript: TS

Describe the bug

RBAC doesn't work for any plugin, while still working for Collection Types.

Steps to reproduce the behavior

Link to repo that exhibits the issue.

  1. Create 2 admin roles.
  2. Give each role "Has same role of creator" and/or "Is creator" permission for any plugin's action (linked repo tested the Update action of the included Upload plugin)
  3. Create a user for each role (User A / User B).
  4. Log in as User A and upload any media.
  5. Log in as User B and try to update said media.
  6. You will be able to update said media, witnessing the issue.

Expected behavior

Users other than User A (or anyone with the same role) should not be able to update or delete media uploaded by User A.

Screenshots

Permission settings.
Screenshot 2024-04-24 131258

User B able to update/delete user A's media.
Screenshot 2024-04-24 131528

@joshuaellis added the issue: bug, severity: low, status: pending reproduction and source: core:permissions labels on May 14, 2024
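
The expected behavior from the report, written as a self-contained check. This is an added example, not part of the original issue and not Strapi's code: a simplified model of condition-based permissions in which the action name `upload.update`, the role names, the `can` helper and all data are hypothetical, and conditions on one permission are assumed to be OR-combined.

```javascript
// Simplified model of condition-based admin permissions (not Strapi's code).
// Condition names mirror the labels in the report; all else is hypothetical.
const CONDITIONS = {
  'Is creator': (user, entity) => entity.createdBy.id === user.id,
  'Has same role of creator': (user, entity) =>
    entity.createdBy.roles.some((r) => user.roles.includes(r)),
};

// A permission grants `action` to `role`. If it lists conditions, at least
// one must hold for the entity being touched (assumed OR semantics).
function can(user, action, entity, permissions) {
  const granted = permissions.filter(
    (p) => p.action === action && user.roles.includes(p.role)
  );
  // No matching permission means deny by default.
  return granted.some((p) => {
    if (p.conditions.length === 0) return true; // unconditional grant
    return p.conditions.some((name) => {
      const check = CONDITIONS[name];
      // Fail closed: an unknown condition never widens access.
      return typeof check === 'function' && check(user, entity);
    });
  });
}

// Constructed sample data following the reproduction steps.
const conditions = ['Is creator', 'Has same role of creator'];
const permissions = [
  { role: 'role-a', action: 'upload.update', conditions },
  { role: 'role-b', action: 'upload.update', conditions },
];
const userA = { id: 1, roles: ['role-a'] };
const userA2 = { id: 3, roles: ['role-a'] }; // second user sharing A's role
const userB = { id: 2, roles: ['role-b'] };
const media = { id: 10, createdBy: { id: userA.id, roles: userA.roles } };

// Outcome the report expects for media uploaded by User A.
function expectedOutcome() {
  return {
    creator: can(userA, 'upload.update', media, permissions),
    sameRole: can(userA2, 'upload.update', media, permissions),
    otherRole: can(userB, 'upload.update', media, permissions),
  };
}

console.log(expectedOutcome());
```

The same three cases (creator, same-role user, other-role user) are the ones worth asserting in an integration test against a real instance for every plugin action that accepts these conditions.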
Projects
Status: To be reviewed
Status: To review