MerginMaps/server

Security issue: projects are visible without permissions

envirosolutionspl opened this issue · 4 comments

Users have granted read and write permissions for specific projects, but all users can see and download all projects from the server.
In the following case, the user with id 7 can download all data from the server, including photos.
Screenshot from public.project_access:
version 2023.3.0

Is this Mergin Maps CE?

Hi @envirosolutionspl,

can you please check whether you are using one of these environment variables: GLOBAL_ADMIN, GLOBAL_WRITE or GLOBAL_READ?
https://merginmaps.com/docs/dev/mergince/#data-synchronisation-and-user-management

Hi @envirosolutionspl and @saberraz,
I tested this myself and here are the results:

  • The GLOBAL_READ env variable is set to true by default, which lets everyone see all projects (read only, no edit).
    • This might be misleading for people. I will adjust the logic so that by default nobody sees other users' projects unless they are explicitly shared or access is granted via a GLOBAL_X variable.
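The access rule discussed in this thread, written out as a small model so an admin can see what the default for GLOBAL_READ changes. This is an added example, not Mergin Maps server code: the `ProjectAccess` rows, the `can_read` / `visible_projects` functions and the sample table are constructed here, and it assumes that explicit per-project grants always apply, that GLOBAL_ADMIN and GLOBAL_WRITE imply read access, and that the value used when GLOBAL_READ is unset is a configurable default (true in 2023.3.0, false in the proposed change).

```python
from dataclasses import dataclass
from typing import Iterable, List, Mapping

TRUE_VALUES = {"1", "true", "yes", "on"}


def env_flag(name: str, default: bool, env: Mapping[str, str]) -> bool:
    """Read a boolean setting from an environment mapping; unset falls back to `default`."""
    raw = env.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in TRUE_VALUES


@dataclass(frozen=True)
class ProjectAccess:
    """One row of a project_access-style table (constructed shape, not the real schema)."""
    project: str
    readers: frozenset = frozenset()
    writers: frozenset = frozenset()


def can_read(user_id: int, row: ProjectAccess, env: Mapping[str, str],
             global_read_default: bool) -> bool:
    """Decide read access for one project.

    Explicit per-project grants always win. Otherwise a server-wide flag
    (GLOBAL_ADMIN, GLOBAL_WRITE or GLOBAL_READ) may grant read access; when
    GLOBAL_READ is not set at all, `global_read_default` is used (assumption).
    """
    if user_id in row.readers or user_id in row.writers:
        return True
    if env_flag("GLOBAL_ADMIN", False, env) or env_flag("GLOBAL_WRITE", False, env):
        return True
    return env_flag("GLOBAL_READ", global_read_default, env)


def visible_projects(user_id: int, table: Iterable[ProjectAccess],
                     env: Mapping[str, str], global_read_default: bool) -> List[str]:
    """Sorted names of the projects `user_id` may read under the given settings."""
    return sorted(r.project for r in table
                  if can_read(user_id, r, env, global_read_default))


# Constructed sample table: user 7 is only listed as a reader of "field_notes".
SAMPLE_TABLE = [
    ProjectAccess("survey", readers=frozenset({1, 2}), writers=frozenset({1})),
    ProjectAccess("photos", readers=frozenset({3}), writers=frozenset({3})),
    ProjectAccess("field_notes", readers=frozenset({7})),
]

if __name__ == "__main__":
    cases = [
        ("GLOBAL_READ unset, old default (true)", {}, True),
        ("GLOBAL_READ unset, proposed default (false)", {}, False),
        ("GLOBAL_READ=true set explicitly", {"GLOBAL_READ": "true"}, False),
    ]
    for label, env, default in cases:
        print(f"{label}: user 7 sees {visible_projects(7, SAMPLE_TABLE, env, default)}")
```

Running it shows the difference the comment above describes: with the old default, user 7 sees all three projects without any grant; with the proposed default and no GLOBAL_READ set, only "field_notes" is visible; setting GLOBAL_READ=true explicitly restores the open behaviour. On a real deployment, the equivalent check is to confirm which of these variables are set in the server's environment and to compare a non-admin user's project list against the grants in public.project_access.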