yorkie-team/yorkie

Project Secret Key grants the same permissions as the owner of the project.

devleejb opened this issue · 4 comments

What happened:

The Project Secret Key grants the same permissions as the owner of the project. For example, when Admin A owns Project B and uses the Secret Key of that project, they can access other projects owned by Admin A as well. This occurs because accessing a project via the Project Secret Key returns the user who owns the project.

What you expected to happen:

The Project Secret Key should only provide access to the specific project it belongs to and not grant access to other projects owned by the same user.

How to reproduce it (as minimally and precisely as possible):

The issue can be reproduced by using the Project Secret Key to access a project and observing that it inadvertently provides access to other projects owned by the same user.

Anything else we need to know?:

It is suggested that a solution could involve adding a flag to the User to distinguish between Admin and Project access rights.

```go
// First path: the Authorization value is an admin session token.
claims, err := i.tokenManager.Verify(authorization)
if err == nil {
    user, err := users.GetUserByName(ctx, i.backend, claims.Username)
    if err == nil {
        return user, nil
    }
}

// Second path: the Authorization value is a Project Secret Key.
// The key is resolved to its project, but then the project's owner is
// returned, so the caller inherits everything that owner can do.
project, err := projects.GetProjectFromSecretKey(ctx, i.backend, authorization)
if err == nil {
    user, err := users.GetUserByID(ctx, i.backend, project.Owner)
    if err == nil {
        return user, nil // Need to return Project permissions, not Admin permissions
    }
}
```

Environment:

  • Operating system: ALL
  • Browser and version: ALL
  • Yorkie version (use yorkie version): v0.4.14
  • Yorkie JS SDK version: NONE
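The scoping fix the issue asks for, shown as an added example that is not Yorkie's code: the interceptor keeps the same lookup order (session token, then secret key) but resolves a secret key to a principal tagged with its project, and a per-request check refuses that principal access to any other project of the same owner. The in-memory `projectStore`, `adminSessions`, `Principal`, `ResolvePrincipal` and `CanAccess` are all constructed stand-ins for the real store and token manager.

```go
package main

import "fmt"

// Constructed sample data (not Yorkie's real store): one admin owning two projects.
type Project struct{ ID, Owner, SecretKey string }
var projectStore = []Project{
	{ID: "p1", Owner: "admin-a", SecretKey: "sk-p1"},
	{ID: "p2", Owner: "admin-a", SecretKey: "sk-p2"},
}

// Hypothetical admin session tokens, standing in for tokenManager.Verify.
var adminSessions = map[string]string{"tok-admin-a": "admin-a"}

// Principal is what the interceptor hands to handlers: who the caller is
// and, for secret-key callers, the single project the key is confined to.
type Principal struct {
	Owner     string
	ProjectID string // empty for admin sessions, which span all owned projects
}

// ResolvePrincipal keeps the issue's order (session token first, then secret
// key) but tags secret-key callers with their project instead of returning
// the bare owner user.
func ResolvePrincipal(authorization string) (Principal, error) {
	if owner, ok := adminSessions[authorization]; ok {
		return Principal{Owner: owner}, nil
	}
	for _, p := range projectStore {
		if p.SecretKey == authorization {
			return Principal{Owner: p.Owner, ProjectID: p.ID}, nil
		}
	}
	return Principal{}, fmt.Errorf("unauthenticated")
}

// CanAccess is the per-request check: admins reach any project they own,
// secret-key callers only the project their key belongs to.
func CanAccess(pr Principal, projectID string) bool {
	for _, p := range projectStore {
		if p.ID == projectID {
			return p.Owner == pr.Owner && (pr.ProjectID == "" || pr.ProjectID == projectID)
		}
	}
	return false
}

func main() {
	sk, _ := ResolvePrincipal("sk-p1")
	fmt.Println(CanAccess(sk, "p1"), CanAccess(sk, "p2")) // true false
}
```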