3***@qq.com
  • Posted: 2020-11-13 14:07
  • Updated: 2020-11-13 22:29
  • Views: 1123

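[Bug report] DB Schema permission configuration has no effect on the Alibaba Cloud cloud database; official team, please take this seriously

Category: uniCloud

The DB Schema configured in the cloud database is as follows: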

{  
  "bsonType": "object",  
  "required": [  
    "title"  
  ],  
  "permission": {  
    "read": true,  
    "create": true,  
    "update": "doc.uid == auth.uid",  
    "delete": "doc.uid == auth.uid"  
  },  
  "properties": {  
    "_id": {  
      "description": "ID,系统自动生成"  
    },  
    "uid": {  
      "forceDefaultValue": {  
        "$env": "uid"  
      },  
      "foreignKey": "uni-id-users._id",  
      "permission": {  
        "read": true,  
        "create": false,  
        "update": false,  
        "delete": false  
      },  
      "description": "用户ID"  
    },  
    "updated_at": {  
      "forceDefaultValue": {  
        "$env": "now"  
      },  
      "description": "数据更新时间"  
    },  
    "ip_address": {  
      "permission": {  
        "read": false,  
        "write": false  
      },  
      "forceDefaultValue": {  
        "$env": "clientIP"  
      },  
      "description": "数据更新时间"  
    },  
    "created_at": {  
      "bsonType": "int",  
      "permission": {  
        "read": true,  
        "create": false,  
        "update": false,  
        "delete": false  
      },  
      "forceDefaultValue": {  
        "$env": "now"  
      },  
      "description": "数据发布时间"  
    },  
    "title": {  
      "bsonType": "string",  
      "description": "标题"  
    }  
  }  
}

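When I query data from the front end with clientDB, the value of the ip_address field is returned as normal; it is not withheld even though read:false is set in its permission.
This is a serious security issue, and I hope the official team fixes it as soon as possible.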

3***@qq.com (author)

Reply to DCloud_uniCloud_WYQ:
OK, I'll give it a try.
2020-11-13 22:29
DCloud_uniCloud_WYQ

Reply to 3***@qq.com:
This issue has been fixed. Save the schema once to trigger a clientDB update and the fix will take effect.
2020-11-13 16:49
DCloud_uniCloud_WYQ

Reply to 3***@qq.com:
Received, I'll investigate.
2020-11-13 15:40
3***@qq.com (author)

Reply to DCloud_uniCloud_WYQ:
No, just an ordinary user.
2020-11-13 15:09
DCloud_uniCloud_WYQ

Which user identity did you use to query the database? Was it admin?
2020-11-13 14:55
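
Added example, not part of the thread and not uniCloud's own code: a regression check a developer could run after re-saving the schema. It lists the fields the posted schema marks "read": false and reports any that still appear in records returned to the client. The function names and both sample responses are constructed for illustration; the schema is trimmed from the original post.

```javascript
// Added example (not uniCloud code). All names and sample data are illustrative.

// Names of properties whose field-level permission is the literal `read: false`.
// Expression strings such as "doc.uid == auth.uid" are conditional and skipped.
function unreadableFields(schema) {
  return Object.entries(schema.properties || {})
    .filter(([, def]) => def && def.permission && def.permission.read === false)
    .map(([name]) => name);
}

// Compare records returned to the client against the schema and report
// every hidden field that is still present: [{ index, field }, ...].
function findLeaks(schema, records) {
  const hidden = unreadableFields(schema);
  const leaks = [];
  records.forEach((record, index) => {
    for (const field of hidden) {
      if (Object.prototype.hasOwnProperty.call(record, field)) {
        leaks.push({ index, field });
      }
    }
  });
  return leaks;
}

// Schema trimmed from the original post (permission-relevant parts only).
const schema = {
  bsonType: "object",
  permission: { read: true, create: true },
  properties: {
    uid: { permission: { read: true, create: false } },
    ip_address: { permission: { read: false, write: false } },
    title: { bsonType: "string" }
  }
};

// Constructed responses: the first mimics the reported behaviour, the second the fixed one.
const beforeFix = [{ _id: "a1", title: "hello", uid: "u1", ip_address: "203.0.113.7" }];
const afterFix = [{ _id: "a1", title: "hello", uid: "u1" }];

console.log(findLeaks(schema, beforeFix)); // [ { index: 0, field: 'ip_address' } ]
console.log(findLeaks(schema, afterFix));  // []
```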