Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- None
- None
Description
Users end up creating permissions like:
{ "collection": null, "name": "update", "role": "some-role" }
They expect this to secure the update operations. This does not work and does not protect any operation.
The security API should throw an error when such a permission is created. For the well-known permissions, we already know the value of collection.
- if collection:null is specified for a per-collection permission, that should be ignored
- for permissions where collection is not required, such as collection-admin-edit and security-edit, the value of collection is null anyway; no other value should be allowed to be specified
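A pre-flight check for the two rules above, as an added example that is not code from this issue or from the project. It assumes the permissions sit under `authorization.permissions` in the security document, and its table lists only the three permission names mentioned here; the function names and the sample input are constructed.

```python
import json

# Assumption: only the three permission names mentioned in this issue are listed.
# True = applies per collection, False = takes no collection.
WELL_KNOWN = {
    "update": True,
    "collection-admin-edit": False,
    "security-edit": False,
}

_ABSENT = object()  # distinguishes a missing key from an explicit JSON null


def check_permission(perm):
    """Return a list of problems for one permission object (empty if none)."""
    name = perm.get("name")
    if name not in WELL_KNOWN:
        return []  # custom or unlisted permission: outside this check
    collection = perm.get("collection", _ABSENT)
    if WELL_KNOWN[name]:
        if collection is None:
            return [f"{name}: explicit collection:null on a per-collection permission"]
        return []
    if collection is not _ABSENT and collection is not None:
        return [f"{name}: collection must not be set (got {collection!r})"]
    return []


def audit(security_json_text):
    """Check every entry under authorization.permissions (assumed layout)."""
    doc = json.loads(security_json_text)
    perms = doc.get("authorization", {}).get("permissions", [])
    return [(i, p) for i, perm in enumerate(perms) for p in check_permission(perm)]


# Constructed sample input, not taken from a real deployment.
SAMPLE = """
{"authorization": {"permissions": [
  {"collection": null, "name": "update", "role": "some-role"},
  {"name": "update", "role": "some-role"},
  {"name": "security-edit", "role": "admin"},
  {"collection": "techproducts", "name": "collection-admin-edit", "role": "admin"}
]}}
"""

if __name__ == "__main__":
    for index, problem in audit(SAMPLE):
        print(f"permissions[{index}]: {problem}")
```

The check treats a missing `collection` key and an explicit `null` differently, since only the explicit `null` on a per-collection permission is the pattern reported here.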