some requests skip Authorization #1363
I am currently using nacos-server-1.0.0 in the test environment. Nacos has added permission authentication. After logging in, I access the configuration management - configuration list, select a configuration item for editing and enter the editing page. Then I share the URL of the editing page. My colleague can open the page directly without any permission authentication, and can even change the configuration item and publish it. All I shared was a URL address; the Authorization in the Request Header was null, but it was able to access and commit the changes. I think this is a very dangerous operation. We have IP restrictions on Nacos access. I hope this is fixed as soon as possible.
Nacos does not currently implement authentication at the interface level. This is already being planned; see #1105.
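The gap discussed in this thread, as an added example that is not part of the issue and is not Nacos code: a write endpoint that never reads the `Authorization` header next to one that authenticates every request before the handler runs. All names (`login`, `authenticate`, `handle_unguarded`, `handle_guarded`, the in-memory stores) and the sample data are hypothetical and constructed for illustration.

```python
import hmac
import secrets
import time

TOKENS = {}                                  # token -> (user, expiry); constructed session store
CONFIGS = {"app.properties": "timeout=30"}   # constructed sample configuration item

def login(user, ttl=1800):
    """Issue a token, standing in for a successful console login."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (user, time.time() + ttl)
    return token

def authenticate(headers):
    """Return the user for a valid, unexpired Authorization header, else None."""
    presented = (headers.get("Authorization") or "").encode()
    for token, (user, expiry) in TOKENS.items():
        # Constant-time comparison; an expired token is treated as absent.
        if hmac.compare_digest(token.encode(), presented) and time.time() < expiry:
            return user
    return None

def publish_config(data_id, content):
    CONFIGS[data_id] = content
    return 200

def handle_unguarded(request):
    """Reported behaviour: the write succeeds although Authorization is null."""
    return publish_config(request["dataId"], request["content"])

def handle_guarded(request):
    """Interface-level check: authenticate on every request, not only at login."""
    if authenticate(request.get("headers", {})) is None:
        return 401
    return publish_config(request["dataId"], request["content"])

def demo():
    token = login("alice")
    # Request as sent by someone who only received the shared URL.
    shared = {"dataId": "app.properties", "content": "timeout=1",
              "headers": {"Authorization": None}}
    results = {"unguarded": handle_unguarded(shared)}
    CONFIGS["app.properties"] = "timeout=30"   # reset before the guarded run
    results["guarded_no_header"] = handle_guarded(shared)
    results["unchanged"] = CONFIGS["app.properties"] == "timeout=30"
    authed = dict(shared, headers={"Authorization": token})
    results["guarded_with_token"] = handle_guarded(authed)
    return results

if __name__ == "__main__":
    print(demo())
```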