RBAC Major security flaw #611
I'm not sure if I found a major security flaw, or if I did not set up something correctly, but here's the thing:
I added a custom role called 'api_reader', and denied this action for this particular role:
DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO api_reader
And when I try to read this property as someone with this role, I cannot, as expected.
But when I use apoc.convert.toJson on an Embeddable node, I'm able to read this property; here's an example:
Neo4j version: 5.17.0 enterprise
Comments
@GBrunelli I cannot see anything particularly wrong with your query. However, when I tried it out myself on a small database containing one (:Embeddable {embedding:[...]}) node I get null back for both columns, as expected. Can you share which other privileges the api_reader role has? And do the Embeddable nodes have additional properties on them? Best regards, Louise, Neo4j
@GBrunelli Another question: do you happen to have this set in your config file:
Hi! I tried to reproduce this, and the only way I can do it is if I give the user boosted function privileges, which override denies. As this is expected behaviour, I will close this. Feel free to reopen if you have more information and this is not the reason. Thank you :)
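The setup from the report together with the check the closing comment points at, as an added example that is not from the issue or the APOC project. It is written for cypher-shell against a Neo4j 5 Enterprise instance with APOC installed and an admin session; the role, label and property names are the reporter's, while the user api_user, its password, and the apoc.* globbing are assumptions. Step 2 is the part to run first on a live system: a DENY on a property is only honoured when apoc.convert.toJson runs with the caller's own privileges, so any EXECUTE BOOSTED grant on the role, or any role listed under the dbms.security.procedures.* settings in neo4j.conf, lets the function return the denied property.

```cypher
// Added example, not from the issue or from APOC. Assumes Neo4j 5 Enterprise,
// APOC installed, an admin session, and a test user api_user (assumed name).

// 1. Role and property-level deny as described in the report.
CREATE ROLE api_reader IF NOT EXISTS;
GRANT MATCH {*} ON GRAPH neo4j TO api_reader;
DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO api_reader;
CREATE USER api_user IF NOT EXISTS SET PASSWORD 'change-me' CHANGE NOT REQUIRED;
GRANT ROLE api_reader TO api_user;
// EXECUTE FUNCTION * is granted to PUBLIC by default, so api_user can already
// call apoc.convert.toJson without any further grant.

// 2. Check for anything that boosts function execution for this role.
//    a) explicit grants on the role (look for EXECUTE BOOSTED lines):
SHOW ROLE api_reader PRIVILEGES AS COMMANDS;
//    b) config-file boosting, which never appears as a grant. A role named in
//       dbms.security.procedures.roles runs matching procedures/functions with
//       elevated privileges, which is the reproduction the maintainer describes.
CALL dbms.listConfig('dbms.security.procedures') YIELD name, value
RETURN name, value;

// 3. Weak state that reproduces the report: boosted execution for apoc.*.
GRANT EXECUTE BOOSTED FUNCTION apoc.* ON DBMS TO api_reader;
// Logged in as api_user:
//   MATCH (e:Embeddable) RETURN e.embedding;            -> null (deny applies)
//   MATCH (e:Embeddable) RETURN apoc.convert.toJson(e); -> embedding present

// 4. Corrected state: remove the boost so the function sees only what the
//    caller may read; the deny now applies inside apoc.convert.toJson as well.
REVOKE EXECUTE BOOSTED FUNCTION apoc.* ON DBMS FROM api_reader;
// Logged in as api_user:
//   MATCH (e:Embeddable) RETURN apoc.convert.toJson(e); -> no embedding key
```

Step 2b matters because the boost from neo4j.conf is invisible in SHOW PRIVILEGES output; review the config file (and the same dbms.security.procedures.* keys on every cluster member) whenever a property-level DENY appears to be bypassed by an APOC function.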