Skip to content

Unauthorized access permitted when using multiple user models #3506

Description

@bencallaway

Description

Using the setup suggested by the docs for controlling access with multiple user models, it appears that a user A may access info about user B.

Sample repo

https://github.com/bencallaway/loopback-sandbox

Test case

A test for the scenario can be run with npm test, and not so surprisingly found at test/test.js.

Steps to reproduce

  1. Setup Customer and Admin models based on User
  2. Setup a CustomAccessToken model based on AccessToken
  3. Setup a polymorphic hasMany "accessTokens" relation from Customer and Admin to CustomAccessToken with "userId" as the foreign key and "principalType" as the discriminator
  4. Setup a polymorphic belongsTo "user" relation from CustomAccessToken with "userId" as the foreign key and "principalType" as the discriminator
  5. Create a Customer account
  6. Create an Admin account
  7. Login as Customer
  8. GET /admins/{customer_id}?access_token={customer_access_token} returns the admin who happens to have the same numeric id

Expected result

The server should respond with a 401.

Actual result

The server responds with a 200. The admin’s information is returned in the response body.

Additional information

darwin x64 8.1.3

loopback-sandbox@1.0.0
├── loopback@2.38.3
├── loopback-boot@2.25.0
├── loopback-component-explorer@2.7.0
├── loopback-datasource-juggler@2.55.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions