LiveQuery seems to bypass Record-level Security limit!! #7213
Comments
wolf4ood
added a commit
that referenced
this issue
Mar 3, 2017
wolf4ood
added a commit
that referenced
this issue
Mar 3, 2017
|
hi @zhiguan-hanks thanks for this issue. I've pushed a fix. It will be available in OrientDB 2.2.18 Thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OrientDB Version: 2.2.13 community
Java Version: 1.8.0_101
OS: linux
Expected behavior
When a record created, LiveQuery should catch nothing, if the user is restricted to access this record, even if he can access the class.
Actual behavior
normal select operation returns nothing, but LiveQuery returns the record.
Steps to reproduce
---------step 1--------------------------------------------------------------
create class box
alter class box superclass +ORestricted
//orientjs programm
db.liveQuery('LIVE SELECT FROM box') .on('live-create', function(data){ console.log("new record->",data.content); });---------step 2--------------------------------------------------------------
insert into box set title=''not-for-z2'
orientjs programm output:
D:\test>node livequery.js
user: z2 is listening...
new record-> { '@type': 'd',
'@Class': 'messageBox',
timestamp: Fri Mar 03 2017 18:17:42 GMT+0800 (中国标准时间),
title: ''not-for-z2',
_allow: [ { [String: '#5:0'] cluster: 5, position: 0 } ] }
---------step 3--------------------------------------------------------------
orientdb console output:
Connecting to database [remote:router.zhiguanyun.com/router] with user 'z2'...OK
orientdb {db=router}> select from box where title=''not-for-z2'
0 item(s) found. Query executed in 0.016 sec(s).
The text was updated successfully, but these errors were encountered: