Comments (3)
Misconfigured flows (and extensions) can definitely pose a security risk if permissions are not properly checked. The general rule of thumb is don't expose admin features to non-admin users unless you're certain the flow/extension is "safe" to do so.
The problem is that I believe most users will not realise that a manual flow is NOT restricted to admins (even though it's ONLY shown to admins in the app), but actually PUBLIC!
Basically I'm arguing that a large part of flows created are "misconfigured" security-wise without the creator realising.
from directus.
The platform philosophy of being agnostic to this type of configuration is supported by the inclusion of $trigger.accountability on manually fired flows:
This way, it's up to the author of the flow to implement as much or as little security as they want.
You can also enable/restrict visibility of specific flows within the app by changing a role's read permissions to the ids within directus_flows.
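To make the "it's up to the author of the flow" point concrete, here is an added example (not code from the thread or from the Directus project) of the deny-by-default check a flow author could put in a Run Script operation placed first in a manually triggered flow. It assumes the manual-trigger payload carries `$trigger.accountability` with `user`, `role` and `admin` fields, which is how the Directus accountability object is shaped in my understanding; the role id in the allow-list and the sample payloads are constructed placeholders.

```javascript
// Added example, not from the thread: a guard for the first operation of a
// manually triggered Directus flow. It refuses to continue unless the caller
// is an admin or holds an explicitly allow-listed role.
// ASSUMPTION: $trigger.accountability looks like { user, role, admin, app };
// verify this against your Directus version before relying on it.

// Hypothetical allow-list of role ids that may run this flow besides admins.
const ALLOWED_ROLE_IDS = new Set([
  "00000000-0000-0000-0000-000000000001", // constructed placeholder role id
]);

/**
 * Decide whether a manual-trigger payload may proceed.
 * Returns { allowed, reason } so the verdict can be logged or thrown on.
 */
function evaluateTriggerAccess(trigger, allowedRoles = ALLOWED_ROLE_IDS) {
  const acc = trigger && trigger.accountability;
  // Deny by default: no accountability object means an unknown caller.
  if (!acc || typeof acc !== "object") {
    return { allowed: false, reason: "no accountability on trigger" };
  }
  // Public (unauthenticated) callers carry no user id.
  if (!acc.user) {
    return { allowed: false, reason: "public/unauthenticated caller" };
  }
  if (acc.admin === true) {
    return { allowed: true, reason: "admin" };
  }
  if (acc.role && allowedRoles.has(acc.role)) {
    return { allowed: true, reason: `allow-listed role ${acc.role}` };
  }
  return { allowed: false, reason: `role ${acc.role} not allow-listed` };
}

// Body a Run Script operation would hold: throwing aborts the flow, so the
// refusal shows up in the flow log instead of the admin work running silently.
async function runScriptGuard(data) {
  const verdict = evaluateTriggerAccess(data.$trigger);
  if (!verdict.allowed) {
    throw new Error(`Flow refused: ${verdict.reason}`);
  }
  return verdict; // handed to the next operation as $last
}

// Constructed sample payloads imitating a manual trigger from three callers.
const SAMPLE_ADMIN = {
  $trigger: { accountability: { user: "u-1", role: "r-admin", admin: true, app: true } },
};
const SAMPLE_PUBLIC = {
  $trigger: { accountability: { user: null, role: null, admin: false, app: false } },
};
const SAMPLE_EDITOR = {
  $trigger: { accountability: { user: "u-2", role: "r-editor", admin: false, app: true } },
};

// Stand-alone run: prints one verdict per sample caller.
for (const [name, payload] of Object.entries({ SAMPLE_ADMIN, SAMPLE_PUBLIC, SAMPLE_EDITOR })) {
  console.log(name, evaluateTriggerAccess(payload.$trigger));
}
```

Inside Directus the `runScriptGuard` body would be exported as the operation's function (`module.exports = async function (data) { ... }`) and every later operation keyed off its success; the check lives in the flow itself, which is the only place the thread says it is guaranteed to run, regardless of whether the flow is visible in the app.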