You can set an env variable to prevent other users registering into your appwrite dashboard
With email or IPs
Does it stop someone who is working in one organization from creating a new organization?
Seems like not
But please, don't try downgrading, it's very possible that you will crash everything in the process
Also, since that version it's very likely that they have implemented some security patches, so using an outdated version is not recommended
I have a solid backup and restore procedure. I've been using appwrite for years and know it inside and out.
Just haven't kept up with it lately .. but these types of security holes, unfortunately, would render the whole platform unusable for me.
But why are you sharing access to someone you don't trust?
Your dashboard should not be accessible in any way to anyone you can't trust from creating new projects, etc
To test a developer's skills it's common to give them a sample application to test on.
I do this quite a bit when hiring.
There's no way you can trust a stranger you have never met and are evaluating for the first time 100%.
It should be easy for me to create an environment for them that they can work in without worrying about them creating their own admin accounts in my system
it shouldn't even be an option IMHO
or there should be some sort of actual "admin"
So for that, it's better to use a separate Appwrite instance; having access, with or without roles, to the main Appwrite dashboard involves higher security risks, whether or not there's an "Admin"
Then I'm paying 10x hosting costs for something that should just be a toggle switch
Why 10x? Just have 1 for your main apps and another to test
When hiring, evaluation is usually done in large groups of different people.
Anyway, wait until someone from the Appwrite team takes a look into this and confirms that there's not any workaround or config
I see
Thanks for your feedback. It's appreciated
Btw this was kind of always the case even in 0.14.2. You just couldn't see the organization and every new project created a new organization.
And yes, every console user is the same. There is no super user.
I had a feeling it was probably like this back then too.. I was not having other people working in my projects in the same way at that time, but now my needs have changed.
Either way, this realization that there is no "admin" or "everyone's an admin" makes this an increasingly difficult system to maintain.
Hopefully more granular security will be thought into the system at some point.
It seems like the easiest path forward for me is to build a custom tool to monitor the database to make sure the users aren't creating hidden assets.
This could be solved easily on the software side if the system had an actual "admin" account responsible for administering the system.
You might want to 👍 these issues:
thanks, will do 🙂