If I subscribe to any channel in realtime and then block the user. The user is unable interacting with the rest api, but is still able to retrieve RealtimeMessages and listen to realtime. For any document, bucket, file, etc. where the user has been granted permission.
Affects established connection when the user gets blocked and all the connection after the user gets blocked. The user is still able to listen to realtime events.
I think this is a serious security issue because the user is able to retrieve data eventho he is not supposed to.
I'm using Appwrite 1.5.2 selfhosted and appwrite 12.0.1 for flutter.
TL;DR
Developers reported that blocked users can still receive RealtimeMessages even though they are unable to interact with the rest API. The issue affects all connections after the block and poses a serious security concern. This issue has been observed on Appwrite 1.5.2 self-hosted and Appwrite 12.0.1 for Flutter.
