
Realtime continues returning data while user is blocked

  • Self Hosted
  • Flutter
  • Realtime
Joshi
11 Mar, 2024, 20:33

If I subscribe to any channel in realtime and then block the user, the user is unable to interact with the REST API, but is still able to retrieve RealtimeMessages and listen to realtime, for any document, bucket, file, etc. where the user has been granted permission.

This affects established connections when the user gets blocked and all connections after the user gets blocked. The user is still able to listen to realtime events. I think this is a serious security issue because the user is able to retrieve data even though he is not supposed to.

I'm using Appwrite 1.5.2 self-hosted and appwrite 12.0.1 for Flutter.

TL;DR
Developers reported that blocked users can still receive RealtimeMessages even though they are unable to interact with the REST API. The issue affects connections that were already established when the user was blocked as well as all connections made after the block, and poses a serious security concern. It has been observed on Appwrite 1.5.2 self-hosted with Appwrite 12.0.1 for Flutter.