User bypasses the permission in Realtime Event

  • 0
  • Realtime
  • Cloud
Mosh Ontong
10 Jul, 2024, 13:38

Please read my thread

Developers are encountering unauthorized access because realtime events bypass permissions due to a lack of guard or middleware. The User property can be null if the user doesn't have permission. Ensure realtime events do not expose unauthorized information.
Mosh Ontong
10 Jul, 2024, 13:38

Observe the video

Mosh Ontong
10 Jul, 2024, 13:39

This is the model of thread:

import 'package:equatable/equatable.dart';

// User and ThreadParentType are defined elsewhere in the app.
class Thread extends Equatable {
  /// {@macro report_thread}
  const Thread({
    required this.id,
    required this.parentRef,
    required this.message,
    required this.createdAt,
    required this.attachIds,
    required this.parentType,
    this.author,
    this.hasChild = false,
    this.isChild = false,
  });

  /// From Json
  factory Thread.fromJson(Map<String, dynamic> json) {
    return Thread(
      id: json[r'$id'] as String,
      parentRef: json['parentRef'] as String,
      // Null when the current user lacks permission to read the author.
      author: json['author'] != null
          ? User.fromJson(
              json['author'] as Map<String, dynamic>,
            )
          : null,
      createdAt: DateTime.parse(json[r'$createdAt'] as String).toLocal(),
      message: json['message'] as String,
      hasChild: json['hasChild'] as bool,
      isChild: json['isChild'] as bool,
      parentType: ThreadParentType.fromString(
        json['parentType'] as String,
      ),
      attachIds: (json['attachIds'] as List)
          .map(
            (item) => item as String,
          )
          .toList(),
    );
  }

  /// ID of Report Thread
  final String id;

  /// Report ID reference
  final String parentRef;

  /// Author of Report Thread
  final User? author;

  /// Attachments of Report Thread
  final List<String> attachIds;

  /// Message of Report Thread
  final String message;

  /// Created At of Report Thread
  final DateTime createdAt;

  /// Indicate what type of parent this thread is
  final ThreadParentType parentType;

  /// Indicate that this thread is child or not
  final bool isChild;

  /// Indicate that this thread has child or not.
  final bool hasChild;

  /// Fields compared by Equatable
  @override
  List<Object?> get props => [
        id,
        parentRef,
        author,
        attachIds,
        message,
        createdAt,
        parentType,
        isChild,
        hasChild,
      ];
}
Mosh Ontong
10 Jul, 2024, 13:40

As you can see, the User property is a nullable data type. That is because the author can be null, since this user might not have the permission to read the user associated with this thread.

Mosh Ontong
10 Jul, 2024, 13:41

However, when there is a new realtime event, it bypasses the permission. He can see the Author, because the Realtime event itself provides the Author in the payload. It seems there is no guard or middleware on the realtime.

Mosh Ontong
10 Jul, 2024, 13:45
Mosh Ontong
10 Jul, 2024, 13:46

The Muslimin Ontong is provided by the Realtime Event, not from fetching documents.

Mosh Ontong
10 Jul, 2024, 13:47

When I fetch documents, it meets my expectation. The User author will be null since that user does not have the permission. I hope you guys understand what the goal of this problem is.

Mosh Ontong
10 Jul, 2024, 13:50

If you are curious how the Administrator is generated, then this is the flow:

Mosh Ontong
10 Jul, 2024, 13:50
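
A client-side way to handle the behaviour described in this thread, as an added example that is not part of the original posts and not Appwrite's own code: the realtime payload is used only to learn which document changed, and the model is built from a normal permission-checked fetch. The helper names, the `FetchDocument` callback and the sample data are assumptions made for illustration.

```dart
// Added example (not from the thread). All names here are hypothetical.
typedef Json = Map<String, dynamic>;

/// Permission-checked read, e.g. a wrapper around the SDK's document fetch.
typedef FetchDocument = Future<Json> Function(String documentId);

/// Keys whose value is present in the realtime payload but null or absent in
/// the fetched document, i.e. data only the realtime channel handed over.
List<String> fieldsExposedOnlyByRealtime(Json payload, Json fetched) => [
      for (final entry in payload.entries)
        if (entry.value != null && fetched[entry.key] == null) entry.key,
    ];

/// Uses the realtime payload only to learn which document changed, then
/// returns the copy obtained through the permission-checked read.
Future<Json> resolveThreadJson(Json payload, FetchDocument fetch) async {
  final id = payload[r'$id'];
  if (id is! String || id.isEmpty) {
    throw const FormatException(r'realtime payload has no $id');
  }
  final fetched = await fetch(id);
  final exposed = fieldsExposedOnlyByRealtime(payload, fetched);
  if (exposed.isNotEmpty) {
    // Evidence for a bug report; never render these values.
    print('realtime-only fields for $id: $exposed');
  }
  return fetched;
}

Future<void> main() async {
  // Constructed sample data: the event carries the author, the fetch does not.
  final Json event = {
    r'$id': 'thread-1',
    'message': 'hello',
    'author': {r'$id': 'user-9', 'name': 'Sample Author'},
  };
  Future<Json> fakeFetch(String id) async =>
      {r'$id': id, 'message': 'hello', 'author': null};

  // Build the Thread model from `safe`, not from `event`.
  final safe = await resolveThreadJson(event, fakeFetch);
  print(safe['author']);
}
```

This keeps what the UI shows consistent with document reads. The payload has still reached the client, so the permission gap itself has to be closed on the server side.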
