```javascript
if (ctx.options.skipAccess) {
  debug('skipAccess: true - skipping access filters');
  return next();
}
// Do not filter if the request is being made against a single model instance.
if (_get(ctx.query, 'where.id')) {
  debug('looking up by Id - skipping access filters');
  return next();
}
```

These two access bypass mechanisms are undocumented and could expose data to unauthorised users.
- Document these bypass mechanisms.
- Allow users to disable these through configuration options.
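
One way the configuration suggested above could look, as an added example that is not the component's own code. The option names `allowSkipAccess` and `allowIdLookupBypass`, the function names and the deny-by-default values are assumptions; the example also limits the `where.id` shortcut to scalar ids.

```javascript
// Hypothetical option names; the component does not define them.
// Assumption: both bypasses are off unless explicitly enabled.
const DEFAULTS = { allowSkipAccess: false, allowIdLookupBypass: false };

// True only for a plain scalar id, not an operator object or array.
function isScalarId(value) {
  return (typeof value === 'string' && value.length > 0) ||
    (typeof value === 'number' && Number.isFinite(value));
}

// Decide whether the access filters may be skipped for this request.
// Returns {skip, reason} so every bypass decision can be logged and audited.
function accessFilterDecision(ctx, settings) {
  const opts = Object.assign({}, DEFAULTS, settings);
  const options = (ctx && ctx.options) || {};
  const where = (ctx && ctx.query && ctx.query.where) || {};

  // Bypass 1: the caller passed skipAccess in the operation options.
  if (options.skipAccess === true) {
    return opts.allowSkipAccess
      ? { skip: true, reason: 'skipAccess option' }
      : { skip: false, reason: 'skipAccess requested but disabled by config' };
  }

  // Bypass 2: the query filters on where.id.
  if (where.id !== undefined && where.id !== null) {
    if (!opts.allowIdLookupBypass) {
      return { skip: false, reason: 'id lookup bypass disabled by config' };
    }
    return isScalarId(where.id)
      ? { skip: true, reason: 'single instance lookup' }
      : { skip: false, reason: 'where.id is not a scalar id' };
  }

  return { skip: false, reason: 'no bypass condition matched' };
}

// Constructed sample contexts, for running the file directly.
const samples = [
  [{ options: { skipAccess: true }, query: {} }, {}],
  [{ options: {}, query: { where: { id: 42 } } }, { allowIdLookupBypass: true }],
  [{ options: {}, query: { where: { id: { inq: [1, 2] } } } }, { allowIdLookupBypass: true }],
];
for (const [ctx, settings] of samples) {
  console.log(JSON.stringify(ctx.query), accessFilterDecision(ctx, settings));
}
```

The returned `reason` string can be passed to the existing `debug` call so each skipped filter leaves a trace.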