Hi
This is a security issue when Soft Deleted entities are in effect for the entire application:
1. Set up a couple of roles: one that denies everything (Denying), and one that has only Read permission for an entity (for example I tried with the sec$Permission one) and has the permission to show the Restore Deleted Entities screen.
2. Assign the aforementioned roles to a user.
3. Edit the role adding a permission, saving it and then deleting that permission (just to have a permission record with deleteTs set).
4. Log in with the user created in point 2).
5. Open the Restore Deleted Entities screen and select the sec$Permission entity. You’ll see the permission deleted at point 3).
6. Select the deleted permission, and click Restore. The record will be updated (undeleted) even if the user DOES NOT have update permission on the sec$Permission entity.
It seems that the permission check does not prevent updating the system attributes deleteTs, deletedBy, updateTs and updatedBy.
I wanted to give a power user the ability to restore deleted entities, but given the above problem I cannot trust that screen, it’s a potential security breach.
Maybe I’ll extend or replace the screen by filtering out entities that are not part of the application namespace, but nonetheless it surprises me that the user can effectively update the state of read-only entities…
Thanks,
Paolo
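The post's core point is that restoring a soft-deleted record is an update of that record, so the restore path should be gated by the same UPDATE permission as any other write to the entity, and optionally restricted to the application's own entity namespace as the author proposes. The following is an added, self-contained Java illustration of that guard; it is not CUBA Platform code and does not use the platform's APIs. The `Permissions`, `RestoreGuard` and `Record` classes, the `"app$"` namespace prefix and the sample permission sets are all assumptions made for the example.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

// Added illustration (not CUBA Platform code). Models the check the post argues
// is missing: undeleting a soft-deleted record rewrites its system attributes
// (deleteTs, deletedBy, updateTs, updatedBy), so it must require UPDATE
// permission on the entity type. A namespace filter is added as a second,
// coarser line of defence, following the post's own mitigation idea.
public class RestoreGuardExample {

    enum EntityOp { READ, CREATE, UPDATE, DELETE }

    // Minimal soft-deletable record; the four fields below are the system attributes.
    static final class Record {
        final String metaClass;   // e.g. "sec$Permission" or "app$Order" (constructed names)
        final String id;
        Instant deleteTs;
        String deletedBy;
        Instant updateTs;
        String updatedBy;
        Record(String metaClass, String id) { this.metaClass = metaClass; this.id = id; }
        boolean isDeleted() { return deleteTs != null; }
    }

    // A user's effective entity permissions: metaClass -> granted operations.
    // Anything not explicitly granted is denied, like the post's "Denying" role.
    static final class Permissions {
        private final Map<String, EnumSet<EntityOp>> granted = new HashMap<>();
        Permissions grant(String metaClass, EntityOp... ops) {
            granted.computeIfAbsent(metaClass, k -> EnumSet.noneOf(EntityOp.class))
                   .addAll(Arrays.asList(ops));
            return this;
        }
        boolean isPermitted(String metaClass, EntityOp op) {
            return granted.getOrDefault(metaClass, EnumSet.noneOf(EntityOp.class)).contains(op);
        }
    }

    static final class RestoreDeniedException extends RuntimeException {
        RestoreDeniedException(String msg) { super(msg); }
    }

    // The guard that a restore screen or service would call before undeleting.
    static final class RestoreGuard {
        private final Permissions perms;
        private final String allowedNamespace; // hypothetical: only entities with this prefix may be restored

        RestoreGuard(Permissions perms, String allowedNamespace) {
            this.perms = perms;
            this.allowedNamespace = allowedNamespace;
        }

        // Undeletes the record in place and returns it; throws if the caller may not update it.
        Record restore(Record r, String actingUser) {
            // Restore is a write, so check UPDATE, not READ or "can open the screen".
            if (!perms.isPermitted(r.metaClass, EntityOp.UPDATE)) {
                throw new RestoreDeniedException("no UPDATE permission on " + r.metaClass);
            }
            // Coarse filter: keep system/security entities out of the restore screen entirely.
            if (!r.metaClass.startsWith(allowedNamespace)) {
                throw new RestoreDeniedException(r.metaClass + " is outside namespace " + allowedNamespace);
            }
            if (!r.isDeleted()) {
                return r; // nothing to do
            }
            r.deleteTs = null;
            r.deletedBy = null;
            r.updateTs = Instant.now();   // the restore is itself an update, record who did it
            r.updatedBy = actingUser;
            return r;
        }
    }

    public static void main(String[] args) {
        // Constructed permission set: read-only on the security entity, read+update on an app entity.
        Permissions powerUser = new Permissions()
            .grant("sec$Permission", EntityOp.READ)
            .grant("app$Order", EntityOp.READ, EntityOp.UPDATE);
        RestoreGuard guard = new RestoreGuard(powerUser, "app$");

        Record perm = new Record("sec$Permission", "p1");
        perm.deleteTs = Instant.now(); perm.deletedBy = "admin";
        Record order = new Record("app$Order", "o1");
        order.deleteTs = Instant.now(); order.deletedBy = "admin";

        try {
            guard.restore(perm, "poweruser");
        } catch (RestoreDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        Record restored = guard.restore(order, "poweruser");
        System.out.println("app$Order restored, deleted=" + restored.isDeleted()
                + ", updatedBy=" + restored.updatedBy);
    }
}
```

The order of the two checks matters only for the error message; both must pass. The permission check is the essential one, since it makes the restore path consistent with every other write to the entity, while the namespace filter is a defence in depth that keeps security and other system entities out of a screen meant for application data.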