Insufficient permission checks in queries when a name of an invisible record is used in a filter where a visible record references the invisible one
Summary
See new integration tests in linkahead-pyinttest@537c4c84. When a user is allowed to retrieve an entity that references another entity that is not visible to this user, the name of the referenced entity is leaked via property-operator-value filters of the query.
- FIND visible WHICH HAS A invisibleRT=invisibleName leaks the name, especially in combination with LIKE.
This problem is specific to the "name" property, and it requires an accessible Record that references the inaccessible Record.
Expected Behavior
The above queries should show empty results.
Actual Behavior
They show the results as if the user were allowed to see the invisible entities.
Steps to Reproduce the Problem
See linkahead-pyinttest@537c4c84
Specifications
- Version: linkahead-server 0.12.0, linkahead 0.11.1 and 0.12.0
- Platform: any
Edited by Henrik tom Wörden
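
The following is an added illustration, not LinkAhead server code and not the linked integration tests: a toy in-memory model of the property-operator-value filter, showing the actual behavior next to the expected one. The names Entity, DB, matches, find and check_referenced, the sample name "secretSample", and the use of fnmatch to model LIKE with "*" wildcards are assumptions made for this sketch.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Entity:
    # Constructed toy model, not LinkAhead's data model.
    id: int
    name: str
    readers: set                               # users allowed to retrieve it
    refs: dict = field(default_factory=dict)   # property name -> referenced id


# Constructed sample data: "visible" references a Record that bob may not read.
DB = {
    1: Entity(1, "visible", {"alice", "bob"}, {"invisibleRT": 2}),
    2: Entity(2, "secretSample", {"alice"}),
}


def matches(name, op, value):
    # "=" is an exact comparison; LIKE is modelled with "*" wildcards.
    return name == value if op == "=" else fnmatchcase(name, value)


def find(user, what, prop, op, value, check_referenced):
    """Evaluate FIND <what> WHICH HAS A <prop> <op> <value> for <user>."""
    hits = []
    for ent in DB.values():
        if ent.name != what or user not in ent.readers or prop not in ent.refs:
            continue
        target = DB[ent.refs[prop]]
        # Expected behavior: a referenced entity the user may not retrieve
        # never satisfies a name comparison, so the result set cannot be
        # used to confirm or refute guesses about its name.
        if check_referenced and user not in target.readers:
            continue
        if matches(target.name, op, value):
            hits.append(ent.name)
    return hits


if __name__ == "__main__":
    for checked in (False, True):
        print(checked, find("bob", "visible", "invisibleRT", "LIKE", "sec*", checked))
```

With check_referenced=False the result set depends on the hidden name (the actual behavior reported above); with check_referenced=True the same queries return nothing for the restricted user while a permitted user still gets the match.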