Insufficient permission checks during subproperty filters of SELECT queries when an entity with retrieve permissions references one without
Summary
See new integration tests in linkahead-pyinttest@537c4c84. When a user is allowed to retrieve an entity that references another entity that is not visible to this user, information about the referenced entity is leaked when a SELECT query is used with subproperty filters.
-
SELECT invisble.name, invisble.property, invisible.otherInvisible.name FROM visible
even leaks property values.
Note, that the attribute names (e.g. "property" in the above example) need to beknown in order to exploit this.
Expected Behavior
The above queries should show empty results.
Actual Behavior
They show the results as if the user was allowed to see the invisible entities
Steps to Reproduce the Problem
See linkahead-pyinttest@537c4c84
Specifications
- Version: linkahead-server 0.12.0, linkahead 0.11.1 and 0.12.0
- Platform: any