Skip to content
This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

Permissions for file management #143

Closed
marktani opened this issue Mar 20, 2017 · 9 comments
Closed

Permissions for file management #143

marktani opened this issue Mar 20, 2017 · 9 comments

Comments

@marktani
Copy link
Contributor

Currently everyone can upload/download files using the File API. However, the permissions on the file model should be respected.
@marktani marktani mentioned this issue Apr 11, 2017
Closed
@sedubois
Copy link

I understood the above description as meaning "everyone in the team can upload/download files".

But when testing I realised that currently any random user can tamper with files, which makes the feature rather fragile.

Would you have any ETA to have at least basic security? Thanks a lot and happy Easter!

@danmkent
Copy link

danmkent commented Sep 4, 2017

I think at least adding the ability to allow only authenticated users to upload files is really important.

As I understand it, right now anyone can upload files and we can't even guarantee who uploaded which file.

Even if more sophisticated permissions take longer to implement, it would be a good start to just have the option to restrict uploading to authenticated users and set an uploadedBy relationship on the File so we know who has uploaded what.

@steve-a-jones
Copy link

I agree @danmkent. This is a bit concerning and looking forward to an ETA on this feature. Even a partial release where Upload is at least restricted to authenticated users would be a plus :)

Liability issues can easily surface if there is malicious intent. Imagine having an s3 bucket open for anyone to upload to.. One could easily use your account to host their own files.

@kbrandwijk
Copy link
Contributor

kbrandwijk commented Sep 6, 2017
edited
Loading

Very easy, just require a valid Graphcool token for upload. The rest can come later. Now it's a Free For All file storage once you know a projectId, with possible billing issues, and some serious legal implications if anyone decides to upload illegal files to your storage.

My temporary solution. I created a webtask as my own proxy, that adds authentication (and encryption), and sets a field on my File Type, and I run a cron job that cleans up all File entries that don't have that special flag set. More details here: https://github.com/graphcool-examples/functions/blob/master/file-handling/file-proxy/auth-file-proxy/README.md

@freder
Copy link

freder commented Sep 8, 2017

I am slightly shocked this hasn't been implemented yet.

@maxdarque
Copy link

Are file permissions on the roadmap? If so what does the time frame look like?

@mbiqbal
Copy link

mbiqbal commented Oct 9, 2017

@marktani Any updates on this?

@russellr922
Copy link

@marktani same question as @mbiqbal

@maxdarque maxdarque mentioned this issue Dec 14, 2017
Closed
32 tasks
@marktani marktani mentioned this issue Jan 22, 2018
Open
@marktani
Copy link
Contributor Author

This issue has been moved to graphcool/graphcool-framework.

@snyk-bot snyk-bot mentioned this issue Feb 1, 2020
Open
This was referenced Sep 15, 2021
Open
Open
This was referenced Sep 28, 2021
Open
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@freder @kbrandwijk @schickling @marktani @mbiqbal @russellr922 @sedubois @steve-a-jones @danmkent @maxdarque