Security: arbitrary users able to edit table queries

Description

Hi,

We are using Play SQL Base to embed simple SQL query results in Confluence pages. The database contains sensitive information, so we do not want all Confluence users to have SQL query permissions.

The space administrator has defined a datasource and written a query in a Table.

Now I log out, and log back in as an unprivileged user, who is not the space administrator.

  • The 'Tables' menu item for the space is visible.

  • Under 'Queries', if I click 'Create new...', I get an error: "User ... must have CRUD permission for the space '...'"
    . This is good.

  • Under 'Queries', if I click the existing query, I can edit it! This is bad. An unprivileged user can rewrite the SQL to anything they want.

I suggest that editing existing queries needs to be protected with the CRUD permission, just like new queries.

Environment

None

Observations

None

Assignee

Adrien Ragot (Play SQL / Requirement Yogi)

Reporter

Jeff Turner (Red Radish Consulting)

Labels

None

Participants

None

Components

Priority

Matter of weeks
Configure