Posted to dev@usergrid.apache.org by Shaozhuang Liu <st...@apache.org> on 2014/06/09 17:22:52 UTC

security issue?

Hi guys,

By default, the logged-in user (of the app) has a ‘default’ role, and the role has permission to do anything (get,post,delete,put:/**),
which means, for example, that a user can delete other users. Is this expected, or is it a security issue?


-------------------------
Best Regards,

Strong Liu <stliu at hibernate.org>
http://about.me/stliu/bio


Re: security issue?

Posted by Todd Nine <to...@gmail.com>.
Hey Strong,
  This is intentional.  I'm not sure the documentation is up to par,
but the default apps are not production ready in terms of security
upon creation.  If that's not immediately clear, we should definitely
update the docs.  We purposefully leave them open so people can easily
play with the API, then lock it down with the security required in
their application later.



On Mon, Jun 9, 2014 at 8:22 AM, Shaozhuang Liu <st...@apache.org> wrote:
> Hi guys,
>
> By default, the logged-in user (of the app) has a ‘default’ role, and the role
> has permission to do anything (get,post,delete,put:/**),
> which means, for example, that a user can delete other users. Is this expected, or
> is it a security issue?
>
>
> -------------------------
> Best Regards,
>
> Strong Liu <stliu at hibernate.org>
> http://about.me/stliu/bio
>
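Added illustration for this thread (not code from the list or from Usergrid itself): a small evaluator for permission strings in the `ops:/path` form the thread quotes, contrasting the open default role with a constructed locked-down role that only lets a user read and update their own record. It assumes Ant-style wildcard matching (`*` within one path segment, `**` across any depth), which is what these patterns look like; the locked-down permission set is a made-up example, not a recommended Usergrid configuration.

```python
import re


def _path_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex.
    Assumption: '**' spans any number of segments, '*' stays within one."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_permission(perm):
    """'get,post,delete,put:/**' -> ({'get','post','delete','put'}, regex)"""
    ops, _, path = perm.partition(":")
    return {o.strip().lower() for o in ops.split(",")}, _path_regex(path)


def is_allowed(role_permissions, method, path):
    """True if any permission string of the role grants `method` on `path`."""
    method = method.lower()
    for perm in role_permissions:
        ops, rx = parse_permission(perm)
        if method in ops and rx.match(path):
            return True
    return False


# Constructed sample roles: the first mirrors the default quoted in the thread,
# the second is a hypothetical tightened version for a 'default' app role.
OPEN_DEFAULT_ROLE = ["get,post,delete,put:/**"]
LOCKED_DEFAULT_ROLE = ["get,put:/users/me", "get:/users/me/**", "get,post:/activities"]


def audit(role_permissions):
    """Return the sensitive (method, path) pairs that the role still permits."""
    checks = [("delete", "/users/other-user"),
              ("put", "/users/other-user"),
              ("delete", "/roles/default")]
    return [(m, p) for m, p in checks if is_allowed(role_permissions, m, p)]
```

Running `audit(OPEN_DEFAULT_ROLE)` reports every check as permitted, which is the behaviour the question describes, while `audit(LOCKED_DEFAULT_ROLE)` returns an empty list.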