GitLab: dmx-platform / dmx-platform / Issues / #384
Non-readable topic/assoc may become visible through client-sync

The Topicmaps module broadcasts addTopicToTopicmap/addAssocToTopicmap websocket messages to all connected clients. Thus a topic/assoc might become visible on a topicmap even if the user lacks READ permission.

This happens e.g. when private topics/assocs are revealed on a shared topicmap.

Fix: for every websocket connection, check whether the associated user has READ permission for the topic/assoc. Only send the message if so.
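An added illustration of that fix, not DMX platform code: the unfiltered broadcast from the issue next to a per-connection READ check. The workspace sharing model (`WORKSPACES`), `Topic`, `Connection` and the function names are constructed for this example and simplified (only "public" and "private" sharing).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified access model (assumption, not DMX's real ACL):
# a topic belongs to a workspace; "public" workspaces are readable by
# everyone, "private" ones only by their members.
WORKSPACES = {
    "team-ws": {"sharing": "private", "members": {"alice", "bob"}},
    "public-ws": {"sharing": "public", "members": set()},
}


@dataclass
class Topic:
    id: int
    workspace: str


@dataclass
class Connection:
    """One websocket connection and the user logged in on it (None = anonymous)."""
    username: Optional[str]
    sent: list = field(default_factory=list)

    def send(self, message):
        self.sent.append(message)


def has_read_permission(username, topic):
    ws = WORKSPACES[topic.workspace]
    if ws["sharing"] == "public":
        return True
    return username is not None and username in ws["members"]


def broadcast_all(connections, message):
    """Behaviour described in the issue: every connected client gets the message."""
    for conn in connections:
        conn.send(message)
    return [c.username for c in connections]


def broadcast_add_topic_to_topicmap(connections, topic, topicmap_id):
    """Fixed behaviour: check READ permission per connection before sending."""
    message = {"type": "addTopicToTopicmap", "topicmapId": topicmap_id, "topicId": topic.id}
    recipients = []
    for conn in connections:
        if has_read_permission(conn.username, topic):
            conn.send(message)
            recipients.append(conn.username)
    return recipients
```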

This is a follow-up of https://git.dmx.systems/dmx-intern/sprint-planning/-/issues/214#note_15396

Thank you @jpn for reporting!
@mukil FYI
