Even when an API is restricted in the Publisher and Developer Portal (DevPortal) for users who do not have a specific role, users with the roles Internal/creator, Internal/subscriber, and Internal/publisher can still view the API in the DevPortal if they access the full URL of the API directly.
Steps to Reproduce
1. Create an API and Role:
   - Create an API through the Admin Portal.
   - Create a custom role without any permissions.
2. Restrict Access:
   - Restrict access to the API in both the Publisher Portal and the DevPortal for the custom role created above.
3. Create a Test User:
   - Create another user with the roles Internal/creator, Internal/subscriber, and Internal/publisher (but without the custom role mentioned above).
4. Verify Access Restriction:
   - Log in to the Publisher Portal and DevPortal with the test user. The API should not be visible.
5. Obtain the API URL:
   - Log in to the DevPortal as an Admin user and copy the API's URL.
6. Bypass Restriction:
   - Log in to the DevPortal as the test user created earlier.
   - In a new browser tab, enter the copied API URL directly.
   - You will be able to view the API, despite the restrictions.
Version
4.0.0
Environment Details (with versions)
No response
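The reported behaviour modelled as a regression check, added here as an example that is neither WSO2 code nor part of the issue. It assumes the listing filters on role while the lookup by identifier does not, which the report does not confirm as the root cause; `custom_role`, the API names and the ids are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Api:
    api_id: str
    name: str
    visible_roles: frozenset  # empty set means visible to everyone

# Constructed sample data: ids, names and custom_role are hypothetical.
CATALOG = {
    "api-1": Api("api-1", "PublicAPI", frozenset()),
    "api-2": Api("api-2", "RestrictedAPI", frozenset({"custom_role"})),
}
# Role set of the test user from the reproduction steps (no custom role).
TEST_USER = frozenset({"Internal/creator", "Internal/subscriber", "Internal/publisher"})
ALLOWED_USER = frozenset({"Internal/subscriber", "custom_role"})

def can_view(api, roles):
    """Single visibility decision that every code path should share."""
    return not api.visible_roles or bool(api.visible_roles & roles)

def list_apis(roles):
    """Listing view: filters by role, so restricted APIs are hidden."""
    return [a.api_id for a in CATALOG.values() if can_view(a, roles)]

def get_api_unchecked(api_id, roles):
    """Assumed flaw: lookup by identifier skips the visibility decision."""
    return CATALOG.get(api_id)

def get_api_checked(api_id, roles):
    """Hardened lookup: same decision as the listing; a denial looks like a miss."""
    api = CATALOG.get(api_id)
    return api if api is not None and can_view(api, roles) else None

def leaked_ids(getter, roles):
    """Invariant: every id a user can fetch directly must also be in their listing."""
    listed = set(list_apis(roles))
    return sorted(i for i in CATALOG if getter(i, roles) is not None and i not in listed)

if __name__ == "__main__":
    print("unchecked lookup leaks:", leaked_ids(get_api_unchecked, TEST_USER))
    print("checked lookup leaks:  ", leaked_ids(get_api_checked, TEST_USER))
```

Running `leaked_ids` over every role combination in a test suite catches any endpoint whose authorization drifts from the listing's.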