Response from storageList does not respect permissions!

Description

Calling nk.storageList(null, collection_name, 10) returns objects that should not be readable. Private objects are returned without a user ID, when only public objects should be returned.

Steps to Reproduce

  • Create various storage objects with permissionRead set to 0, 1, 2
  • Call nk.storageList(null, collection_name, 10)
  • Inspect the results and see that all objects are returned

Expected Result

Only objects that have public read permission or belong to the current user should be returned

Actual Result

I get a response like this:

[
    {
        "collection": "cards",
        "version": "2488e59d6392a3412a72e21d5c9b3d3f",
        "permissionWrite": 1,
        "createTime": 1693909271,
        "updateTime": 1693910430,
        "key": "6be82de6-2dd3-46da-8350-5f1040cd5b82",
        "permissionRead": 0,
        "value": {
            "text": "This card is only user 1"
        },
        "userId": "a4ff99bb-f481-46ef-ba22-1e78406e6473"
    },
    {
        "permissionRead": 0,
        "permissionWrite": 1,
        "createTime": 1693910254,
        "value": {
            "text": "This card is only user 2"
        },
        "userId": "b2da6a30-4bcc-4184-8e53-824d0302ebc1",
        "version": "db0efeee4f01f50c936994f39a761bda",
        "updateTime": 1693910414,
        "key": "baf11449-9e7c-4cff-b46e-5ddde1250523",
        "collection": "cards"
    },
    {
        "permissionRead": 2,
        "createTime": 1693910191,
        "updateTime": 1693910191,
        "key": "8a703ab0-45f2-434f-9403-3432d7399dbb",
        "collection": "cards",
        "userId": "a4ff99bb-f481-46ef-ba22-1e78406e6473",
        "version": "d230ffb0a87e7b70b7072d740ffc422e",
        "permissionWrite": 1,
        "value": {
            "text": "This is a public card"
        }
    }
]

Context

Using JS RPC functions that I added to nakama-project-template.

Your Environment

  • Server version: 3.16.0+27ba93d3 running in Docker

Update: based on the documentation for storageList, instead of null, I should pass in an empty string for the user ID. But I tried that as well, and ended up getting this error:

template_nk_backend   | {"level":"error","ts":"2023-09-07T14:49:05.948Z","caller":"server/runtime_javascript.go:551","msg":"JavaScript runtime function raised an uncaught exception","mode":"rpc","id":"get_cards","error":"TypeError: expects empty or valid user id at github.com/heroiclabs/nakama/v3/server.(*runtimeJavascriptNakamaModule).storageList.func1 (native)"}

Hello @dzso,

When the operation is called from the server runtime, the permissions are not applied because the server should be able to access all objects. The first param of nk.storageList is to filter the records by their owner or list all records in the collection (if empty string or null).

We will add an additional param called callerID to the function to specify whether to filter the results based on the permissions or assume the caller is the system user.

In the meantime you can filter the results that shouldn’t be returned with some custom logic.

Best
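
One way to write the custom filtering suggested in the reply above, as an added example (not code from this thread or from Nakama). It assumes Nakama's documented read-permission values (0 = no read, 1 = owner read, 2 = public read); `canRead`, `listReadable`, `fetchPage` and the sample pages are hypothetical names and constructed data, and in an RPC the caller ID would come from `ctx.userId`.

```javascript
// Added example, not Nakama's own code. Read-permission values as documented
// by Nakama: 0 = no read (server only), 1 = owner read, 2 = public read.
const PUBLIC_READ = 2;
const OWNER_READ = 1;

// True if `callerId` may read `obj`. Anything not explicitly allowed
// (permission 0, unknown value, missing caller) is denied.
function canRead(obj, callerId) {
  if (obj.permissionRead === PUBLIC_READ) return true;
  if (obj.permissionRead === OWNER_READ) {
    return Boolean(callerId) && obj.userId === callerId;
  }
  return false;
}

// Collects up to `limit` readable objects. `fetchPage(cursor)` is a
// hypothetical wrapper around the storage listing call and must return
// { objects: [...], cursor: string | undefined }. Filtering happens after
// listing, so pages are fetched until enough readable objects are found.
function listReadable(fetchPage, callerId, limit) {
  const readable = [];
  let cursor;
  do {
    const page = fetchPage(cursor);
    for (const obj of page.objects || []) {
      if (readable.length >= limit) return readable;
      if (canRead(obj, callerId)) readable.push(obj);
    }
    cursor = page.cursor;
  } while (cursor && readable.length < limit);
  return readable;
}

// Constructed sample pages, modeled on the response shown in the issue.
const USER_1 = "a4ff99bb-f481-46ef-ba22-1e78406e6473";
const USER_2 = "b2da6a30-4bcc-4184-8e53-824d0302ebc1";
const PAGES = {
  start: { cursor: "p2", objects: [
    { key: "k1", userId: USER_1, permissionRead: 0 },
    { key: "k2", userId: USER_2, permissionRead: 0 },
  ] },
  p2: { objects: [
    { key: "k3", userId: USER_1, permissionRead: 2 },
    { key: "k4", userId: USER_2, permissionRead: 1 }, // constructed owner-read card
  ] },
};
const fetchPage = (cursor) => PAGES[cursor || "start"];
```

Because filtering runs after the listing, a single page can yield fewer readable objects than requested, which is why the helper keeps paging until the limit is met or the cursor runs out.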