ACL to protect related model from anyone besides owner?

[johncpang]

I'm looking for a way to secure a related model. But I think I found a loopholes.

GET /pushIDs // ACL is deny for all, but everyone can create new records
GET /users/{id}/pushIDs // ACL is $owner can CRUD

In Explorer, it looks fine. I cannot access other's pushIDs from the above APIs, even I know the id of pushIDs records. However, I can get the pushIDs with this:

GET /users/{id}?filter={"include": "pushIDs"}

Is that a leak?

[johncpang]

discussed here: #960 (comment)

[proreact-mj]

Answered in other topic.
This is not a bug, but a configuration issue.

As per documentation in Accessing related models this is by design and you should take additional measures to secure you models and relations.

Specifically:
When accessing a related model, the active ACL is still the one for the model you are calling. So even if your model has DENY ALL permissions set, if the model relating to it has no ACL, then all the relation endpoints will be open. This can be a security risk because, for example, GET /OpenModel/{id}/ACLSecuredModel will allow full access to ACLSecuredModel through the OpenModel relations.

[kjdelisle]

@proreact-mj Thank you for your help with triage!
@johncpang If you still have concerns or disagree, feel free to reply to this issue with details.

[20B2]

I've extended User model to create Client model and set up relation to a "MyModel". I've asked a question at Stackoverflow. The issue I'm facing is, unauthorized users can access /Client/:id/myModels while the route /Client/:id/myModels/Count is unaccessible. I want the route /Client/:id/myModels to be unaccessible to the unauthorized users as well.