I have noticed that end users seem to be able to access the details of resources, even if those end users are not admins and do not have 'edit' access turned on for apps or resources.
This can be accessed by the end used going to the 'search' function in the retool menu:
This seems like a MAJOR security flaw if this is the case.
Can someone from Retool please confirm if this is supposed to function like this?
Are you on self hosted or cloud?
The users can also access the resource by going to the resource’s url. Even though if they just of to .retool.com/resources it says they don’t have permission to view
I don't know if you want to add me to test it from an outside source or not but OK....
What plan are you on?
That is private information that I will not post here-- so I have DM it to you
Just a gentle reminder...
Is anyone available to comment on this issue? This seems like a MAJOR security flaw in Retool...
I don't think end users should be able to have access to detailed information on the resources.
@bg1900 Unable to reproduce this. Users without edit permissions on the resource get a 403 message when trying to access the Resource from the
Search in the Retool menu and also by going to the url directly. Are you still seeing this? If so, can you share the permissions set on the user's groups so I can replicate. Thanks.
Thanks for jumping in here.
Yes, still able to replicate it.
We can message off the forum if you like so I can send you photos of what I am seeing.
Just to update the topic here, this issue was resolved with a deploy on 12/5. Thanks for reporting and helping us get to the bottom of it!