Option to disable GET of /files endpoint #20908
metalmarco started this conversation in Feature Requests
Be aware that disabling the |
@metalmarco did you find a solution for this?
Summary
For security reasons, I think it would be a good idea to have an option to disable the GET request to the /files endpoint without specifying an explicit ID.
In this way only GET requests directed to a specific file would be allowed, but GET requests that could allow a user to list ALL the files in Directus storage will be disallowed.
Basic Example
GET <directus>/files --> 401
GET <directus>/files/<uuid> --> 200
Motivation
Making sure that files stored in Directus storage are safe from unauthorized access is very important.
The best solution from a security point of view, which is currently possible in Directus, is to define granular READ permissions on the directus_files collection so that they are based on every possible relation the specific file has within the entire datamodel.
But for non-critical applications, the "protection" granted by the UUID could be enough. A user will have to bruteforce UUIDs to get to a specific file.
However, if there is no way to block access to the GET requests addressed to the /files endpoint, any user can LIST all the files available in the storage.
Detailed Design
This could be addressed by an ENV variable which could disable the GET requests to a collection when no /<id> is specified.
Requirements List
Must Have:
/files endpoint without specifying an /<id> in the requests
Should Have:
Could Have:
Won't Have:
Drawbacks
No drawbacks, as long as the feature is disabled by default and well-documented.
If enabled, the Files view on the Directus App could be unusable.
Alternatives
The alternative is to set READ permissions based on every relation the directus_files collection has in the database. This could be a very long activity when files are related to dozens of tables.
Adoption Strategy
The solution would bring an extra layer of security.
I don't think it's a breaking change, but documentation should point out that, if the option is enabled, it could affect existing applications.
Unresolved Questions
No response
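The behaviour requested in the post above, as an added example that is not part of the original post and is not Directus code: an Express-style middleware that answers a bare GET /files with 401 and lets GET /files/<uuid> through. The listDisabled option and both function names are hypothetical, and the guard only looks at GET requests on the /files path.

```javascript
// Added example, not Directus code. `listDisabled` is a hypothetical option
// standing in for the ENV variable proposed in the post.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Classify a request as 'list' (bare GET /files), 'single' (GET /files/<uuid>)
// or 'other' (everything else, which this guard does not touch).
function classifyFilesRequest(method, rawUrl) {
  if (method.toUpperCase() !== 'GET') return 'other';
  // Drop the query string: GET /files?limit=-1 is still a listing.
  const path = rawUrl.split('?')[0];
  // Drop empty segments so a trailing or doubled slash cannot dodge the check.
  const segments = path.split('/').filter(Boolean);
  // Express matches route paths case-insensitively by default, so compare in lower case.
  if (segments.length === 0 || segments[0].toLowerCase() !== 'files') return 'other';
  if (segments.length === 1) return 'list';
  if (segments.length === 2 && UUID_RE.test(segments[1])) return 'single';
  return 'other';
}

// Express-style middleware: answer 401 to the listing, pass everything else on.
function filesListGuard({ listDisabled = false } = {}) {
  return function (req, res, next) {
    if (listDisabled && classifyFilesRequest(req.method, req.url) === 'list') {
      res.statusCode = 401;
      res.end();
      return;
    }
    next();
  };
}

// Constructed sample requests (the UUID is made up for this example).
const samples = [
  ['GET', '/files'],
  ['GET', '/files/?limit=-1'],
  ['GET', '/files/6f2d9c1e-3b4a-4c5d-8e9f-0a1b2c3d4e5f'],
  ['POST', '/files'],
];
for (const [method, url] of samples) {
  console.log(method, url, '->', classifyFilesRequest(method, url));
}
```

With listDisabled left at its default of false the middleware passes every request through, which matches the post's requirement that the feature be off unless enabled.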