fix: improve security by deprecating creating users with public access by default (#7319)

2021-10-08 14:24:20 +11:00
parent 2b5bf2261b
commit 484c2e81ca
10 changed files with 86 additions and 28 deletions
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -1408,7 +1408,9 @@ RestWrite.prototype.runDatabaseOperation = function () {
      // default public r/w ACL
      if (!ACL) {
        ACL = {};
-        ACL['*'] = { read: true, write: false };
+        if (!this.config.enforcePrivateUsers) {
+          ACL['*'] = { read: true, write: false };
+        }
      }
      // make sure the user is not locked down
      ACL[this.data.objectId] = { read: true, write: true };