Hello I m not sure what the consequences of the following ar Prisma #prisma-whats-new

Hello, I’m not sure what the consequences of the f...

picosam

12/04/2017, 2:57 PM

Hello, I’m not sure what the consequences of the following are:

File uploads using the File API are not governed by the permissions on the
File
type. As such, everyone can upload files to your project.

Does this mean that one should really be very protective about one’s project alias for instance? I mean, if anyone knows what my service name or ID is, they can simply upload files without any control. No? I don’t have an issue with the downloads really, since the file secrets in my opinion should only be communicated to an authenticated user unless those files are public in the first place.

nilan

12/04/2017, 3:00 PM

that's correct. if that's a concern in your case, you can easily setup your own file integration including the desired authorization flows. check https://www.graph.cool/forum/t/possible-s3-integration/1013?u=nilan for some discussion on that matter

picosam

12/04/2017, 3:04 PM

Thank you. What about if I remove the

File

type (and so lose the File endpoint), are there other security concerns in knowing the service ID?

picosam

12/04/2017, 3:09 PM

Also, Nilan, on the Shared cluster, even with Pay as you go, it’s still not possible to secure the endpoint? Soren’s post isn’t fully clear on this.

nilan

12/04/2017, 3:20 PM

there are certainly other use cases, #graphql-gateway is the best place to discuss them at the moment 🙂

picosam

12/04/2017, 3:29 PM

Ok; just posted a question there. So what about the paid service possibility?

2 Views

Open in Slack

Previous Next