Description
Summary
Two security issues reported by a community member:
- Disabling registration does not fully prevent account creation
- Users with the viewer role can still CRUD collections and content
Details
1. Registration disable setting may not take effect
The registration endpoints (POST /auth/register and POST /auth/register/form) do check isRegistrationEnabled(), but the auth validation cache is never cleared when the setting is updated. In admin-plugins.ts (around line 744), the cache-clearing code is commented out:
```ts
// TODO: Clear auth validation cache if updating core-auth plugin
// if (pluginId === 'core-auth') {
//   authValidationService.clearCache()
// }
```
This means toggling registration off in the admin UI may have no effect until the worker restarts.
2. Viewer role can CRUD content and collections
Multiple endpoints only use requireAuth() without requireRole(), allowing any authenticated user (including viewers) to perform write operations:
Content API (api-content-crud.ts):
- `POST /api/content` — no role check
- `PUT /api/content/:id` — no role check
- `DELETE /api/content/:id` — no role check
Admin collections routes (admin-collections.ts):
- `POST /admin/collections` — no role check
- `PUT /admin/collections/:id` — no role check
- `DELETE /admin/collections/:id` — no role check
- `POST /admin/collections/:id/fields` — no role check
The requireRole() middleware exists and works correctly (used in admin-api.ts), but it is not applied consistently across all write endpoints.
Recommended Fix
- Add `requireRole(['admin', 'editor'])` to all content write endpoints
- Add `requireRole(['admin'])` to collection schema modification endpoints
- Uncomment and implement the auth validation cache clearing in `admin-plugins.ts`
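As an added illustration (not the project's code, and not tied to its web framework): a framework-free model of `requireAuth()` and `requireRole()` over the routes named above, showing why `requireAuth()` alone lets a viewer write, plus an audit that lists every write route whose chain has no role check. The middleware signature, status codes and role names are assumptions for the example.

```typescript
// Added illustration (not the project's code): framework-free model of the
// report's finding. Role names and status codes are assumptions.
type Role = 'admin' | 'editor' | 'viewer';
type Method = 'GET' | 'POST' | 'PUT' | 'DELETE';
interface Ctx { user?: { id: string; role: Role } }
// A middleware either halts with a status or returns undefined to continue.
type Middleware = (ctx: Ctx) => { status: number } | undefined;
interface Route { method: Method; path: string; middleware: Middleware[] }

// requireAuth(): any signed-in user passes. On its own it is the weak setting.
export const requireAuth: Middleware = (ctx) => (ctx.user ? undefined : { status: 401 });

// requireRole(): the check the report says is missing on the write endpoints.
const roleChecked = new WeakSet<Middleware>(); // lets the audit recognise role checks
export function requireRole(roles: Role[]): Middleware {
  const mw: Middleware = (ctx) => {
    if (!ctx.user) return { status: 401 };
    return roles.includes(ctx.user.role) ? undefined : { status: 403 };
  };
  roleChecked.add(mw);
  return mw;
}

// Run the chain; return the first halting status, or 200 if the handler would run.
export function dispatch(route: Route, ctx: Ctx): number {
  for (const mw of route.middleware) {
    const halt = mw(ctx);
    if (halt) return halt.status;
  }
  return 200;
}

// Audit: every non-GET route whose chain contains no requireRole() (the bug's pattern).
export function writeRoutesWithoutRoleCheck(routes: Route[]): string[] {
  return routes
    .filter((r) => r.method !== 'GET' && !r.middleware.some((mw) => roleChecked.has(mw)))
    .map((r) => `${r.method} ${r.path}`);
}

// The write endpoints named in the report, registered with requireAuth() only...
const reported: [Method, string][] = [
  ['POST', '/api/content'], ['PUT', '/api/content/:id'], ['DELETE', '/api/content/:id'],
  ['POST', '/admin/collections'], ['PUT', '/admin/collections/:id'],
  ['DELETE', '/admin/collections/:id'], ['POST', '/admin/collections/:id/fields'],
];
export const asReported: Route[] = reported.map(([method, path]) => ({ method, path, middleware: [requireAuth] }));
// ...and the same routes with the recommended fix applied.
export const hardened: Route[] = asReported.map((r) => ({
  ...r,
  middleware: [requireAuth, requireRole(r.path.startsWith('/admin/collections') ? ['admin'] : ['admin', 'editor'])],
}));
```

Running the audit over a real route table at startup (or in CI) turns the "applied inconsistently" finding into a failing check rather than a manual review.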
Reported By
Community member via Discord.