Forum Discussion

Adept

9 years ago

LiQL injection attacks and quotes in Rest API 2.0

I am sorry if this subject has already been covered, but I have searched forums, knowledge bases and Google for any answers and have come up empty handed. I am wondering how LiQL is protected aga...

FaisalK

Lithium Alumni (Retired)

Another excellent point. You are correct again, OR true=true might return everything but only to the extent what the user's permissions should allow them to see. Nothing more, nothing less. By design and by default, the user is able to interact with the API and get exactly the same information he or she is allowed to see via the GUI.

In other words, your design choices should not try to override what information is presented to the user solely on constructing a LiQL query.

hattesen

Adept

9 years ago

What about restadmin calls made on behalf of a user? Wouldn't that return data that the user would not be able to obtain via calls to the API?

Forum Discussion

LiQL injection attacks and quotes in Rest API 2.0

Related Content

Injecting a Js code after page load

Aurora: About the "Boards" set of permissions

Aurora: About the "Categories" set of permissions

Way to distinguish "sender" vs "receiver" in threaded private messages (version 3.1)

Search on the API using "first name"

Recent Discussions

How to fetch all labels associated with TkbArticlePage and count how many times each label is used

In Aurora, add additional <script> and <meta> tags

Setup content filter for arabic language

24.10 API change breaks navigation

How to create/subscribe the Webhook in Aurora