Scoped keys are allowing listing of all collections
lukaslau opened this issue · comments
Description
I created a scoped key which should only access collections which starts with "name_.*". When I call retrieve all collections method I get a collection named "test" in a result set.
Steps to reproduce
Created a key with this json:
{ "description": "Write key", "actions": [ "collections:*", "documents:*", "synonyms:*" ], "collections": [ "name_.*" ], "value": "3859c47b98b78a573a1a7b00071e2108" }
Made a request with that API key to get all collections
Response:
[ { "created_at": 1709418276, "default_sorting_field": "", "enable_nested_fields": false, "fields": [ { "facet": false, "index": true, "infix": false, "locale": "", "name": ".*", "optional": true, "sort": false, "type": "auto" } ], "name": "name_1", "num_documents": 0, "symbols_to_index": [], "token_separators": [] }, { "created_at": 1709415257, "default_sorting_field": "", "enable_nested_fields": false, "fields": [ { "facet": false, "index": true, "infix": false, "locale": "", "name": ".*", "optional": true, "sort": false, "type": "auto" } ], "name": "test", "num_documents": 0, "symbols_to_index": [], "token_separators": [] } ]
Expected Behavior
If you create a scoped key with defined collections name pattern you should not get collections not matching that pattern when calling "/collections" method to get all collections.
Actual Behavior
It works good if you try to get one collection by name but not when you try to get all collections.
Metadata
Typesense Version: latest
OS: debian
The collections:*
permission allows you to do collections:list
which is why you are able to list all collections.
Yes but if the key is scoped it should return collections from key's scope when listing all collections