TYK GW: policy with empty "access_rights" gets full access


#1

Hi,

Can someone please confirm the bug described below and let me know if this is a known issue and whether we already have a fix for it?

Version: Tyk GW CE ver. 2.7.4 with file-based policy

Created a policy with contents similar to the one listed below. Notice that “access_rights” has zero permissions.
A user with such a policy appears to have full access to all deployed APIs.

When tested, I noticed tyk-gateway_stderr.log prints the line “Version not found” but still allows the request to go through instead of sending HTTP 403.

I checked the code in mw_granular_access.go; it looks to me that in the two places (https://github.com/TykTechnologies/tyk/blob/release-2.7/mw_granular_access.go#L25) and (https://github.com/TykTechnologies/tyk/blob/release-2.7/mw_granular_access.go#L31) we should be returning http.StatusForbidden instead of http.StatusOK.

I also confirmed that in the case where “access_rights” has some URLs and the one being accessed doesn’t match the ones defined in access_rights, HTTP 403 is returned, which is the correct behavior.

{
    "zeropolicy": {
        "_id": "",
        "id": "",
        "org_id": "1",
        "rate": 1000,
        "per": 60,
        "quota_max": -1,
        "quota_renewal_rate": 60,
        "hmac_enabled": false,
        "active": true,
        "is_inactive": false,
        "tags": [],
        "key_expires_in": -1,
        "partitions": {
            "quota": false,
            "rate_limit": false,
            "acl": false
        },
        "access_rights": {}
    }
}
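The post describes a fail-open access check: an entry missing from "access_rights" (or a version not found) is logged and the request is let through with 200, while only a URL that does not match an existing entry gets 403. The Go program below is an added illustration of that difference and is not Tyk's code; the types `Policy` and `APIAccess`, the two check functions and the sample API ID `orders-api` are constructed for the example, and it makes one modelling choice of its own: an entry with no URL patterns means no URL-level restriction.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// APIAccess is a simplified stand-in for one "access_rights" entry of a policy:
// the versions a key may use and the URL patterns (regular expressions) it may hit.
// Constructed for this example; not Tyk's own type.
type APIAccess struct {
	Versions    []string
	AllowedURLs []string
}

// Policy holds the per-API entries keyed by API ID.
type Policy struct {
	AccessRights map[string]APIAccess
}

// failOpenCheck models the behaviour reported in the post: a missing API entry or
// an unknown version is treated as "nothing to enforce" and the request proceeds.
func failOpenCheck(p Policy, apiID, version, path string) int {
	api, ok := p.AccessRights[apiID]
	if !ok {
		return http.StatusOK // bug: "no entry" becomes "no restriction"
	}
	if !contains(api.Versions, version) {
		return http.StatusOK // bug: "Version not found" is logged, request still passes
	}
	return urlCheck(api.AllowedURLs, path)
}

// failClosedCheck is the corrected form: anything not explicitly granted is denied.
func failClosedCheck(p Policy, apiID, version, path string) int {
	api, ok := p.AccessRights[apiID]
	if !ok {
		return http.StatusForbidden // empty or unrelated access_rights grants nothing
	}
	if !contains(api.Versions, version) {
		return http.StatusForbidden // version must be granted explicitly
	}
	return urlCheck(api.AllowedURLs, path)
}

// urlCheck is the branch the post reports as already correct: a listed API whose
// patterns do not match the requested path yields 403. Modelling choice for this
// example: an entry with no patterns imposes no URL-level restriction.
func urlCheck(allowed []string, path string) int {
	if len(allowed) == 0 {
		return http.StatusOK
	}
	for _, pattern := range allowed {
		if re, err := regexp.Compile(pattern); err == nil && re.MatchString(path) {
			return http.StatusOK
		}
	}
	return http.StatusForbidden
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	// Constructed policies: one like "zeropolicy" above, one with a scoped grant.
	empty := Policy{AccessRights: map[string]APIAccess{}}
	scoped := Policy{AccessRights: map[string]APIAccess{
		"orders-api": {Versions: []string{"v1"}, AllowedURLs: []string{`^/orders/[0-9]+$`}},
	}}
	fmt.Println(failOpenCheck(empty, "orders-api", "v1", "/orders/1"))    // 200: the reported bug
	fmt.Println(failClosedCheck(empty, "orders-api", "v1", "/orders/1"))  // 403
	fmt.Println(failClosedCheck(scoped, "orders-api", "v2", "/orders/1")) // 403: version not granted
	fmt.Println(failClosedCheck(scoped, "orders-api", "v1", "/orders/1")) // 200
	fmt.Println(failClosedCheck(scoped, "orders-api", "v1", "/admin"))    // 403: path not allowed
}
```

The useful regression check for a gateway is the first two lines of `main`: a key whose policy lists no APIs must be rejected on every API, not admitted on all of them.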