Hi,
Can someone please confirm the bug described below and let me know if this is a known issue and whether we already have a fix for it?
Version: Tyk GW CE ver. 2.7.4 with file-based policy
Created a policy with contents similar to the one listed below. Notice the "access_rights" has zero permissions.
A user with such a policy appears to have full access to all deployed APIs.
When tested, I noticed tyk-gateway_stderr.log prints the line “Version not found” but still allows the request to go through instead of sending HTTP 403.
I checked the code in mw_granular_access.go; it looks to me that in the two places (tyk/mw_granular_access.go at release-2.7 · TykTechnologies/tyk · GitHub) and (tyk/mw_granular_access.go at release-2.7 · TykTechnologies/tyk · GitHub) we should be returning http.StatusForbidden instead of http.StatusOK.
I also confirmed that in the case where “access_rights” has some URLs and the one being accessed doesn’t match the ones defined in access_rights, HTTP 403 is returned, which is the correct behavior.
{
  "zeropolicy": {
    "_id": "",
    "id": "",
    "org_id": "1",
    "rate": 1000,
    "per": 60,
    "quota_max": -1,
    "quota_renewal_rate": 60,
    "hmac_enabled": false,
    "active": true,
    "is_inactive": false,
    "tags": [],
    "key_expires_in": -1,
    "partitions": {
      "quota": false,
      "rate_limit": false,
      "acl": false
    },
    "access_rights": {}
  }
}
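The report above describes a fail-open check: when the lookup of the requested API/version in the policy's empty "access_rights" map fails, the gateway logs the miss but returns 200 instead of 403. The Go program below is an added illustration of that difference and is not Tyk's code; it models a simplified policy loader and two versions of the access check, one reproducing the reported behaviour and one that fails closed. The "access_rights" entry shape (api_id, versions), the "onlyv1" policy, the "orders" API id and the version names are constructed for the example; only "zeropolicy" with its empty "access_rights" comes from the post.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// accessSpec is the per-API entry in a policy's "access_rights" map.
// Field names are an assumption for this example, not taken from the post.
type accessSpec struct {
	APIID    string   `json:"api_id"`
	Versions []string `json:"versions"`
}

// policy keeps only the fields this example needs.
type policy struct {
	AccessRights map[string]accessSpec `json:"access_rights"`
}

// samplePolicies is a constructed file-based policy document: "zeropolicy"
// (empty access_rights, as in the post) plus a second policy granting v1 of
// a hypothetical "orders" API.
const samplePolicies = `{
  "zeropolicy": {"org_id": "1", "active": true, "access_rights": {}},
  "onlyv1": {"org_id": "1", "active": true,
             "access_rights": {"orders": {"api_id": "orders", "versions": ["v1"]}}}
}`

// loadPolicies parses a policy document keyed by policy name.
func loadPolicies(doc string) (map[string]policy, error) {
	var out map[string]policy
	if err := json.Unmarshal([]byte(doc), &out); err != nil {
		return nil, err
	}
	return out, nil
}

// versionGranted reports whether the policy explicitly lists apiID/version.
func versionGranted(p policy, apiID, version string) bool {
	spec, ok := p.AccessRights[apiID]
	if !ok {
		return false
	}
	for _, v := range spec.Versions {
		if v == version {
			return true
		}
	}
	return false
}

// checkAsReported mirrors the behaviour described in the post: an empty
// access_rights map makes the lookup miss, "Version not found" is logged,
// but the status returned is 200, so the request passes.
func checkAsReported(p policy, apiID, version string) int {
	if len(p.AccessRights) == 0 {
		fmt.Println("Version not found") // logged, yet the request is allowed
		return http.StatusOK              // fail-open: empty ACL acts as full access
	}
	if versionGranted(p, apiID, version) {
		return http.StatusOK
	}
	return http.StatusForbidden // non-empty ACL with no match: 403, as the post observed
}

// checkFailClosed is the behaviour the post argues for: any lookup miss,
// including an empty access_rights map, yields 403.
func checkFailClosed(p policy, apiID, version string) int {
	if versionGranted(p, apiID, version) {
		return http.StatusOK
	}
	return http.StatusForbidden
}

func main() {
	pols, err := loadPolicies(samplePolicies)
	if err != nil {
		panic(err)
	}
	for name, p := range pols {
		fmt.Printf("%-10s reported=%d fail-closed=%d\n", name,
			checkAsReported(p, "orders", "v1"), checkFailClosed(p, "orders", "v1"))
	}
}
```

Running it shows "zeropolicy" getting 200 under the reported logic and 403 under the fail-closed variant, while "onlyv1" gets 200 for v1 and 403 for any other version under both. The point for a policy author is that a key with an empty ACL should be treated as having no access, not unrestricted access, so that an omitted or mis-merged "access_rights" block cannot silently grant everything.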