Describe the bug
The dashboard is not limited to the data of the user being logged in. Dashboard shows overall data (data protection issue).
To Reproduce
Steps to reproduce the behavior:
- Set an IAM policy for a user or a role like
{ "action": "read", "subject": "dashboard", "conditions": { "ingestionSource.userId": "${user.id}" } }
- Log in as the user and check the dashboard
- The user can see all ingests, all top senders of all ingested accounts
Expected behavior
A user should not see the details of all users in the system. Any info on the dashboard should be limited to the user (unless the user is an admin).
Screenshots
System:
- Open Archiver Version: 0.5.0
- Docker installation
- Debian 13
Relevant logs:
Additional context
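The expected behavior described in this report, sketched as an added example (not Open Archiver code): the `conditions` of the policy statement are resolved against the logged-in user and applied as a filter before any dashboard aggregate is computed. The data model, field names other than those in the policy above, and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and data model, not Open Archiver's implementation.
// Policy statement from the report; the condition references the logged-in user.
const policy = [{
  action: 'read',
  subject: 'dashboard',
  conditions: { 'ingestionSource.userId': '${user.id}' },
}];

// Constructed sample data: two users, three ingestion sources.
const ingestionSources = [
  { id: 's1', userId: 'u1', archivedEmails: 120, topSender: 'a@example.test' },
  { id: 's2', userId: 'u2', archivedEmails: 300, topSender: 'b@example.test' },
  { id: 's3', userId: 'u1', archivedEmails: 30, topSender: 'c@example.test' },
];
const PREFIX = 'ingestionSource.';

// Replace ${user.<field>} placeholders; an unresolved placeholder throws (fail closed).
function resolveValue(value, user) {
  if (typeof value !== 'string') return value;
  return value.replace(/\$\{user\.(\w+)\}/g, (_, field) => {
    if (user[field] === undefined) throw new Error(`unresolved placeholder user.${field}`);
    return String(user[field]);
  });
}

// Resolved condition sets that grant (action, subject); null means nothing grants it.
function matchingConditions(statements, user, action, subject) {
  const hits = statements.filter((s) => s.action === action && s.subject === subject);
  if (hits.length === 0) return null;
  return hits.map((s) => Object.fromEntries(
    Object.entries(s.conditions || {}).map(([k, v]) => [k, resolveValue(v, user)])));
}

// Aggregate only over sources that satisfy at least one granted condition set.
// A statement without conditions (e.g. an admin role) matches every source;
// a condition key this filter does not understand matches none.
function dashboardStats(statements, user, sources) {
  const granted = matchingConditions(statements, user, 'read', 'dashboard');
  if (granted === null) return { sources: 0, archivedEmails: 0, topSenders: [] };
  const visible = sources.filter((src) => granted.some((cond) =>
    Object.entries(cond).every(([key, want]) =>
      key.startsWith(PREFIX) && String(src[key.slice(PREFIX.length)]) === String(want))));
  return {
    sources: visible.length,
    archivedEmails: visible.reduce((n, s) => n + s.archivedEmails, 0),
    topSenders: visible.map((s) => s.topSender),
  };
}
```

With the sample data, user `u1` gets totals for `s1` and `s3` only, while a statement with no `conditions` still yields the system-wide view.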