We have an environment (not default) which nobody has access to, other than one admin account which we use for administration and deployment. Within this environment we have one PowerApp and one connection to our Azure SQL database, which the app uses.
The app is shared with all users in the organisation via an AAD group ("User", not "Co-owner" permissions), and they access it with a direct link from our intranet. The SQL connection is also shared with the entire organisation to allow the app to function (without sharing it users got an error when launching the app), but again as nobody has access to the environment that should be alright - they can't create their own apps and use this connection.
The problem comes when the download button and the PowerApps desktop app come in to play.
By clicking the download button and opening the app in the desktop client, I am then presented with an option to edit the app. This launches the web-based PowerApps studio in the scope of the environment. Bear in mind I have no permissions on this app other than as a user.
From here, I can then edit the app to my heart's content. What's the big deal? Well, I might have a gallery where I filter the items based on the current user. A user could remove this filter and see records belonging to their colleagues. If an app was for something sensitive then this could open up a whole world of issues.
Am I missing something here? This seems like a massive security hole and is quite baffling. Why can I, with lowly user permissions, get anywhere near the editor in the context of this environment?
Edited with in-line images
An update on this.
When I view the app in the list within the PowerApps desktop client the edit button is disabled, I expect due to the fact I do not have permissions on this environment or app to edit it.
But when I launch the app and then go in to "App commands" in the menu, the edit button is enabled.
This edit button being enabled is allowing me to edit the app in the context of an environment on which I have no permissions, and ultimately view data I should not be able to.
What resolutions are available for this? This has the potential to be a show-stopper after months of development.
I think the quickest solution to this would be to disable the download button either for my environment or for my tenancy - is this possible?
Have you tried going into the enviroment settings vthe "Canvas App" Security role of shared users in the enviroment so they can only read canvas apps?
IIRC all shared users are given the "Common Data Service" user security role. Within that role you can specify canvas app creation/read/write/edit permissions and by removing the "edit" portion of that, they should not be able to edit any canvas apps that come from that enviroment.
(Goto: https://admin.powerplatform.microsoft.com/environments/[[Your EnviromentGUID]]/settings -> Users + Permissions. Select the Common data user role -> goto the Customizations tab, and its found in there.)
The links and whatnot will still be there but it should throw an error when the editor tries and launch.
Let me know if that works.
I wonder if anyone could try and reproduce my situation and confirm/deny my findings? There is always the chance that I have implemented something incorrectly, but at the same time if I am correct then more weight behind it would help escalate this and create a more secure environment for everyone.
To clarify. The user you are logged in on the desktop version and the user that is logged in when you are editing the application are the same correct?
I ask because it seems the link that the desktop app creates when launching a browser window does not add any user context...so if you, say, hit the edit button as a user, and it opens the link using the credentials of your admin account, I can see this happening.
To test this, you might try opening the app in Incognito mode. Ensure you are only signed in as the USER and your ADMIN creds are not cached somewhere along the way.
Check out the on demand sessions that are available now!
Stay up tp date on the latest blogs and activities in the community News & Announcements.
Features releasing from October 2020 through March 2021