If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Author Role can see the list of associated items they did not create. They should only see their own items that they created, not all items ever created.
Summary Field level permissions not being respected in relationship title. If I have a relationship title and the relationship shows a field I don't have permission to see I will still be visible. Details No RBAC checks on on the relationship the relation endpoint returns PoC Setup Create a fresh strapi instance Create a new content type in the newly created content type add a relation to the users-permissions user. …
Attackers can get access to user reset password tokens if they have the configure view permissions.