Sunday, 31 October 2021
2 Replies · 211 Visits · 0 Votes

Hey! :)

I think I found a security issue with the database and the user control. 

In the settings the option 'Enable database encryption' is greyed out and disabled (see image). [image: TheocBase Settings DBEncryption]

This results in the SQLite database being freely readable with any DB viewer. I would like to encrypt the content of the database so that its content is safely secured and not freely editable.

The second thing is that my user role is set to 'publisher', so I'm not allowed to see or edit the personal information of the Brothers and Sisters, which is a good thing because my role does not allow it. But when I open the underlying database I'm still able to see all the personal information, and I can easily edit it. With this I can bypass the set permissions.

If someone unwanted were to get access to the local .sqlite database on my PC or mobile and it were not encrypted, there would be a data leak of personal information.

So, that brings me to my questions: How can I enable the database encryption for me personally? How can I do this for other users as well? And would it be possible to sync only the required data based on the set user permissions and not everything?

Thanks for your efforts! I'm looking forward to your reply.
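As an added example, not part of any post in this thread and not TheocBase's own code: a small Python check of the two points raised above, namely whether a local .sqlite file is stored in plaintext (every unencrypted SQLite 3 file begins with the header string "SQLite format 3") and which tables a DB viewer can then read regardless of the role configured in the application. The sample database, its table names and the opaque stand-in file are constructed here and assume nothing about TheocBase's real schema.

```python
import os
import sqlite3
import tempfile

# Every unencrypted SQLite 3 file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_plaintext_sqlite(path):
    """True if the file carries the plaintext SQLite header, i.e. any DB viewer
    can open it directly, whatever role the application would enforce."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def exposed_tables(path):
    """Tables a DB viewer would see in a plaintext file (empty list otherwise)."""
    if not is_plaintext_sqlite(path):
        return []
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        ).fetchall()
    finally:
        conn.close()
    return [name for (name,) in rows]


def make_sample_db():
    """Constructed sample (hypothetical schema): personal data next to a role table."""
    path = os.path.join(tempfile.mkdtemp(), "sample.sqlite")
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE persons (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
        conn.execute("CREATE TABLE user_roles (user TEXT, role TEXT)")
        conn.execute("INSERT INTO persons VALUES (1, 'Example Person', '+00 000 0000')")
        conn.execute("INSERT INTO user_roles VALUES ('publisher_account', 'publisher')")
    conn.close()
    return path


def make_opaque_file():
    """Constructed stand-in for an encrypted file: random bytes, no SQLite header."""
    path = os.path.join(tempfile.mkdtemp(), "opaque.sqlite")
    with open(path, "wb") as fh:
        fh.write(os.urandom(4096))
    return path
```

Run `is_plaintext_sqlite` against the real TheocBase file: a True result confirms the reporter's observation that the application's role check does not protect the data at rest.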

3 weeks ago · #8854 · 0 Votes

Hi Marc,

Thank you for your response. I'm looking forward to the fix :)

If in the meantime more information or help is required from my side please let me know.

1 month ago · #8811 · 0 Votes

Those are good points. I hadn't noticed the 'encrypt database' had gone grey. It is not down to your role, though. I am an admin, and I cannot set encryption either.

I have argued many times that setting a password is useless: as you point out, it does not prevent others from reading the database, which is the only reason you'd set the password in the first place. Only one thing ever happens when people set a password: they forget it. (Then, when the database is not encrypted, that is easily solvable ;-))

I'll notify one of the developers of your remarks. And an additional one: the Dropbox syncfile isn't encrypted. If (!) each could set a local encryption, this would only work if the info is being decrypted before being sent to Dropbox.


https://www.theocbase.net/support-forum/post/1097-donations.html

For accessing the database my personal preference is http://sqlitebrowser.org/

For editing templates I now use https://code.visualstudio.com/ 
