Embedded view can create token

Ruben2 years ago

Hi,

I have just installed 5.6 and working well.
I have added a user with readonly rights for my embedded view.

But i can see that the readonly user can create a new token. Should that be right?

Anton Tananaev2 years ago

Yes, that's correct.

Ruben2 years ago

okay.

shouldn't expact that when it's a read-only user.

Thanks

Anton Tananaev2 years ago

Token is not stored anywhere, so readonly users can generate it.

Craig Ridera year ago

Seems strange that a guest user (via token) has permission to create new tokens while also being able to set their own expiry date.

I guess my next step is to find out how to revoke tokens, sounds difficult it they're not saved.

Paul M Ash7 months ago

I just checked this. If I create a token and it has an expiration date for three days out. Can the read only user generate a token that will work past that date?

Anton Tananaev7 months ago

It should be easy to check.