I’m sorry but I’m just not buying it. This is a huge security issue and I’m getting more and more convinced that Strapi doesn’t care about security at all. I’m an admin for a couple of facebook page, and youtube channels. I can add permissions for users to be able to do some things, but none of the creators, authors, or moderators will ever be able to create a super admin and remove me from my channels. Another great example is that the excel export plugin that is approved by Strapi. It’s not secured at all. It’s opened to public and if you know the api url you are able to just download the file. I do have doubts if I should still use Strapi as a CMS.
1 Like