In an environment where a pre/post filter module is enabled (mod-aes, for example), APIs can be accessed without the required permission.
Steps to Reproduce:
- Set up an env with pre/post filter module enabled (mod-aes-0.0.4 for example)
- Create a user with limited permissions and get an x-okapi-token
- Use the above token to access APIs that require other permissions
- The first try will be denied with 403, but the following tries will succeed
Expected Results:
API is protected by permissions
Actual Results:
API permission protection is void
Disabling the token cache by setting token_cache_max_size to 0, or disabling the pre/post filter module, prevents this security issue.
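The symptom in the steps above (a 403 followed by successful calls with the same token on the same API) can be searched for in gateway access logs. The following is an added example, not code from the project: the log format, token identifiers and paths are constructed for illustration, and `find_denied_then_allowed` is a hypothetical helper.

```python
import re

# Constructed sample access log. Assumed (hypothetical) format:
# timestamp, token identifier, HTTP method, path, response status.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z tok=limited-user GET /orders 403
2024-01-01T10:00:02Z tok=limited-user GET /orders 200
2024-01-01T10:00:03Z tok=limited-user GET /orders 200
2024-01-01T10:00:05Z tok=admin-user GET /orders 200
2024-01-01T10:00:07Z tok=other-user GET /invoices 403
2024-01-01T10:00:09Z tok=other-user GET /invoices 403
2024-01-01T10:00:11Z tok=limited-user GET /users 200
"""

LINE = re.compile(r"^(\S+) tok=(\S+) (\S+) (\S+) (\d{3})$")


def find_denied_then_allowed(log_text):
    """Return one (token, method, path, denied_at, allowed_at) tuple for each
    token/method/path that was denied with 403 and later answered with 2xx."""
    first_denied = {}   # (token, method, path) -> timestamp of first 403
    reported = set()    # keys already reported, so each is listed once
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, token, method, path, status = m.groups()
        key = (token, method, path)
        code = int(status)
        if code == 403:
            first_denied.setdefault(key, ts)
        elif 200 <= code < 300 and key in first_denied and key not in reported:
            findings.append((*key, first_denied[key], ts))
            reported.add(key)
    return findings


if __name__ == "__main__":
    for finding in find_denied_then_allowed(SAMPLE_LOG):
        print("403 then success:", finding)
```

A permission that was legitimately granted between the two requests produces the same pattern, so each hit should be checked against permission-change records for that user.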