Some Permissions checks in webservice not working
Description
I tried to call the _isUserLocked() method of the webservice with an api-user with manager rights on itself. I receive an error "You have no permission to view the object", while in the web UI I can access the status information with this user.
Method calls succeed when an admin account is used.
Distribution Name and Version
Debian Stretch 9.3
FusionDirectory Version
1.0.19-1 (I think it also affects newer versions)
Plugin with the defect
webservice
PHP version used
7.0+49 (Debian stretch)
Origin of php packages
Debian stretch
Steps to Reproduce
- Install fusiondirectory with plugin webservice
- Create a user for the api, e.g. api-user
- Give role 'manager' to api-user
- With a JSON-RPC Client log in at the webservice with account api-user
- Via JSON-RPC call the method isUserLocked
- Get an error
Expected behavior:
Get a JSON object with
{'id': 1, 'error': None, 'result': {'uid=api-user,ou=people,dc=example': 0}}
Actual behavior:
I receive a JSON object with an error:
{'id': 1, 'error': None, 'result': {'errors': ['You have no permission to view the object:<br><ul><li>\n<i>uid=api-user,ou=people,dc=example</i></li></ul>']}}
Reproduces how often: 100% (~ 10/10)
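Added example, not part of the original bug report and not FusionDirectory's own client code: a minimal JSON-RPC client that reproduces the isUserLocked call above and classifies the reply. The point it demonstrates is the shape of the two replies quoted in this report: the ACL failure arrives inside result as an errors list while the JSON-RPC error field stays null, so a client that only inspects error would treat the denial as success. The endpoint path /jsonrpc.php, the login(ldap, user, password) method returning a session id, and the session id being the first positional parameter of isUserLocked are assumptions taken from my reading of the webservice documentation, not from this report; verify them against your installed version.

```python
"""Reproduce the isUserLocked call and inspect the reply (added example)."""
import json
import re
import urllib.request

# The two replies quoted in the bug report, re-encoded as JSON-RPC dicts.
EXPECTED_REPLY = {
    "id": 1,
    "error": None,
    "result": {"uid=api-user,ou=people,dc=example": 0},
}
ACTUAL_REPLY = {
    "id": 1,
    "error": None,
    "result": {
        "errors": [
            "You have no permission to view the object:<br><ul><li>\n"
            "<i>uid=api-user,ou=people,dc=example</i></li></ul>"
        ]
    },
}


def build_request(method, params, req_id=1):
    """Serialise a JSON-RPC request in the {id, method, params} form."""
    return json.dumps({"id": req_id, "method": method, "params": params}).encode()


def parse_lock_reply(reply):
    """Classify a reply to isUserLocked.

    Returns a dict with ``ok`` (bool), ``locked`` (dn -> lock flag as returned)
    and ``errors`` (plain-text messages, HTML markup stripped). ACL denials are
    reported inside ``result["errors"]`` with ``error`` still null, so both
    locations are checked.
    """
    if reply.get("error") is not None:
        return {"ok": False, "locked": {}, "errors": [str(reply["error"])]}
    result = reply.get("result") or {}
    if isinstance(result, dict) and "errors" in result:
        plain = [" ".join(re.sub(r"<[^>]+>", " ", m).split()) for m in result["errors"]]
        return {"ok": False, "locked": {}, "errors": plain}
    return {"ok": True, "locked": dict(result), "errors": []}


def rpc_call(url, method, params):
    """POST one JSON-RPC request and return the decoded reply (network I/O)."""
    req = urllib.request.Request(
        url, data=build_request(method, params),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def is_user_locked(url, ldap, user, password, dns):
    """Log in, call isUserLocked for ``dns`` and classify the reply.

    Assumed call shapes (not from the report): login(ldap, user, password)
    returns a session id; isUserLocked(sid, dns) takes that id first.
    """
    sid = rpc_call(url, "login", [ldap, user, password])["result"]
    return parse_lock_reply(rpc_call(url, "isUserLocked", [sid, dns]))


if __name__ == "__main__":
    # Offline demonstration on the two replies quoted in the report.
    for label, reply in (("expected", EXPECTED_REPLY), ("actual", ACTUAL_REPLY)):
        print(label, parse_lock_reply(reply))
    # Live reproduction (placeholder URL and credentials, adjust to your setup):
    # print(is_user_locked("https://fd.example/jsonrpc.php", "default",
    #                      "api-user", "SECRET", ["uid=api-user,ou=people,dc=example"]))
```

When reproducing, compare the classified output of the manager-role run with the admin run: only the ok flag should differ if the report's ACL diagnosis is right.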
Additional Information
As MCMic_w pointed out via IRC, the reason for this issue may be a wrong / old call to $ui->getpermissions($dn, 'user/password') in the method _isUserLocked; [he thinks] this dates from when password was handled by a separate class, which is not the case anymore. Instead, he says, the ACL check should be $ui->get_permissions($dn, 'user/user', 'userLock').
The permission check against 'user/password' is used in the methods _lockUser, _isUserLocked and _recoveryGenToken.
I did not find a reference for how the attributes given to $ui->getpermissions() translate; if someone could point me to a reference, I'm willing to test / try and build a patch.