  • #5794
Closed
Open
Issue created Mar 19, 2018 by bmortier@bmortierMaintainer

ACL restrictions not applied when accessing through the JSONRPC API.

Description

Users who are only allowed to read data for users in a subdirectory can read all users in the directory, starting from the root.

Distribution Name and Version

Debian, Ubuntu and whatever runs demo.fusiondirectory.org

FusionDirectory Version

1.2, 1.2-fixes

PHP version used

Whatever runs demo.fusiondirectory.org

Origin of php packages

Whatever runs demo.fusiondirectory.org

Steps to Reproduce

  1. Give a user in a subdirectory access to read users in the same subdirectory.
  2. Confirm that the user can read data for users in their own subdirectory.
  3. Call the ls() method through the JSON-RPC API.
  4. FD returns data for all users in the directory.

Using a Python wrapper I'm working on, the steps are:

```python
import FusionDirectory  # the reporter's own wrapper module, not part of FusionDirectory itself

# Log in to the demo instance as the restricted user and list every user the API returns
fd = FusionDirectory.Directory('http://demo.fusiondirectory.org/fusiondirectory/jsonrpc.php', 'average-joe', '123456')
fd.logIn()
users = fd.listUsers()
for user in users:
    print(users[user]['dn'])
```

Expected behavior:

Only show data for users in the subdirectory to which access has been granted.

Actual behavior:

Data for all users in the directory are returned.
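As an added check, not part of the original report or of FusionDirectory's code: a small Python helper that takes the DNs returned by a scoped ls() call and flags any that lie outside the subtree the ACL grants, which is exactly the condition this issue describes. The base DN and the returned DNs are constructed sample values; extracting DNs from the actual ls() response is left to the caller, since the response format is not shown here.

```python
import re

# Constructed sample: the subtree the user's ACL covers, and the DNs a scoped
# ls() call handed back. Hypothetical names, not taken from demo.fusiondirectory.org.
GRANTED_BASE = "ou=branch,dc=example,dc=com"
RETURNED_DNS = [
    "uid=average-joe,ou=people,ou=branch,dc=example,dc=com",
    "uid=Jane, OU=People, OU=Branch, DC=Example, DC=com",    # same subtree, other case/spacing
    "cn=Doe\\, John,ou=people,ou=branch,dc=example,dc=com",  # escaped comma inside an RDN
    "uid=admin,ou=people,dc=example,dc=com",                  # above the grant: must be flagged
    "uid=bob,ou=people,ou=otherbranch,dc=example,dc=com",     # sibling subtree: must be flagged
]

# Split a DN on commas that are not escaped with a backslash (RFC 4514 escaping)
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Return a DN as a list of lowercased, whitespace-trimmed RDNs."""
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn)]


def dn_in_subtree(dn, base):
    """True if dn equals base or sits below it, compared RDN by RDN.

    A plain string endswith() check would be fooled by case, spacing and
    partial RDN matches, so the comparison is done on the RDN list.
    """
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def out_of_scope(dns, base):
    """Return every DN the ACL grant does not cover (expected: an empty list)."""
    return [dn for dn in dns if not dn_in_subtree(dn, base)]


if __name__ == "__main__":
    leaked = out_of_scope(RETURNED_DNS, GRANTED_BASE)
    if leaked:
        print("ACL scope NOT enforced; entries outside %s:" % GRANTED_BASE)
        for dn in leaked:
            print("  " + dn)
    else:
        print("All returned entries lie within %s" % GRANTED_BASE)
```

Run against a real instance, an empty result is the expected behaviour from the report; any listed DN is the bug reproduced.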

Reproduces how often: 100%

Additional Information

Added LDAP dump from demo.fusiondirectory.org: fullExport.ldif
