ACL restrictions not applied when accessing through the JSONRPC API.
Description
Users who are only allowed to read data for users in a subdirectory can read all users in the directory, starting from the root.
Distribution Name and Version
Debian, Ubuntu and whatever runs demo.fusiondirectory.org
FusionDirectory Version
1.2, 1.2-fixes
PHP version used
Whatever runs demo.fusiondirectory.org
Origin of php packages
Whatever runs demo.fusiondirectory.org
Steps to Reproduce
- Give a user in a subdirectory access to read users in the same subdirectory.
- Confirm that user can read data for users in own subdirectory.
- Call method ls() using the JSONRPC.
- FD returns data for all users in the directory.
Using a Python wrapper I'm working on, the steps are:

    # 'FusionDirectory' is the reporter's own wrapper module; login details are the demo credentials
    import FusionDirectory
    fd = FusionDirectory.Directory('http://demo.fusiondirectory.org/fusiondirectory/jsonrpc.php', 'average-joe', '123456')
    fd.logIn()
    users = fd.listUsers()
    for user in users:
        print(users[user]['dn'])
Expected behavior:
Only show data for users in the subdirectory to which access has been granted.
Actual behavior:
Data for all users in the directory are returned.
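A scope check for the ls() result, added here as an example and not part of the original report or of the reporter's wrapper: it takes a dictionary of entries in the same shape as the wrapper's listUsers() output (constructed sample data below, with assumed DNs), and lists every DN that falls outside the subtree the user was granted. Once the ACL is enforced on the JSON-RPC path, the leaked list must be empty.

```python
import json

def normalize_dn(dn):
    # Split a DN into RDN components, ignoring case and whitespace around commas.
    # A backslash-escaped comma stays inside its value instead of splitting it.
    parts, cur, i = [], '', 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ',':
            parts.append(cur.strip().lower())
            cur = ''
        else:
            cur += ch
        i += 1
    parts.append(cur.strip().lower())
    return parts

def dn_in_subtree(dn, base):
    # True when dn is base itself or an entry somewhere beneath it (component-wise suffix match).
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def out_of_scope(entries, allowed_base):
    # Every DN in an ls()/listUsers() result that the caller should not have been shown.
    return sorted(e['dn'] for e in entries.values() if not dn_in_subtree(e['dn'], allowed_base))

def check_ls_result(raw_json, allowed_base):
    # Parse the raw JSON result and report whether the ACL scope was respected.
    leaked = out_of_scope(json.loads(raw_json), allowed_base)
    return {'ok': not leaked, 'leaked': leaked}

# Constructed sample: what a restricted user might get back, keyed by uid like the wrapper does.
ALLOWED_BASE = 'ou=sales,dc=example,dc=com'   # the subdirectory the user was granted read access to
SAMPLE_RESULT = {
    'average-joe': {'dn': 'uid=average-joe,ou=people,ou=sales,dc=example,dc=com'},
    'jane':        {'dn': 'UID=jane, OU=People, OU=Sales, DC=Example, DC=com'},
    'root-admin':  {'dn': 'uid=root-admin,ou=people,dc=example,dc=com'},
    'eve':         {'dn': 'uid=eve,ou=people,ou=hr,dc=example,dc=com'},
}

if __name__ == '__main__':
    report = check_ls_result(json.dumps(SAMPLE_RESULT), ALLOWED_BASE)
    print('ACL scope respected' if report['ok'] else 'leaked DNs: %s' % report['leaked'])
```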
Reproduces how often: 100%
Additional Information
Added LDAP dump from demo.fusiondirectory.org as attachment: fullExport.ldif