
Not Having Any Permission Means The Api User Has All Api Access?

 
  • kadenmonlab
  • Newbie
  • Trial users
  • Join Date: 11-Dec 15
  • 7 posts

Posted 14 February 2019 - 07:15 AM #1

There is an administrator user for API use only. The user does not belong to the Administrator user group or any other. Every API entity has privileges, but this API user can access all APIs without any permissions, because the function below returns true if the user does not have any privileges.

 

Is this intended?

/**
 * Check if specified user has access to the specified permission
 *
 * @param int $user_id - user id
 * @param string $permission - the permission, should be checked
 * @return boolean true if the user has access, false otherwise
 */
function fn_check_user_access($user_id, $permission)
{
    static $user_access = array();
    $user_id = (int) $user_id;

    if ($user_id <= 0) {
        return false;
    }

    if (fn_allowed_for('ULTIMATE:FREE')) {
        return true;
    }

    if (!isset($user_access[$user_id])) {
        $sql = <<<SQL
SELECT ?:usergroup_privileges.privilege
 FROM ?:usergroup_links
 LEFT JOIN ?:usergroup_privileges ON (?:usergroup_privileges.usergroup_id = ?:usergroup_links.usergroup_id)
 WHERE ?:usergroup_links.user_id = ?i AND ?:usergroup_links.status = ?s
SQL;
        $user_access[$user_id] = db_get_fields($sql, $user_id, 'A');
    }

    // No privileges at all (no active usergroup link) is treated as unrestricted access
    if (empty($user_access[$user_id]) || in_array($permission, $user_access[$user_id])) {
        return true;
    }

    return false;
}


 
  • soft-solid
  • Junior Member
  • Members
  • Join Date: 19-Apr 10
  • 577 posts

Posted 14 February 2019 - 07:58 AM #2

Hello.
 
Report to the Simtech
 
Best regards
Robert.

Team of SoftSolid
cs-cart.pl

 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3794 posts

Posted 14 February 2019 - 12:01 PM #3

Yes, this is a default functionality. Adding admin to a usergroup limits account privileges to the ones specified for the usergroup. If admin is not added to any usergroup he/she will have all privileges.

 

 


Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11174 posts

Posted 15 February 2019 - 06:20 AM #4

The same applies for all other admin privileges. If you want to restrict access you need to manage the user with an admin group and its associated privileges.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.
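The decision rule discussed in this thread, modelled as an added example that is not CS-Cart code and not from any of the posters. It replays the logic of fn_check_user_access() from post #1 against an in-memory stand-in for the ?:usergroup_links and ?:usergroup_privileges tables (the db_get_fields() call and the fn_allowed_for('ULTIMATE:FREE') branch are left out), puts a deny-by-default variant beside it, and adds an audit helper that lists which admin accounts would be unrestricted under the default rule, which is what posts #3 and #4 say you must manage through usergroup membership. All user ids, usergroup ids and privilege names are constructed sample data.

```php
<?php
// Added example, not CS-Cart core code. Models the access decision of
// fn_check_user_access() with an in-memory stand-in for the two usergroup tables.
// All ids, privilege names and rows below are constructed sample data.

// Constructed rows of ?:usergroup_links: [user_id, usergroup_id, status]
// ('A' = active, the status the original query filters on)
$usergroupLinks = [
    [1, 10, 'A'],   // user 1: member of an active usergroup
    [2, 10, 'D'],   // user 2: only membership is disabled, so the query returns nothing
    // user 3: no membership rows at all (the "API-only admin" from post #1)
];

// Constructed rows of ?:usergroup_privileges: [usergroup_id, privilege]
$usergroupPrivileges = [
    [10, 'view_orders'],
    [10, 'manage_products'],
];

/** Privileges a user holds through active usergroup links (what the SELECT in post #1 returns). */
function privilegesFor(int $userId, array $links, array $privs): array
{
    $out = [];
    foreach ($links as [$uid, $gid, $status]) {
        if ($uid !== $userId || $status !== 'A') {
            continue;
        }
        foreach ($privs as [$pgid, $priv]) {
            if ($pgid === $gid) {
                $out[] = $priv;
            }
        }
    }
    return $out;
}

/** Default behaviour as shown in the thread: an empty privilege list means "allow everything". */
function checkAccessDefaultAllow(int $userId, string $permission, array $links, array $privs): bool
{
    if ($userId <= 0) {
        return false;
    }
    $granted = privilegesFor($userId, $links, $privs);
    return empty($granted) || in_array($permission, $granted, true);
}

/** Deny-by-default variant (a local hardening idea, not core behaviour):
 *  only privileges actually granted through an active usergroup count. */
function checkAccessDenyByDefault(int $userId, string $permission, array $links, array $privs): bool
{
    if ($userId <= 0) {
        return false;
    }
    return in_array($permission, privilegesFor($userId, $links, $privs), true);
}

/** Audit helper: which of the given admin ids get unrestricted access under the default rule? */
function unrestrictedAdmins(array $adminIds, array $links, array $privs): array
{
    return array_values(array_filter($adminIds, function (int $id) use ($links, $privs) {
        return $id > 0 && empty(privilegesFor($id, $links, $privs));
    }));
}

// Demonstration against a privilege none of the groups grant
foreach ([1, 2, 3] as $uid) {
    printf("user %d, delete_users: default=%s, deny-by-default=%s\n",
        $uid,
        var_export(checkAccessDefaultAllow($uid, 'delete_users', $usergroupLinks, $usergroupPrivileges), true),
        var_export(checkAccessDenyByDefault($uid, 'delete_users', $usergroupLinks, $usergroupPrivileges), true));
}
print_r(unrestrictedAdmins([1, 2, 3], $usergroupLinks, $usergroupPrivileges));
```

Running it shows user 1 denied under both rules (has privileges, but not this one), while users 2 and 3 are allowed under the default rule and denied under the deny-by-default one; the audit helper lists both 2 and 3. The user 2 case is worth noting for anyone auditing an installation: because the query only counts links with status 'A', an admin whose only usergroup membership has been disabled ends up with the same unrestricted access as one who was never added to a group, so "put every admin in a usergroup" is only effective while those memberships stay active.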


 
  • kadenmonlab
  • Newbie
  • Trial users
  • Join Date: 11-Dec 15
  • 7 posts

Posted 18 February 2019 - 12:52 AM #5

Great

 

Thank you all :)