
Not Having Any Permission Means The Api User Has All Api Access?

 

Posted 14 February 2019 - 07:15 AM #1

There is an administrator user for only api use. The user does not belong to the Administrator User Group or any others. Every Api Entity has privileges, but this api user can access all api without any permissions because the function below returns true if the user does not have any privileges.

 

Is this intended?

/**
 * Check if specified user has access to the specified permission
 *
 * @param int $user_id - user id
 * @param string $permission - the permission, should be checked
 * @return boolean true if the user has access, false otherwise
 */
function fn_check_user_access($user_id, $permission)
{
    static $user_access = array();
    $user_id = (int) $user_id;

    if ($user_id <= 0) {
        return false;
    }

    if (fn_allowed_for('ULTIMATE:FREE')) {
        return true;
    }

    if (!isset($user_access[$user_id])) {
        $sql = <<<SQL
SELECT ?:usergroup_privileges.privilege
 FROM ?:usergroup_links
 LEFT JOIN ?:usergroup_privileges ON (?:usergroup_privileges.usergroup_id = ?:usergroup_links.usergroup_id)
 WHERE ?:usergroup_links.user_id = ?i AND ?:usergroup_links.status = ?s
SQL;
        $user_access[$user_id] = db_get_fields($sql, $user_id, 'A');
    }

    if (empty($user_access[$user_id]) || in_array($permission, $user_access[$user_id])) {
        return true;
    }

    return false;
}


 
  • soft-solid

Posted 14 February 2019 - 07:58 AM #2

Hello.
 
Report to the Simtech
 
Best regards
Robert.



 
  • CS-Cart team

Posted 14 February 2019 - 12:01 PM #3

Yes, this is a default functionality. Adding an admin to a usergroup limits the account's privileges to the ones specified for the usergroup. If the admin is not added to any usergroup, he/she will have all privileges.

Sincerely yours, CS-Cart Support Team

 



 
  • tbirnseth

Posted 15 February 2019 - 06:20 AM #4

Same applies for all other admin privileges. If you want to restrict access you need to manage the user with an admin group and its associated privileges.


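To make the behaviour discussed in posts #1, #3 and #4 concrete, here is an added example (not CS-Cart's code) that replays the decision rule of the quoted fn_check_user_access() against constructed in-memory rows, skipping the fn_allowed_for('ULTIMATE:FREE') edition check. It also goes one step beyond the thread: because the query only keeps links with status 'A', an admin whose only group membership has any other status is treated exactly like an admin with no group, i.e. all privileges. The user ids, group id, status value 'D' and privilege names are constructed, and the fail-closed variant is an illustration, not a project function.

```php
<?php
// Added example, not CS-Cart code. Constructed stand-ins for the
// usergroup_links and usergroup_privileges tables used by the quoted query.
$usergroupLinks = [
    // user_id => [usergroup_id => status]
    10 => [2 => 'A'],   // admin in a restricted "API clients" group
    11 => [],           // API-only admin in no group (the original poster's case)
    12 => [2 => 'D'],   // membership row exists but status is not 'A' (constructed)
];
$usergroupPrivileges = [
    2 => ['view_orders', 'view_products'],   // constructed privilege names
];

// Mirrors the SELECT ... LEFT JOIN ... WHERE status = 'A' in the thread:
// privileges of every active link; an active group with no privilege rows
// contributes a NULL, just as the LEFT JOIN would.
function privileges_for(int $userId, array $links, array $privs): array {
    $out = [];
    foreach ($links[$userId] ?? [] as $groupId => $status) {
        if ($status === 'A') {
            $out = array_merge($out, $privs[$groupId] ?? [null]);
        }
    }
    return $out;
}

// Same rule as the quoted function: an empty privilege list allows everything.
function check_access_as_shipped(int $userId, string $permission, array $links, array $privs): bool {
    if ($userId <= 0) return false;
    $granted = privileges_for($userId, $links, $privs);
    return empty($granted) || in_array($permission, $granted, true);
}

// Illustrative fail-closed variant: no active group membership means no access.
function check_access_fail_closed(int $userId, string $permission, array $links, array $privs): bool {
    if ($userId <= 0) return false;
    return in_array($permission, privileges_for($userId, $links, $privs), true);
}

foreach ([10, 11, 12] as $uid) {
    foreach (['view_orders', 'manage_users'] as $perm) {
        printf("user %d %-12s shipped=%-5s fail_closed=%s\n", $uid, $perm,
            var_export(check_access_as_shipped($uid, $perm, $usergroupLinks, $usergroupPrivileges), true),
            var_export(check_access_fail_closed($uid, $perm, $usergroupLinks, $usergroupPrivileges), true));
    }
}
```

Running it shows user 10 limited to its group's two privileges under both rules, while users 11 and 12 get every permission under the shipped rule; the mitigation the thread recommends, assigning the API account to an admin usergroup with only the needed privileges, is what turns user 11 into user 10.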


 

Posted 18 February 2019 - 12:52 AM #5

Great

 

Thank you all :)



 
  • sioulisn

Posted 23 October 2020 - 05:39 PM #6

Is there any way that I can exclude API calls from "Access restrictions" addon?

I use access restrictions from specific IPs for the admin panel.

Most services recently are in AWS, Cloudflare or other multi-IP servers and it is impossible to exclude all of their IPs.



 
  • tbirnseth

Posted 23 October 2020 - 06:13 PM #7

Can you clarify?  Are you wanting to enable API access for IP addresses that are excluded by the Access Restrictions addon?




 
  • sioulisn

Posted 23 October 2020 - 06:29 PM #8

I have the Access Restrictions add-on enabled and I allow only the IPs that I have whitelisted to enter the admin panel. Now when I call the API link it gives "cannot access this area". When I turn off the Access Restrictions add-on I get the API results.

 
  • sioulisn

Posted 23 October 2020 - 06:33 PM #9

The problem is, the platform that I need to use to call the API of my cs cart is on an AWS server and I cannot whitelist the IPs because there are too many that AWS uses. So is there any way that I can exclude the API calls from the Access Restrictions add-on? That means my admin area is still restricted but the API calls are not (open to public).

 
  • tbirnseth

Posted 23 October 2020 - 06:49 PM #10

Not without some custom coding.  However, if you exclude the API, that somewhat mitigates your use of Access Restrictions.




 
  • sioulisn

Posted 23 October 2020 - 07:04 PM #11

Ok, thank you for your reply and your time.

 
  • eComLabs

Posted 26 October 2020 - 05:03 AM #12

app/addons/access_restrictions/func.php

 

find the fn_access_restrictions_user_init function and try to add the following code there

if (defined('API')) {
    return true;
}

(!) Not tested

