Not Having Any Permission Means The Api User Has All Api Access?

There is an administrator user for API use only. The user does not belong to the Administrator user group or any other group. Every API entity has privileges, but this API user can access all API endpoints without any permissions, because the function below returns true if the user does not have any privileges.

Is this intended?

/**
 * Check if specified user has access to the specified permission
 *
 * @param int $user_id - user id
 * @param string $permission - the permission, should be checked
 * @return boolean true if the user has access, false otherwise
 */
function fn_check_user_access($user_id, $permission)
{
    static $user_access = array();
    $user_id = (int) $user_id;
    if ($user_id <= 0) {
        return false;
    }

    if (fn_allowed_for('ULTIMATE:FREE')) {
        return true;
    }

    if (!isset($user_access[$user_id])) {
        $sql = <<<SQL
SELECT ?:usergroup_privileges.privilege
FROM ?:usergroup_links
LEFT JOIN ?:usergroup_privileges ON (?:usergroup_privileges.usergroup_id = ?:usergroup_links.usergroup_id)
WHERE ?:usergroup_links.user_id = ?i AND ?:usergroup_links.status = ?s
SQL;
        $user_access[$user_id] = db_get_fields($sql, $user_id, 'A');
    }

    // An empty privilege list (user linked to no usergroup) is treated as unrestricted
    if (empty($user_access[$user_id]) || in_array($permission, $user_access[$user_id])) {
        return true;
    }

    return false;
}

Hello.
Report to the Simtech
Best regards
Robert.

Yes, this is default functionality. Adding an admin to a usergroup limits the account's privileges to the ones specified for the usergroup. If the admin is not added to any usergroup, he/she will have all privileges.
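The rule described in that reply, as an added example (not CS-Cart's own code): the decision made by fn_check_user_access() re-implemented over an already-fetched privilege list, next to a fail-closed variant that is an assumption rather than stock behaviour. The privilege names and the three sample users are constructed; the list shapes mirror what the posted LEFT JOIN query would return.

```php
<?php
// Added example, not CS-Cart code: the privilege decision from the thread as a pure
// function over the list db_get_fields() would return, so the three cases can be compared.

/**
 * Stock behaviour as posted: an empty list (user linked to no usergroup) means
 * unrestricted; otherwise the permission must appear in the list.
 */
function check_access_fail_open(array $privileges, string $permission): bool
{
    return empty($privileges) || in_array($permission, $privileges, true);
}

/**
 * Fail-closed variant (an assumption, not the stock behaviour): a user whose
 * usergroups grant no privileges is granted nothing.
 */
function check_access_fail_closed(array $privileges, string $permission): bool
{
    return in_array($permission, $privileges, true);
}

// Constructed sample inputs, shaped like the rows the posted LEFT JOIN query returns.
$users = array(
    // No ?:usergroup_links row at all -> db_get_fields() yields an empty array.
    'api-only admin, no usergroup'  => array(),
    // Linked to a usergroup with no ?:usergroup_privileges rows -> one NULL value.
    'admin in empty usergroup'      => array(null),
    // Linked to a usergroup that grants two (constructed) privileges.
    'admin in restricted usergroup' => array('view_orders', 'view_users'),
);

foreach ($users as $label => $privileges) {
    foreach (array('view_orders', 'manage_usergroups') as $permission) {
        printf("%-30s %-18s fail-open: %-5s fail-closed: %s\n",
            $label, $permission,
            check_access_fail_open($privileges, $permission) ? 'true' : 'false',
            check_access_fail_closed($privileges, $permission) ? 'true' : 'false');
    }
}
```

Only the first user differs between the two variants: with the stock rule it passes every check, while an admin placed in a usergroup with no privileges is denied everything because the NULL row makes the list non-empty.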

The same applies to all other admin privileges. If you want to restrict access, you need to manage the user with an admin group and its associated privileges.

Great

Thank you all :)

Is there any way that I can exclude API calls from "Access restrictions" addon?

I use access restrictions from specific IPs for the admin panel.

Most services recently are in AWS, Cloudflare or other multi-IP servers, and it is impossible to exclude all of their IPs.

Can you clarify? Are you wanting to enable API access for IP addresses that are excluded by the Access Restrictions addon?

I have the Access Restrictions add-on enabled and I allow only the IPs that I have whitelisted to enter the admin panel.

Now when I call the API link it gives "cannot access this area".
When I turn off the Access Restrictions add-on, I get the API results.

Sent from my iPhone using Tapatalk

The problem is, the platform that I need to use to call the API from my CS-Cart is on an AWS server and I cannot whitelist the IPs because there are too many that AWS uses.

So is there any way that I can exclude the API calls from the Access Restrictions add-on? That means my admin area is still restricted but the API calls are not (open to the public).

Not without some custom coding. However, if you exclude the API, that somewhat mitigates your use of Access Restrictions.

Ok, thank you for your reply and your time.

app/addons/access_restrictions/func.php

find the fn_access_restrictions_user_init function and try to add the following code there

// Skip the IP restriction check for API requests (the API constant is defined for API calls)
if (defined('API')) {
    return true;
}

(!) Not tested