Wilko

Member Since 14 Feb 2013
Offline Last Active Nov 03 2016 03:51 PM
-----

Posts I've Made

In Topic: Api Security Issue - Returning Highly Sensitive Data

03 November 2016 - 12:17 PM

Ok - in the absence of any action / response - I have simply created a proxy to pull the data on the server and filter out what I don't want over the wire.
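A minimal version of the server-side filtering proxy this post describes, added here as an illustration and not code from the post or from the forum software being discussed. It assumes the upstream API call has already returned a record; the field names, ORDER_SCHEMA allowlist and the sample record are constructed for the example.

```python
# Allowlist schema: True keeps a scalar; a nested dict names which sub-fields
# of an object (or of each object in a list) may pass through.
ORDER_SCHEMA = {"order_id": True, "status": True, "total": True,
                "customer": {"name": True, "email": True},
                "items": {"sku": True, "quantity": True}}
# Defence in depth: key fragments that must never reach a client even if the
# allowlist above is later edited carelessly.
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "api_key", "card")

def project(data, schema):
    """Return a copy of data containing only the fields named in schema."""
    if isinstance(data, list):
        return [project(item, schema) for item in data]
    if not isinstance(data, dict):
        return data
    return {k: (data[k] if rule is True else project(data[k], rule))
            for k, rule in schema.items() if k in data}

def leaked_keys(data, path=""):
    """Walk a filtered response and list any key that still looks sensitive."""
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            here = f"{path}.{key}" if path else key
            if any(frag in key.lower() for frag in SENSITIVE_FRAGMENTS):
                found.append(here)
            found.extend(leaked_keys(value, here))
    elif isinstance(data, list):
        for i, item in enumerate(data):
            found.extend(leaked_keys(item, f"{path}[{i}]"))
    return found

def filter_order(upstream_order):
    """Proxy step: project the upstream record, then refuse to forward it if
    anything sensitive slipped through the allowlist."""
    safe = project(upstream_order, ORDER_SCHEMA)
    leaks = leaked_keys(safe)
    if leaks:
        raise ValueError(f"refusing to forward, sensitive keys: {leaks}")
    return safe

# Constructed upstream record (not real data) from an over-sharing orders API.
UPSTREAM_ORDER = {
    "order_id": 1001, "status": "paid", "total": "42.00",
    "customer": {"name": "A. Buyer", "email": "buyer@example.com",
                 "password_hash": "$2y$10$constructed"},
    "items": [{"sku": "WIDGET-1", "quantity": 2, "cost_price": "9.00"}],
    "payment_provider": {"api_key": "sk_constructed", "secret": "constructed"},
}
```

Calling filter_order(UPSTREAM_ORDER) returns only the allowlisted fields; the leaked_keys pass catches the case where someone later adds "payment_provider" to the allowlist wholesale.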


In Topic: Api Security Issue - Returning Highly Sensitive Data

21 September 2016 - 09:53 AM

Any update on this?


In Topic: Api - Security

14 September 2016 - 11:22 AM

Update:


I created a new user group "API Restricted" with only "View Orders" privileges enabled and edited my "API User" to only be a member of that group by "declining" membership of any other group, including the Administrator group.


Same output displayed... By definition the API User has to be an administrator to enable the "API" access in the first place.


That seemed a very logical way forward but seems to have no effect - I will play around with it a bit more though. I did close all browser instances first in case it picked up my root admin logged in status etc.


In Topic: Api - Security

14 September 2016 - 11:04 AM

It's all good.


Cool :)

Note that an admin user can already be limited in their scope of information via their user group and the "permissions" that are enabled for that user group. Hence using the api credentials of a restricted user would provide restricted output versus using your "root" admin account which is basically unrestricted. Whether that includes the payment provider settings or not, I'm not sure.


That's a very good point - I will try that in a minute and see what output I get...

I will try to add an "UNTESTED" line next time I provide a code segment that is off the top of my head versus being lifted from an already proven implementation. And yes, I do like to generate some revenue off of consulting services which is my business. But I also try to help where possible when it doesn't require a big investment of time on my part since time is what I sell.


Of course! I completely understand that...


In Topic: Api Security Issue - Returning Highly Sensitive Data

13 September 2016 - 02:47 PM

Thank you... I look forward to the response.