CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: ACLs & APIs  (Read 5364 times)

Eileen

Re: ACLs & APIs
May 16, 2010, 01:03:53 am
Yeah, I think it's a security bug too. It basically means a clever user (who reads our forums) who has access to CiviCRM on a given site can get the contact details of any contact using the REST URL - even where the administrator has specifically chosen not to give them access.

Permissions set through the ACL hook can also be breached using the AJAX API.

I'm aware of at least half a dozen sites that give users permission to access users through ACLs AND give them access to CiviCRM.

I'm not 100% sure how one would
Quote: "use a user that has the right permissions."
in code - set UID? Or I guess it could be only allowed through PHP & not REST?
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

xavier

Re: ACLs & APIs
May 16, 2010, 02:27:36 am
Hi,

Was trying to imagine in which case it would be a regression: if one "limited" user fetches the list via the REST API and really wants the full list of contacts (as of today), then it will break the expected behaviour. In that case, the fix is simply to change the access rights of the user to get access to all the contacts, not the subset (by changing the role or permission of the user in Drupal).

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Donald Lobo

Re: ACLs & APIs
May 16, 2010, 06:42:14 am
I think you need both options: allowing the API to fetch a set of contacts "outside" the scope of the current user.

Check this spec out:

http://wiki.civicrm.org/confluence/display/CRM/CiviCRM+for+Canvassing+and+GOTV

In the above spec, the auth user is presented a list of users from a group that they don't have edit/view access to. You are allowing this user to do a limited subset of operations via module code (in this case create an activity). If the API did not allow you access outside your current scope, you would not be able to write this module :)

Maybe we need some functions exposed via REST but not all?

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

xavier

Re: ACLs & APIs
May 16, 2010, 08:28:29 am
See the need better, but still not convinced a low-level API that bypasses the ACL should be exposed; abusing it would be too easy.

Shouldn't it be better to have an API specifically for that, one that limits the user to fetch only from the "to be canvassed" groups or whatever is requested for the GOTV/canvassing? Kind of like 'getting the list of participants', which checks that it's only the participants and not any contact, and only from the events that allow the list of participants.

(The participants list isn't an API, and not so good an example, but the point is that we shouldn't expect the URI of the API request not to be modified as the only security measure. I'm quite sure being able to fetch the high-level VIP donors just because I registered as a volunteer for canvassing and I'm able to change the group id on the URI is not too good ;)
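The design xavier sketches above, as an added example that is not CiviCRM code: the canvassing endpoint takes a group id from the request, but the set of groups the volunteer may read is decided server-side from their assignment, and only the fields canvassing needs are returned. The `fetch_group_contacts` callback and the sample data are constructed stand-ins for the real contact lookup.

```php
<?php
// Added example (hypothetical, not CiviCRM core): server-side gate for a
// canvassing endpoint. A changed group id in the URI is rejected here,
// so the URI is never the only thing standing between a volunteer and
// contacts outside their assignment.

/**
 * Return contact rows for $requestedGroupId, but only if that group is
 * among the groups this volunteer has been assigned for canvassing.
 *
 * @param int      $requestedGroupId    group id from the request (untrusted)
 * @param int[]    $assignedGroupIds    groups assigned to the logged-in user (trusted, server-side)
 * @param callable $fetchGroupContacts  function(int $groupId): array, hypothetical backend lookup
 * @return array   contact rows reduced to the canvassing fields
 * @throws RuntimeException when the requested group is not assigned to the user
 */
function canvassing_contacts_get(int $requestedGroupId, array $assignedGroupIds, callable $fetchGroupContacts): array {
    // Strict comparison on ints: do not let a loosely-typed URI value slip through.
    if (!in_array($requestedGroupId, array_map('intval', $assignedGroupIds), true)) {
        // Surface the refusal (log it in a real site) so an admin can see attempts.
        throw new RuntimeException("group $requestedGroupId is not assigned to this user");
    }
    // Expose only what a canvasser needs, never the full contact record.
    $allowedFields = array_flip(['contact_id', 'display_name', 'street_address', 'city']);
    $rows = [];
    foreach ($fetchGroupContacts($requestedGroupId) as $contact) {
        $rows[] = array_intersect_key($contact, $allowedFields);
    }
    return $rows;
}

// Constructed sample data standing in for the database.
$sampleGroups = [
    7  => [['contact_id' => 1, 'display_name' => 'A. Example', 'street_address' => '1 Main St', 'city' => 'Town', 'total_donations' => 90]],
    42 => [['contact_id' => 2, 'display_name' => 'V. Donor',   'street_address' => '2 Hill Rd', 'city' => 'Town', 'total_donations' => 250000]],
];
$fetch = function (int $groupId) use ($sampleGroups): array {
    return $sampleGroups[$groupId] ?? [];
};

// A volunteer assigned to group 7 only: group 7 works, group 42 is refused.
print_r(canvassing_contacts_get(7, [7], $fetch));   // one row, without total_donations
try {
    canvassing_contacts_get(42, [7], $fetch);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```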

Eileen

Re: ACLs & APIs
May 16, 2010, 02:33:56 pm
OK, so I see two issues:

1) that too much information is currently exposed through the AJAX call and there is an existing security issue around that. Also, changing this behaviour could affect existing code.

2) that sometimes you do want to be able to get information beyond the current user's permissions to massage through code. In this second case I have used the profile API (not part of core at the moment) to use profiles to determine the users that should be shown & the fields that should be exposed. This probably would work in the example you have given but I'm not sure it's universal.

Donald Lobo

Re: ACLs & APIs
May 16, 2010, 08:23:57 pm
eileen:

since you seem to need this, can you submit a patch to add permissioning to the current search API call?

I suspect we'll tackle the second case when we get to it? Maybe have an internal non-REST (but programmatically accessible) call (which a variation of apiQuery can support).

lobo

Eileen

Re: ACLs & APIs
May 16, 2010, 08:25:22 pm
OK - so it's agreed the API call *should* respect permissions. If we implement this will it break any existing sites out there?

Eileen

Re: ACLs & APIs
May 17, 2010, 08:44:51 pm
Hi,

I have suggested to my client that they sponsor a patch for this since it will be helpful to them (but they do have another work-around option which is no less coding time, but the coding would be done by a volunteer).

Lobo suggested a budget of 20 hours including some contribution to the test case to allow it to go into core & this is what I have put to them. I have also logged it so that if we don't get any buy-in from them it doesn't get completely lost: http://issues.civicrm.org/jira/browse/CRM-6266

I don't think they are that keen but if someone else wants to put in as well they might go part-way?
