should new api expose settings in /zm/api/configs.json to user that has system setting to "none"
Posted: Tue Mar 22, 2016 11:45 pm
by kevin186
I was poking around with the new api to see what info is exposed, specifically ZM_PATH_ZMS, because I am thinking about rebuilding my app. I created a regular user that does not have admin access by setting system to "none," along with the other options set to "view." When visiting my zoneminder installation and manually putting view=options, I received the expected message that I did not have permissions. When visiting the api/configs.json, I was able to view all of the internal settings. It seems like that user should not be able to pull that data and view it. Is that how it is supposed to be?
ubuntu 15
zm 1.29
Re: should new api expose settings in /zm/api/configs.json to user that has system setting to "none"
Posted: Wed Mar 23, 2016 9:17 am
by Glyphs
As far as I am aware, right now the API does not care about user permissions and will return the same information as long as you're authenticated.
Re: should new api expose settings in /zm/api/configs.json to user that has system setting to "none"
Posted: Wed Mar 23, 2016 12:06 pm
by asker
In general, the original APIs had no role-based security implemented - once you are logged in with any id - you are king and master.
I've been adding security over the past few months - this one is still TBD. Please keep pointing out other areas as you come by them (Please apply the latest changes to security here https://github.com/ZoneMinder/ZoneMinder/pull/1336)
thx
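
The gap discussed in this thread, as an added example that is not part of any post and is not ZoneMinder's code: a small Python model of a configs endpoint that checks only authentication, next to one that also checks the user's "system" permission, plus a regression check that lists under-privileged users a handler still serves. The handler names, the `edit` level and its ordering, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample settings, not values from a real installation.
CONFIGS = {"ZM_PATH_ZMS": "/constructed/path/zms", "ZM_SAMPLE_OPTION": "constructed"}
# Assumed ordering of the "system" permission levels.
LEVELS = {"none": 0, "view": 1, "edit": 2}

class Unauthenticated(Exception):
    pass

class Forbidden(Exception):
    pass

@dataclass
class User:
    name: str
    system: str = "none"
    authenticated: bool = True

def configs_authn_only(user):
    """Behaviour reported in the thread: being logged in is the only check."""
    if user is None or not user.authenticated:
        raise Unauthenticated(getattr(user, "name", None))
    return dict(CONFIGS)

def configs_with_authz(user, needed="view"):
    """Hardened model: also require the user's system permission."""
    if user is None or not user.authenticated:
        raise Unauthenticated(getattr(user, "name", None))
    # Unknown or missing levels map to 0, so the check denies by default.
    if LEVELS.get(str(user.system).lower(), 0) < LEVELS[needed]:
        raise Forbidden(user.name)
    return dict(CONFIGS)

def overexposed(handler, users, needed="view"):
    """Names of users below `needed` that `handler` still served."""
    leaked = []
    for u in users:
        try:
            handler(u)
        except (Unauthenticated, Forbidden):
            continue
        if LEVELS.get(str(u.system).lower(), 0) < LEVELS[needed]:
            leaked.append(u.name)
    return leaked

# Constructed accounts: one per level, one misspelled level, one logged out.
USERS = [User("restricted", "none"), User("operator", "view"),
         User("admin", "edit"), User("typo", "veiw"), User("anon", "edit", False)]
```

Running `overexposed` against each handler with one account per permission level turns the manual check from the first post into a repeatable test.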