
"Administer Nodes" (authored by) permission not respected by Node.save // Comment.save

Project:Services
Version:6.x-2.x-dev
Component:Code
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

What is the recommended method for disallowing a user to impersonate another user when saving nodes and comments?

In JavaScript it's relatively easy to hack a node / comment object and post content as any user id. Even without the permission to "administer nodes".

One solution would be to combine two service calls when saving. One that verifies the identity and immediately fires the save thereafter. I'd rather not do this. // Another solution is to clone the node.save service and build in an automatic user id filler. This doesn't seem to maintain the flexibility of the current service.

This issue should be moot. Shouldn't the "administer nodes" permission control this ability?

Comments

#1

Title:Authored By Security on Node.save // Comment.save» "Administer Nodes" (authored by) permission not respected by Node.save // Comment.save

#2

Status:active» closed (fixed)

I don't really get this issue. As far as I know there is no way in JavaScript to change the authored by information (and make it actually save) without administer nodes perms, and if there is you should contact the security team as it is a serious issue.

As far as I know there is also no way in services to do this, unless your services is set up in such a way to allow it. If there is, again, this is a security issue and should be taken care of through that channel.
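The question in the issue summary (how to stop a client from choosing the author of a node it saves) and the answer in #2 (the server, not the JavaScript client, has to enforce "administer nodes") come down to one check on the save path. The Drupal 6 module below is an added example, not code from the Services project: it pins the author to the acting account on every save, including node.save calls from Services, unless that account has "administer nodes". The module name "authorguard" is hypothetical; the example assumes the Drupal 6 core APIs hook_nodeapi() with the 'presave' op, user_access(), node_load(), user_load() and watchdog(), and that the Services authentication in use has set the global $user to the calling account.

```php
<?php
// Added example (not Services project code): a hypothetical Drupal 6 module
// "authorguard" that makes the "administer nodes" decision explicit on every
// node save path. Assumes Drupal 6 core APIs and that $GLOBALS['user'] is
// the authenticated caller, whether the save comes from a form or Services.

/**
 * Implementation of hook_nodeapi().
 *
 * 'presave' runs inside node_save() for every caller, so a node object
 * built in JavaScript cannot choose its author by sending uid/name.
 */
function authorguard_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  if ($op != 'presave') {
    return;
  }
  global $user;
  $node = authorguard_enforce_author($node, $user);
}

/**
 * Pin the node author to the acting account unless it may administer nodes.
 *
 * Kept separate from the hook so the rule can be exercised without a request.
 *
 * @param object $node    Node object about to be saved.
 * @param object $account Account performing the save.
 * @return object The node with uid and name normalised.
 */
function authorguard_enforce_author($node, $account) {
  if (user_access('administer nodes', $account)) {
    // Administrators may set "Authored by" freely, as the node form allows.
    return $node;
  }

  // New node: the author is the caller. Existing node: keep the stored
  // author, so a non-admin edit cannot reassign ownership either way.
  $allowed_uid = (int) $account->uid;
  if (!empty($node->nid)) {
    $original = node_load((int) $node->nid);
    if ($original) {
      $allowed_uid = (int) $original->uid;
    }
  }

  $submitted_uid = isset($node->uid) ? (int) $node->uid : NULL;
  if ($submitted_uid !== NULL && $submitted_uid !== $allowed_uid) {
    // Log the mismatch: a client sending a foreign uid is worth noticing.
    watchdog('authorguard',
      'Ignored author uid @uid on node @nid from user @acting; author reset to @allowed.',
      array(
        '@uid' => $submitted_uid,
        '@nid' => (int) $node->nid,
        '@acting' => (int) $account->uid,
        '@allowed' => $allowed_uid,
      ),
      WATCHDOG_WARNING);
  }

  $node->uid = $allowed_uid;
  // Services clients also send a 'name' key; derive it from the enforced uid
  // instead of trusting the submitted value.
  $author = user_load(array('uid' => $allowed_uid));
  $node->name = $author ? $author->name : '';

  return $node;
}
```

With this in place the uid and name keys in the test objects later in this thread are harmless for a non-administrator: they are overwritten before node_save() writes the row, and a mismatch shows up in the watchdog log. Administrators keep the "Authored by" behaviour the node form already gives them.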

#3

Status:closed (fixed)» fixed

#4

Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#5

#6

I'm going through my notes and was able to replicate the issue that confused me.

That plus drinks may have resulted in this post.

I think I may have been spun around in a loop trying to solve the original problem.

But that original problem was never solved.

// Any thoughts on this?

As an administrator I can node.save new nodes, and node.save existing nodes, no problem.

As a non-administrator account, not so much.

As an editor I can node.save new nodes, but cannot node.save existing nodes. Problem.

It's not a permissions issue. I've tested it with EVERY permission enabled, except one.

It's narrowed to "Administer Nodes" permission. Without it, a non-administrator gets Access Denied when attempting to edit even their own node.

The only workaround was to switch "Administer Nodes" --> w/ the unfortunate side effect being that this allows an editor access to all content.

//

Question is: what is administering nodes doing to my edit service?

There must be something I'm missing from the node.save node object, on edit.

Here's my test node objects:

        save: {
          method: 'node.save',
          node: {
            type: 'page',
            title: 'New Page',
            nid: 0,
            uid: uid,
            name: username,
            status: 1,
            created: timestamp
          }
        }

        edit: {
          method: 'node.save',
          node: {
            title: 'Edited Title',
            nid: nid,
            uid: uid,
            name: username,
            changed: timestamp
          }
        }

#7

Status:closed (fixed)» needs review

#8

Status:needs review» active

#9

Status:active» closed (fixed)

I just ran through an install and solved it. I added type and status key pairs to the edit object.

        save: {
          method: 'node.save',
          node: {
            type: 'page',
            title: 'New Page',
            nid: 0,
            uid: uid,
            name: username,
            status: 1,
            created: timestamp
          }
        }

        edit: {
          method: 'node.save',
          node: {
            type: 'page',
            title: 'Edited Title',
            nid: nid,
            uid: uid,
            name: username,
            status: 1,
            changed: timestamp
          }
        }

It worked.

The system appears to be more strict for non-administrators who are creating node objects.

You'd think it would be the same, based on the permissions table.

Sort of an anomaly.

//

I don't know if this explains my original post, but it solves my original problem.

Thanks for your patience :)
