After I have enabled the "Use sessid" options, if I call any service method with a random string as the session id, the services_method_call method do not verify for a valid session id. It only checks for an empty arg as session id.
I am providing a patch for it.

@@ -404,6 +404,9 @@
       return services_error(t('Invalid sessid.'));
     }
     $session_backup = services_session_load($sessid);
+    if (empty($session_backup)) {
+      return services_error(t('Invalid sessid.'));
+    }
   }
   
   // Check access

Cheers!

CommentFileSizeAuthor
services.module.diff266 bytesbrutuscat

Comments

marcingy’s picture

Status: Patch (to be ported) » Needs review
gdd’s picture

Status: Needs review » Closed (won't fix)

As long as it does not treat the session as an actual authenticated or privileged user, and simply treats them as anonymous, then I don't see any reason to fix this.