i just updated to 2.1 due to the security issue.
however i went from being able to run system.connect to get a valid sessid.
to no longer authenticating.
since user.login requires a sessid, this will break everything i need.

setup is pressflow 6.16.77
services 2.1

just trying to telnet in didn't even allow this.

telnet webdev.thedailyworld.com 80           
Trying 12.9.217.36...
Connected to webdev.thedailyworld.com.
Escape character is '^]'.
POST /services/xmlrpc HTTP/1.0
User-Agent: Frontier/5.1.2 (WinNT)
Host: webdev.thedailyworld.com
Content-Type: text/xml
Content-length: 108

<?xml version="1.0"?>
<methodCall>
<methodName>system.connect</methodName>
<params>
</params>
</methodCall>
HTTP/1.1 200 OK
Date: Wed, 12 May 2010 22:42:16 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/3.1 Python/2.6.4 mod_bwlimited/1.4 mod_jk/1.2.25 PHP/5.2.8
X-Powered-By: PHP/5.2.8
Last-Modified: Wed, 12 May 2010 22:42:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1273704160"
Connection: close
Content-Length: 326
Content-Type: text/xml

<?xml version="1.0"?>
<methodResponse>
  <fault>
  <value>
    <struct>
    <member>
      <name>faultCode</name>
      <value><int>1</int></value>
    </member>
    <member>
      <name>faultString</name>
      <value><string>Access denied</string></value>
    </member>
    </struct>
  </value>
  </fault>
</methodResponse>
Connection closed by foreign host.
CommentFileSizeAuthor
#46 services_menu_views.jpg51.41 KBhyperbear
#43 797448.patch2.39 KBgdd
#40 797448.patch985 bytesgdd
#15 797448.patch2.04 KBgdd

Comments

marcingy’s picture

Just giving a quick eyeball and I need to speak to heyrocker about this and yes I can see the issue, we either need to add a new permission for system connect in the system services module because at the moment we are calling user_access with no data hence get a FALSE returned or set the access callback is simply TRUE. The immediate fix I can see would be to add line 36 to system_service.module

'#access callback' => TRUE,
marcingy’s picture

Title: auth denied for system.connect? » Incorrect access check for system.connect method
gdd’s picture

I think we will need a solution for user.login and user.logout as well. Those should also be forced always open.

I was looking through the code this morning and while forcing these callbacks to return TRUE (or 'services_acess_menu') is an option, I want to make sure it is the best one, and do some thorough testing before rolling it out. Last thing I want is to create another SA.

This will require rolling another release though.

whytewolf I assume the above temp solution worked for you?

whytewolf’s picture

@heyrocker I have not tested it yet. I only get into the office at 7am PST and had a ton of things in front of the development site I'm using this for.

I will update here when i have more info to update with, but do appreciate the hard work everyone has been putting into this module as it will in the end save me a ton of work.

edit: okay, i tried the fix and it did not work,
instead i received this error

call_user_func_array() [<a href='function.call-user-func-array'>function.call-user-func-array</a>]: First argument is expected to be a valid callback, '1' was given in /home/aberdeen/public_html/sites/all/modules/services/services.module on line 434.
PWG’s picture

Yes, when I call system.connect via the browser, I get that error too.

Then I updated from beta1 to beta2 of AMFPHP and now when I call system.connect via the browser, I get the error:

warning: Missing argument 1 for user_access() in /home/xxxx/public_html/modules/user/user.module on line 482.

PWG’s picture

I re-installed beta1 of amfphp and then set

'#access callback' => 'services_access_menu',

instead of to TRUE since this parameter should be a callable function.

The error then disappears.

My problem with beta2 of amfphp remains, though. Any suggestions?

PWG’s picture

Hmm...However, although system.connect and a lot of other functions work, even though I am back to using beta1 of amfphp, I still get

warning: Missing argument 1 for user_access() in /home/xxx/public_html/modules/user/user.module on line 482.

for some functions. user.logout for example.

gdd’s picture

Yes you will need to do the same thing for user.login and user.logout I believe.

marcingy’s picture

After thinking about this for the evening doing the check via a real access callback is better than just setting the callback to TRUE, just keeps the code tidier and will allow for documentation of that function to explain why it just returns true. Eg Use this if you need to provide open access to services method.

I think the list we have is all need to have open access - connect, login, logout.

whytewolf’s picture

thank you @heyrocker and @PWG, that fixed everything [useing services_access_menu & adding it to user.login]

whytewolf’s picture

I spoke to soon, user.login is still giving access denied.

and i end up with 5 errors in the logs.
session_encode() [<a href='function.session-encode'>function.session-encode</a>]: Cannot encode non-existent session. in /home/aberdeen/public_html/sites/all/modules/services/services.module on line 837.
array_fill() [<a href='function.array-fill'>function.array-fill</a>]: Number of elements must be positive in /home/aberdeen/public_html/includes/database.inc on line 276.
implode() [<a href='function.implode'>function.implode</a>]: Invalid arguments passed in /home/aberdeen/public_html/includes/database.inc on line 276.
array_keys() [<a href='function.array-keys'>function.array-keys</a>]: The first argument should be an array in /home/aberdeen/public_html/modules/user/user.module on line 502.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#039;)&#039; at line 1 query: SELECT p.perm FROM role r INNER JOIN permission p ON p.rid = r.rid WHERE r.rid IN () in /home/aberdeen/public_html/modules/user/user.module on line 502.

PWG’s picture

So did you

1. Put in

'#access callback' => 'services_access_menu',

for user.login as well? (NOTE: In the user_service module, not in user.module)

2. Re-install user service on the Modules page?

That worked for me.

gdd’s picture

You don't actually have to reinstall the module but you do have to clear cache.

PWG’s picture

I take that back. I do experience the same problem with user.login. Sorry about that.

gdd’s picture

Status: Active » Needs review
StatusFileSize
new2.04 KB

OK attached is a patch for review. Here is how I tested it. I'm trying to make these instructions extremely detailed so that a) people can reproduce the testing environment and b) if there's a problem in my methodology someone can point it out.

I setup a fresh D6 install with nothing but stock Drupal and Services 2.1. The Services modules enabled were

Services
XMLRPC Server
Key Auth
System, Node and User Services.

I configured Services to use Sessions without API Keys. I disabled all permissions for the anonymous user, and made a simple Story node for testing. I used the following script in another sandbox to test.

// Get anon session. system.connect is the only service that does
// not require a sessionid even when you have 'Use Sess ID' checked.
$xmlrpc_url = 'http://mydomain.com/services/xmlrpc';
$anon_session = xmlrpc($xmlrpc_url, 'system.connect');

// Use anon session id to login with authentication
$user = 'user';
$password = 'password';
$authenticated_session = xmlrpc($xmlrpc_url, 'user.login', $anon_session['sessid'], $user, $password);  

// Now we have an authenticated session, and when this ID is passed to services, it will run under that user's permissions
$auth_node = xmlrpc($xmlrpc_url, 'node.get', $authenticated_session['sessid'], '1');

// If this succeeded print the node, otherwise print the error.
if ($auth_node === FALSE) {
  print '<pre>' . print_r(xmlrpc_error(), TRUE) . '<pre>';
}
else {
  print_r($auth_node);
}

// Now try the same thing with the anonymous user.
$anon_node = xmlrpc($xmlrpc_url, 'node.get', $anon_session['sessid'], '1');

// If this succeeded print the node, otherwise print the error.
if ($anon_node === FALSE) {
  print '<pre>' . print_r(xmlrpc_error(), TRUE) . '<pre>';
}
else {
  print_r($anon_node);
}

This is my standard testing script for session authentication, based on the same one I wrote up for the handbook.

So in 2.1 this all fails, because system.connect fails and without that you're nowhere. I then applied the attached patch to 2.1 to the remote server and cleared the remote server's cache. This is important!

Now when I run the above test I get

Array
(
    [nid] => 1
    [type] => story
    [language] => 
    [uid] => 1
    [status] => 1
    [created] => 1273805511
    [changed] => 1273805511
    [comment] => 2
    [promote] => 1
    [moderate] => 0
    [sticky] => 0
    [tnid] => 0
    [translate] => 0
    [vid] => 1
    [revision_uid] => 1
    [title] => Test node for Services
    [body] => Test node for Services
    [teaser] => Test node for Services
    [log] => 
    [revision_timestamp] => 1273805511
    [format] => 1
    [name] => admin
    [picture] => 
    [data] => a:0:{}
    [last_comment_timestamp] => 1273805511
    [last_comment_name] => 
    [comment_count] => 0
    [taxonomy] => Array
        (
        )
 
)
<pre>stdClass Object
(
    [is_error] => 1
    [code] => 1
    [message] => Access denied
)
<pre>

So it all works.

Would love to see some testing of this patch so we can get this fixed.

Thanks all.

gdd’s picture

Just to be through I also ran the above code against user.get, since it is an example of a service that uses the default access callback rather than specifying a custom one. This also ran properly (auth user got the user info, anon user did not.)

marcingy’s picture

From a code angle this looks fine - maybe we need some docs on the services_access_menu callback only because in 6 months time we are going to have a why is it doing that moment.

whytewolf’s picture

ok, I tried the patch on a separate install on one of my own servers, and the good news is it worked there.
I don't have the site access at this moment to test on the site i was having issues with.
I will try in the morning when i get in.

I"ll start by completely uninstalling the services system i have and starting from scratch.

and see how that goes

PWG’s picture

So the patch inserts

'#access callback' => 'services_access_menu', for system.connect, user.login and user.logout as suggested.

This is the change both I and whytewolf implemented and still user.login won't work (the exact error described by whytewolf above). Could you please explain why? Is it because we use API keys for user.login?? I'd really like to know what the problem is since I cannot get user.login up and running on my site.

sitron2’s picture

i installed the patch and system.connect works ok.
I still have an issue with menu.get. From the services admin page, when calling menu.get without any menu_id i get the result but with a warning: "Missing argument 1 for user_access() in .../modules/user/user.module on line 482.". (with menu_id it's ok, using sessid and no key auth.).
Is there a similar patch to apply to menu.get?

gdd’s picture

PWG are you using API Keys AND Sessions both together? Or just API Keys?

PWG’s picture

Both.

PWG’s picture

I just realised user.logout -via the service browser - generates the error

warning: Missing argument 1 for user_access() in /home/xxxx/public_html/modules/user/user.module on line 482.

The result reported from the function is "1"

PWG’s picture

Of all the stupid, stupid things to do! I was continuously uploading the wrong versions of the module files.
I'll do some more testing, but I think my problems with user.login/logout just went away.

wangzhaocheng’s picture

Assigned: Unassigned » wangzhaocheng

I am also!!!!

Today,I update the Services module to version"6.x-2.1".

I test the "system.connect" , the Return Value is :
["#error"]=> bool(true) ["#message"]=> string(13) "Access denied"

I used API Keys AND Sessions both together.
But "system.connect" Does not require authentication....

WHO CAN TELL ME WHY ??????????????????????????????????????????????????????

wangzhaocheng’s picture

I am also!!!!

Today,I update the Services module to version"6.x-2.1".

I test the "system.connect" , the Return Value is :
["#error"]=> bool(true) ["#message"]=> string(13) "Access denied"

I used API Keys AND Sessions both together.
But "system.connect" Does not require authentication....

WHO CAN TELL ME WHY ??????????????????????????????????????????????????????

wangzhaocheng’s picture

I am also!!!!

Today,I update the Services module to version"6.x-2.1".

I test the "system.connect" , the Return Value is :
["#error"]=> bool(true) ["#message"]=> string(13) "Access denied"

I used API Keys AND Sessions both together.
But "system.connect" Does not require authentication....

WHO CAN TELL ME WHY ??????????????????????????????????????????????????????

gdd’s picture

@wangzhaocheng please stop spamming this issue. If you want to help, test the patch.

@PWG I test sessions + api keys this morning and it worked fine, let me know if you're good to go

marcingy’s picture

Assigned: wangzhaocheng » Unassigned
whytewolf’s picture

okay, tested on the server i was having issues with, and it worked

deleted the services directory i had, untared a fresh copy of services 2.1, downloaded the patch into that directory, ran patch -p0 < [patch], cleared my cache, tested, and it worked.

not sure whats different tho, I do clear the cache between every test. just to be safe.

jdwfly’s picture

Status: Needs review » Reviewed & tested by the community

Patch from #15 clears up the issue. Just make sure to clear the cache after patching.

gdd’s picture

Status: Reviewed & tested by the community » Fixed

This has been committed and should appear in the next dev release. I am going to wait a couple days to make sure no new issues crop up, then I will roll a new release by Monday.

Thanks all for your help.

wangzhaocheng’s picture

@heyrocker I'm so sorry it.

Please forgive me for stupid behavior. ^_^

I am a rookie,I am very anxious.

My trouble is:
【Regardless of any method calls are returned the same value:“Access denied”】

I would also like to know,what's the patch to test ???

Thank you !!!

Looking forward to reply

gdd’s picture

Please use the patch in comment #15 or download the current -dev version of the module for testing.

PWG’s picture

heyrocker: Yes, I'm good to go!

edsko’s picture

Just reporting that I experienced the same problem and that the patch of #15 works for me. Thanks!

wangzhaocheng’s picture

Status: Fixed » Needs review

#15: 797448.patch queued for re-testing.

marcingy’s picture

Status: Needs review » Fixed

Please do not change status when a maintainer has marked stuff as fixed.

hyperbear’s picture

Doesn't the menu_service.module also need '#access callback' => 'services_access_menu' ? I applied the patch, and tried menu.get which gave me an Access denied error. Adding the access callback line to menu_service.module removed the access denied error, but doesn't give me any results. The result is empty..

Anyone else having troubles with loading menus with as3?

gdd’s picture

StatusFileSize
new985 bytes

I think a better option here would be to add an access permission for this service. The base function menu_tree_all_data() already checks user_access() so I don't think any protected data can be retrieved, I still think that having a permission here is prudent.

Can you test the attached patch? You will have to clear cache and give the appropriate user permission to 'get menu information'.

gdd’s picture

Status: Fixed » Needs review
sitron2’s picture

menu patch working for me. Thanks!
Another question: i use amfphp with sessid and no auth. key, is it normal that i can specify any string as sessid ("cool" would work as well as a valid sessid). I think it's odd that i *have* to specify a String but it can be anything.

gdd’s picture

StatusFileSize
new2.39 KB

I found two taxonomy services in the same situation and added access checks for them as well. Attached is the final patch which I will commit today.

gdd’s picture

Status: Needs review » Fixed

@sitron2 I don't know if it is "normal" but it is the expected behavior. These sessions are assigned to the anonymous user just like any other unknown or new session so I've never considered it a problem worth fixing.

sitron2’s picture

ok, thanks for the explanation.

hyperbear’s picture

StatusFileSize
new51.41 KB

Thanks for the quick patch heyrocker!
menu.get works now with ordinary menus, but I still have problems with one menu where I've added links to views on the first menu level. ie attached image. Using AS3 it returns nothing (no error, no object, no nothing), but testing the same menu in drupal (services/browse/menu.get) I get the whole menu-tree as intended.

titouille’s picture

Hello,

I installed the #15 patch, but with some "system" method I continue to have warnings :

warning: call_user_func_array() expects parameter 2 to be array, null given in /sites/all/modules/services/services.module on line 434.

when I call system.connect, system.getServices and system.cacheClearAll...

It seems the warning is because theses methods doesn't have arguments for the call_user_func_array to test access callback

If someone have an idea on how to fix this problem...

gdd’s picture

Please upgrade to 2.2 and clear cache.

titouille’s picture

heyrocker, it's done... 2.2 installed, cache cleared in /admin/settings/performance, /admin/settings/performance/boost and even in database cache table (all entries) but problem persist :-(

attiks’s picture

this bug apparently depends on platform / php version, we fixed it like this (in services.module)

line 434: if (call_user_func_array($method['access callback'], (array)$access_arguments) != TRUE) {

line 445: $result = call_user_func_array($method['callback'], (array)$args);

gdd’s picture

Could you tell me wabout your hosting information and what versions of things you're using? it would be nice to get that sorted out if it really is a platform/version problem.

jmseigneur’s picture

I think that "warning: call_user_func_array() expects parameter 2 to be array, null given" happens due to incompatibility with PHP 5.3. Do you run PHP 5.3?

attiks’s picture

#52, you're right, the one that wasn't working is running php 5.3. The other one 5.2

gateway69’s picture

Im also running PHP Version 5.3.2-1ubuntu4.2 and getting warning: call_user_func_array() expects parameter 2 to be array, null given in /var/www/sites/all/modules/services/services.module on line 434. when I go to system.connect and click on call method button..

So far this happens to:

system.getServices
system.cacheClearAll

using Services 6.x-2.2

gateway69’s picture

Version: 6.x-2.1 » 6.x-2.2
Status: Fixed » Needs work
gdd’s picture

Status: Needs work » Fixed

This is a PHP 5.3 issue, and I'd like to move all discussion over to #809226: PHP 5.3 and Services Issues with call_user_func_array

Thanks

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

iTiZZiMO’s picture

Version: 6.x-2.2 » 6.x-3.x-dev

same issue for services 3.x

i had to disable the following code part (line 139, services.runtime.inc)

  /** Call default or custom access callback
  if (call_user_func_array($controller['access callback'], $access_arguments) != TRUE) {
    global $user;
    return services_error(t('Access denied for user !uid "@user"', array(
      '!uid'  => $user->uid,
      '@user' => isset($user->name) ? $user->name : 'anonymous',
    )), 401);
  }
  **/

no i can get a session id via path/to/endpoint/system/connect

is there any possibilty to fix this issue?

aJudoChopChop’s picture

#50 Solved it for me! Strong cast that punk. Thanks attics!