Yes, it is a security violation, but with the details (apiName, apiVersion, apiProvider, description, subscribedTier, status) that he can get, the security threat is minimal. Also, we have added logic to check whether the request is from the same tenant domain.
On Thu, Oct 17, 2013 at 10:53 AM, Nuwan Dias <[email protected]> wrote:

> This means that anyone having a valid user account can log in and retrieve
> subscription information of another user, right? If so, isn't it a security
> violation?
>
> Thanks,
> NuwanD.
>
> On Thu, Oct 17, 2013 at 10:45 AM, Punnadi Gunarathna <[email protected]> wrote:
>
>> Hi All,
>>
>> In API-M 1.5.0 there is an API [1] in [2] which takes the application name as
>> the input parameter and returns API information [3]. Moreover, it uses the
>> logged-in user's username to get the results along with the application
>> name.
>>
>> [1] getSubscriptionByApplication
>> [2] store/site/blocks/subscription/subscription-list/ajax/subscription-list.jag
>> [3] apiName, apiVersion, apiProvider, description, subscribedTier, status
>>
>> But as per the requirement in App Factory, only app owners can subscribe
>> to APIs. Therefore the above API can only be invoked when the app owner is
>> logged in to the system (API-M has SSO). The problem is that when other users
>> log in to App Factory, there is no way to get API information by using the
>> above API.
>>
>> Hence I had an offline chat with Dimuthu and we decided to modify [2] in
>> such a way that [1] will require another parameter, "username". So
>> I have modified the API as follows and we will use this as a custom patch.
>>
>>     if (action == "getSubscriptionByApplication") {
>>         var appname = request.getParameter("app");
>>         var username = request.getParameter("username");
>>         if (!user) {
>>             print({
>>                 error: true,
>>                 message: msg.error.loginRequired(action)
>>             });
>>             return;
>>         }
>>         if (username == null) {
>>             // No explicit user requested: fall back to the logged-in user.
>>             username = user.username;
>>         } else {
>>             // The tenant domain is the part after "@". A username without "@"
>>             // has no domain, so compare "" instead of calling trim() on undefined.
>>             var externalUserDomain = (username.split("@")[1] || "").trim();
>>             var loggedInUserDomain = (user.username.split("@")[1] || "").trim();
>>             if (externalUserDomain != loggedInUserDomain) {
>>                 obj = {
>>                     error: true,
>>                     message: "Logged in user and requested user are from different domains"
>>                 };
>>                 print(obj);
>>                 return;
>>             }
>>         }
>>
>>         mod = jagg.module("subscription");
>>         try {
>>             result = mod.getAPISubscriptionsForApplication(username, appname);
>>         } catch (e) {
>>             log.error("Error while retrieving subscriptions for application \n" + e.message);
>>             throw "Error while retrieving subscriptions for application";
>>         }
>>         if (result.error) {
>>             obj = {
>>                 error: result.error,
>>                 message: msg.error.authError(action, username)
>>             };
>>         } else {
>>             obj = {
>>                 error: false,
>>                 apis: result.subscriptions
>>             };
>>         }
>>         print(obj);
>>     } else {
>>         print({
>>             error: true,
>>             message: msg.error.invalidAction(action)
>>         });
>>     }
>>
>> --
>> Thanks and Regards,
>>
>> Punnadi Gunarathna
>> Senior Software Engineer,
>> WSO2, Inc.; http://wso2.com
>> Blog: http://hi-my-world.blogspot.com/
>> Tel : 94 11 214 5345
>> Fax : 94 11 2145300
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Nuwan Dias
>
> Senior Software Engineer - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
Thanks and Regards,

Punnadi Gunarathna
Senior Software Engineer,
WSO2, Inc.; http://wso2.com
Blog: http://hi-my-world.blogspot.com/
Tel : 94 11 214 5345
Fax : 94 11 2145300
