Yes, it is a security violation, but with the details (apiName, apiVersion,
apiProvider, description, subscribedTier, status) that he can get, the
security threat is minimal.
Also, we have added logic to check if the request is from the same tenant
domain.


On Thu, Oct 17, 2013 at 10:53 AM, Nuwan Dias <nuw...@wso2.com> wrote:

> This means that anyone having a valid user account can login and retrieve
> subscription information of another user, right? If so, isn't it a security
> violation?
>
> Thanks,
> NuwanD.
>
>
> On Thu, Oct 17, 2013 at 10:45 AM, Punnadi Gunarathna <punn...@wso2.com> wrote:
>
>> Hi All,
>>
>> In API-M 1.5.0 there is an API [1] in [2] which takes the application name as
>> the input parameter and returns API information [3]. Moreover, it uses the
>> logged-in user's username to get the results, along with the application
>> name.
>>
>> [1] getSubscriptionByApplication
>> [2]
>> store/site/blocks/subscription/subscription-list/ajax/subscription-list.jag
>> [3] apiName, apiVersion, apiProvider, description, subscribedTier, status
>>
>> But as per the requirement in App Factory, only app owners can subscribe
>> to APIs. Therefore the above API can only be invoked when the app owner is logged in
>> to the system (API-M has SSO). The problem is that when other users log in
>> to App Factory, there is no way to get API information by using the above API.
>>
>> Hence I had an offline chat with Dimuthu and we decided to modify [2] in
>> such a way that [1] will require another parameter, which is "username". So
>> I have modified the API as follows and we will use this as a custom patch.
>>
>>     if (action == "getSubscriptionByApplication") {
>>         var appname = request.getParameter("app");
>>         var username = request.getParameter("username");
>>         if (!user) {
>>             print({
>>                 error:true,
>>                 message:msg.error.loginRequired(action)
>>             });
>>             return;
>>         }
>>         if (username == null) {
>>             // no "username" parameter: return the logged-in user's own subscriptions
>>             username = user.username;
>>         } else {
>>             // the tenant domain is the part after the last "@"; a username with no "@"
>>             // has no domain, so compare empty strings instead of calling trim() on undefined
>>             var externalUserDomain = username.indexOf("@") < 0 ? "" : username.substring(username.lastIndexOf("@") + 1);
>>             var loggedInUserDomain = user.username.indexOf("@") < 0 ? "" : user.username.substring(user.username.lastIndexOf("@") + 1);
>>             if (externalUserDomain.trim() != loggedInUserDomain.trim()) {
>>                 // write the error response before returning, otherwise the caller gets no reply at all
>>                 print({
>>                     error:true,
>>                     message:"Logged in user and requested user are from different domains"
>>                 });
>>                 return;
>>             }
>>         }
>>
>>         mod = jagg.module("subscription");
>>         try {
>>             result = mod.getAPISubscriptionsForApplication(username, appname);
>>         } catch (e) {
>>             log.error("Error while retrieving subscriptions for application " + appname + "\n" + e.message);
>>             throw "Error while retrieving subscriptions for application";
>>         }
>>         if (result.error) {
>>             obj = {
>>                 error:result.error,
>>                 message:msg.error.authError(action, username)
>>             };
>>         } else {
>>             obj = {
>>                 error:false,
>>                 apis:result.subscriptions
>>             };
>>         }
>>         print(obj);
>>     } else {
>>         print({
>>             error:true,
>>             message:msg.error.invalidAction(action)
>>         });
>>     }
>>
>> --
>> Thanks and Regards,
>>
>> Punnadi Gunarathna
>> Senior Software Engineer,
>> WSO2, Inc.; http://wso2.com <http://wso2>
>> Blog: http://hi-my-world.blogspot.com/
>> Tel : 94 11 214 5345
>> Fax :94 11 2145300
>>
>>
>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Nuwan Dias
>
> Senior Software Engineer - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



-- 
Thanks and Regards,

Punnadi Gunarathna
Senior Software Engineer,
WSO2, Inc.; http://wso2.com <http://wso2>
Blog: http://hi-my-world.blogspot.com/
Tel : 94 11 214 5345
Fax :94 11 2145300
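The same-tenant-domain gate discussed in this thread, as an added stand-alone example (not the patch posted above or WSO2 code) that can be unit-tested outside Jaggery. It assumes WSO2 tenant-qualified usernames carry the tenant domain after the last "@" (so "alice@example.com@acme.com" belongs to "acme.com"), and labels domain-less usernames with a constructed super-tenant name; it covers the edge cases the posted snippet trips on (no "@" in the username, an email-style username, a missing response on the error path).

```javascript
// Added example, not the thread's patch. Assumption: the tenant domain is the
// part of the username after the LAST "@"; a username without "@" belongs to
// the super tenant, labelled here with a constructed constant.
const SUPER_TENANT_DOMAIN = "carbon.super"; // assumed label for domain-less users

// Returns the tenant domain of a username, or null for an unusable value.
function tenantDomain(username) {
  if (typeof username !== "string" || username.trim() === "") return null;
  const at = username.lastIndexOf("@");
  if (at === -1) return SUPER_TENANT_DOMAIN;
  const domain = username.slice(at + 1).trim().toLowerCase();
  return domain === "" ? null : domain;
}

// Decides which user the subscription lookup may run as. Mirrors the handler's
// response shape: {error:false, username} on success, {error:true, message} otherwise.
function resolveSubscriptionUser(loggedInUser, requestedUsername) {
  if (!loggedInUser || !loggedInUser.username) {
    return { error: true, message: "login required" };
  }
  // No explicit user requested: behave like the original API (own subscriptions).
  if (requestedUsername == null || requestedUsername === "") {
    return { error: false, username: loggedInUser.username };
  }
  const ownDomain = tenantDomain(loggedInUser.username);
  const requestedDomain = tenantDomain(requestedUsername);
  if (requestedDomain === null) {
    return { error: true, message: "invalid username" };
  }
  // Cross-tenant lookups are refused. Any user of the same tenant can still
  // read another tenant user's subscription list, which is the residual
  // exposure the thread judges acceptable for these fields.
  if (requestedDomain !== ownDomain) {
    return {
      error: true,
      message: "Logged in user and requested user are from different domains",
    };
  }
  return { error: false, username: requestedUsername };
}
```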


