What about Services security?

Events happening in the community are now at Drupal community events on www.drupal.org.
csiknor's picture
Posted by csiknor on November 5, 2007 at 10:56am

Hi!

(Unfortunately I couldn't find any information about the subject so I've decided to ask the group memebers wheter they can help.)

I'm creating a flex application using Drupal, Services and AMFPHP. The whole bunch is looking good, but I've a small problem with the security. It is OK to require API KEY and SESSION ID from each request to gain security, but.

My problem is, AFAIK, I can save a node without the right permission. Here's the workflow:

  1. SESSION ID required - set in the Services preferences
  2. access services enabled for anonymous - be able to call services
  3. system.connect() - to get sessionId
  4. node.save(sessionId, node) - without login
  5. the node is created

I don't think it should be saved because anonymous user can only load a node, not save them. After login, save should be permitted.

Can you help me where's the problem, and if there's a way to solve it, then how can I make it.

Thanks,
Norbert

Categories: , , ,

Comments

This doesn't help you much,

Posted by Gambler on December 14, 2007 at 11:24pm
Gambler's picture

This doesn't help you much, but I am curious how you set up the return when using the Session ID.

Every session has a session ID, perhaps you are just getting with the flawed keys and overlapping with another session? You could require the app to report what user is working right now and perhaps the users password. That would have to be a custom service though.

I might be wrong but...

Posted by redben on March 15, 2008 at 3:35pm
redben's picture

It seems like Services module does not integrate Drupal node access API http://api.drupal.org/api/group/node_access/6
Someone correct me please !

Into the code

Posted by redben on March 15, 2008 at 3:49pm
redben's picture

(Waw, first time i look into some drupal code)
I looked at the node_service and at first sight it doesn't seem to check for permissions.

/**
* Returns a specified node.
*/
function node_service_load($nid, $fields = array()) {
$node = services_node_load(node_load(array('nid' => $nid)), $fields);

if (!$node) {
return services_error(t("Could not find the node."));
}

return $node;
}

I had a look to services_node_load too ( which is in the services.module) and could not find any code related to node access permissions. It seems to directly call node module's node_load.
Actually i don't know how (and at wich level) node access is handled in drupal. May be somebody can give us a hint ? Meanwhile i'll go back to drupals docs and read a bit about this !

It's on the module's issues list

Posted by redben on March 15, 2008 at 4:04pm
redben's picture

All my comments might be a little late but i thought i'd add this redirect in case some feels lost...like me !
http://drupal.org/node/222268

Services

Group organizers

Group categories

Discussions

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: