Admin access as readonly user
Hi,
currently the method ServiceInterface.getUserByUserName returns all relevant information on ANY user even though it is executed by a readonly user. This way every user can retrieve the user token for an admin account and log in as one.
Cheers, Andreas
Good catch. There are probably more API calls with similar issues, see issue https://github.com/opensourceBIM/BIMserver/issues/523. But I think you cannot retrieve the password even if you know the user name.
One might, since the method also returns hash and salt, but it would probably take a considerable amount of time.
If I am not mistaken there is no restriction on the number of failed logins, so you could brute-force through the front door anyway. But you are right, with the hash and salt you could operate without being seen while doing so, and that should not be possible for ordinary users. Also OAuth tokens should not leak this way, though OAuth is not fully implemented anyway. Note also that user and permission management should be handled outside of BIMserver, at least currently and probably also in the future (see https://github.com/opensourceBIM/BIMserver/issues/732).
Will keep this issue open to address it in one go with the other auth issues.
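For reference, the defensive pattern discussed above (a lookup that never returns hash or salt, and releases a token only to the account owner or an admin), as an added example that is not BIMserver's code; `StoredUser`, `UserView`, `Role` and the constructed user map are hypothetical stand-ins.

```java
import java.util.Map;

// Added example, not BIMserver code: a role-aware projection of a stored user
// record. Credential material (hash, salt) has no field in the response type,
// so it cannot leak regardless of who calls; the login token is released only
// to the account owner or an administrator, decided from the authenticated caller.
public class UserLookupExample {

    enum Role { READ_ONLY, USER, ADMIN }

    // Persisted record (hypothetical stand-in for the real user entity).
    record StoredUser(String username, Role role, String passwordHash,
                      String salt, String token) {}

    // API response type: deliberately has no hash or salt field.
    record UserView(String username, Role role, String token) {}

    // Constructed sample data; values are placeholders, not real credentials.
    static final Map<String, StoredUser> USERS = Map.of(
        "admin",  new StoredUser("admin",  Role.ADMIN,     "<hash>", "<salt>", "admin-token-constructed"),
        "reader", new StoredUser("reader", Role.READ_ONLY, "<hash>", "<salt>", "reader-token-constructed"));

    // The caller is the authenticated principal of the session, never a request parameter.
    static UserView getUserByUserName(StoredUser caller, String userName) {
        StoredUser target = USERS.get(userName);
        if (target == null) {
            throw new IllegalArgumentException("user not found");
        }
        boolean mayReadToken = caller.role() == Role.ADMIN
                || caller.username().equals(target.username());
        // Non-owners who are not admins get the public fields only (token omitted).
        return new UserView(target.username(), target.role(),
                mayReadToken ? target.token() : null);
    }

    public static void main(String[] args) {
        StoredUser reader = USERS.get("reader");
        // A read-only user looking up the admin account receives no token.
        System.out.println(getUserByUserName(reader, "admin"));
        // The same user looking up their own account does receive their token.
        System.out.println(getUserByUserName(reader, "reader"));
    }
}
```

Requires Java 16 or later for records.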