• Token in Webservice

 #39899  by OKMGuy
 
Hello OKM-Team!
I'm having a really strange problem!

When I execute the following code: (I'm using the SDK for .Net but I get the same results using the "...services/OKMAuth?wsdl" as ServiceReference directly)
Code:
OKMAuth Auth = new OKMAuth("http://localhost:8080/OpenKM");
string[] roles = Auth.getUsers("*here is a valid Token*");

I get, as expected, all users.

Now the strange part is, when I execute the code without a token, I STILL get all the users!?
How is this even possible?
Code:
OKMAuth Auth = new OKMAuth("http://localhost:8080/OpenKM");
string[] roles = Auth.getUsers("asdfjklö");

This code returns all the users, even though the token is complete nonsense?!
Last edited by OKMGuy on Tue Jul 28, 2015 8:49 am, edited 3 times in total.
 #39907  by jllort
 
Which is your OpenKM version?
 #39948  by jllort
 
Can you please share minimal code (only to reproduce the error) and I will check it.

In your case you should use something like:
Code:
OKMWebservice webservice = OKMWebServiceFactory.getInstance("http://192.168.1.34:8180/OpenKM", "okmAdmin", "admin", OKMWebServiceFactory.WS_1_0);
webservice.getUsers("/okm:root");
// or webservice.getUsers("token here", "/okm:root");
 #39959  by OKMGuy
 
I'm using C# with the .Net SDK for OpenKM
Code:
using com.openkm.ws;

public class Program
{
    public static void Main()
    {
        // Connect with the admin credentials
        OKMWebservice webservice = OKMWebServiceFactory.getInstance(
            "http://localhost:8080/OpenKM", "okmAdmin", "xxxx", OKMWebServiceFactory.COMMUNITY_6_0);
        // "nonsense" is not a valid token, yet the call still returns every user
        string[] users = webservice.getUsers("nonsense", "/okm:root");
    }
}

Even without a valid token (I used "nonsense" as token) I get all users!

But I want no results without a valid token, since that's what a token is for... isn't it?
 #39975  by jllort
 
You should use OKMWebServiceFactory.WS_1_0, not OKMWebServiceFactory.COMMUNITY_6_0.

Anyway, I think there's a bug in the Auth module that is not taking the token into consideration.
 #39983  by OKMGuy
 
Thank you for looking into this!

When can we expect this bug to be fixed?

And do you think this is a security issue for our OpenKM System?
 #39996  by jllort
 
The bug only affects a few methods: getRoles, getUsers, getUsersByRole, getRolesByUser, getMail, getName, and all are read-only. I think this information cannot be used to exploit the system.
 #40011  by pavila
 
It's fixed in last night's build. Please try it and verify.
 #40056  by OKMGuy
 
Sorry for the late reply!

Does this fix also apply to the Community Edition or only Professional?
Where can I find the nightly builds to download?
 #40171  by OKMGuy
 
I tested the methods getRoles, getUsers, getUsersByRole, getRolesByUser, getMail, getName. They all now need a valid token to work; you can no longer access any information without a valid token.
Thank you for fixing this so fast!
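
The verification described in the last post can be kept as a repeatable regression check. The following is an added C# example, not part of the thread and not OpenKM or SDK code: `TokenRegressionCheck` and `FindUnauthenticated` are hypothetical names, and the two stub methods and the token value are constructed so the block runs offline.

```csharp
using System;
using System.Collections.Generic;
// Added example: hypothetical helper, not part of the OpenKM SDK.
public static class TokenRegressionCheck
{
    // Each entry wraps one token-taking call; returns names that answer a bad token.
    public static List<string> FindUnauthenticated(
        IDictionary<string, Func<string, object>> calls, string validToken)
    {
        // Random value, so it cannot collide with a live session token.
        string bogus = "invalid-" + Guid.NewGuid().ToString("N");
        var leaking = new List<string>();
        foreach (KeyValuePair<string, Func<string, object>> call in calls)
        {
            // Control: must work with a good token, or an outage reads as "rejected".
            call.Value(validToken);
            try
            {
                call.Value(bogus);
                leaking.Add(call.Key); // data came back: token was ignored
            }
            catch (Exception)
            {
                // Rejected, which is the behaviour expected after the fix.
            }
        }
        return leaking;
    }

    public static void Main()
    {
        // Constructed stubs standing in for a pre-fix and a post-fix method.
        const string valid = "constructed-valid-token";
        Func<string, object> ignoresToken = t => new[] { "okmAdmin" };
        Func<string, object> checksToken = t =>
        {
            if (t != valid) throw new UnauthorizedAccessException("invalid token");
            return new[] { "okmAdmin" };
        };
        var calls = new Dictionary<string, Func<string, object>>
        {
            { "getUsers", ignoresToken },
            { "getRoles", checksToken },
        };
        foreach (string name in FindUnauthenticated(calls, valid))
            Console.WriteLine(name + " answered without a valid token");
    }
}
```

Against a real server each delegate would wrap one SDK call, for example `t => webservice.getUsers(t, "/okm:root")`, which is the only token-taking signature shown in the thread.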
