Titanium JIRA Archive
Appcelerator Community (AC)

[AC-974] When user1 creates a new user2, can modify/delete all user2's stuff

GitHub Issue: n/a
Type: Bug
Priority: n/a
Status: Resolved
Resolution: Cannot Reproduce
Resolution Date: 2014-03-17T00:54:07.000+0000
Affected Version/s: n/a
Fix Version/s: n/a
Components: Documentation
Labels: doc-request
Reporter: Manuel Conde Vendrell
Assignee: Shuo Liang
Created: 2014-02-27T20:28:28.000+0000
Updated: 2016-03-08T07:37:18.000+0000

Description

Usually one user cannot edit/delete another user's stuff (without ACLs). Now consider the next situation:
- I create User1 with the Console.
- I create User2 within the User1 session.
- I create a CustomObject with the User1 session: Obj1.
- I create a CustomObject with the User2 session: Obj2.
With this situation:
- With both users I can read both objects.
- With User1 I can edit/delete Obj1 & Obj2.
- With User2 I can edit/delete Obj2 but cannot edit/delete Obj1.
In some way, not explained in the docs, User2 belongs to User1 (but there is no proof of it when looking at User2's info in the console), so User1 inherits the owner and can do whatever he wants with User2's objects. It would be good to reflect this in the docs, because it's a special situation that can cause some surprises (although it has logic).

Comments

  1. Ritu Agrawal 2014-02-28

    From the documentation: "For regular users (non-admin users), after successfully executing this command, you will be logged in as the new user and the session ID will be associated with the newly created user. For example, when user A creates user B, user A is now logged in as user B and user A's session ID belongs to user B. For admin users, you will still be logged in as the admin user." Did you make sure that you logged in as User 1 explicitly in your case before looking at User 2's objects? Is User 1 an admin?
  2. Manuel Conde Vendrell 2014-02-28

    Hi Ritu. Yes, I'm completely sure, because User2 was created some days ago. Also, to create the initial objects, I logged in again with the right user. Then yesterday I logged in as User2 to make the test and I was not able to delete User1's objects. Then I logged out and logged in as User1 to try to delete User2's objects... and I was able to. I also checked the "user_id" field on the objects to verify that the object I was trying to delete belonged to the user I expected. Neither user is an admin user; in fact, none of them can use special operations, like PushNotification.notify with the to_ids parameter set to everyone (which is only allowed for admins).
  3. Ritu Agrawal 2014-03-03

    I need a couple of clarifications: 1. Are you creating users and objects using the ACS Web console (cloud.appcelerator.com) or using curl commands? 2. You mentioned that you created User2 using the User1 session. How did you log in with User1's credentials? ACS console or curl commands?
  4. Manuel Conde Vendrell 2014-03-03

    1. Using Node.ACS code (I suppose it's equivalent to curl). I don't use the console for anything more than creating the first user (User1), because I need one user to log in the first time in my system. After that, I log in with that user and, with my CRUD, I can create the other users. 2. I log in through my own system, using Node.ACS code. I put here the code I'm using to log in and create a user (in this case I'm logged in as User1):
        ACS.Users.login({
            // Get fields from form
            login: req.body.username,
            password: req.body.password
        }, function(data) {
            if (data.success) {
                // Set session data to be used later throughout the app
                req.session.session_id = data.meta.session_id;
                req.session.user_id = data.users[0].id;
                req.session.fullname = data.users[0].first_name + ' ' + (data.users[0].last_name || '');
                req.session.userdata = data.users[0];

                res.redirect('/home');
            } else {
                res.redirect('/error');
            }
        });

        // Fields for the new user, taken from the admin form
        var params = {
            id: id,
            username: username,
            password: password,
            password_confirmation: password2,
            first_name: first_name,
            last_name: last_name,
            email: email
        };

        ACS.Users.create(params, function(data) {
            if (data.success) {
                console.log('User "' + username + '" created');
                res.redirect('/admin/users');
            } else {
                console.log('Error: ' + ((data.error && data.message) || JSON.stringify(data)));
            }
        });

    After executing this code, I didn't see that the current user changed, as you pointed out to me. If you look at my login function, I store the session_id, which I use later to save any kind of object (that's why the currently logged-in user is the owner of its objects):
        ACS.Objects.create({
            classname: 'Languages',
            // Stored at login; see the login handler above
            session_id: req.session.session_id,
            fields: {
                name: name,
                key: key
            }
        }, function(data) {
            if (!data.success) {
                console.log('Error: ' + ((data.error && data.message) || JSON.stringify(data)));
            }
        });

  5. Shuo Liang 2014-03-11

    Hi, according to your code, there may be 2 things missing that I can see. 1. In the ACS.Objects.create method, there is no valid parameter called session_id. There is a valid parameter called user_id, which can create the object for another user if the current user is an app admin. So based on your code, the object 'languages' is actually created for the current user, not associated with the session_id you saved. Ref: http://docs.appcelerator.com/cloud/latest/#!/api/CustomObjects-method-create 2. You said that after executing the create-user code you didn't see the current user change. But after you create user B, if user A is not an admin, user B is supposed to take user A's session_id and become the current user, as if user A had logged out. Ref: http://docs.appcelerator.com/cloud/latest/#!/api/Users-method-create
  6. Manuel Conde Vendrell 2014-03-12

    Hi Shuo. About point 1: you are right, session_id is only there to validate that I'm logged in as a valid user; it has no effect on the creation. About 2: I'm not sure that the session changes automatically to User2, because with User1 I created User2, User3, User4 in a row... but I will do a test, because that would mean that User2 could delete User3's objects, User3 also User4's, and so on... in a chain, if this "inheritance" exists. Nevertheless, User1 is still able to delete all the other users' objects, as if he were the owner of all of them. Summarizing: No admins. I create User2 from User1, I later log out and log in again as User2, create objects for User2, but I'm able to delete User2's objects with User1's credentials. This situation is not explained in the docs.
  7. Shuo Liang 2014-03-12

    Hi, I reproduced your issue on the curl command line like this:
    1. Login as *User A*.
    2. Create *User B* while *User A* is logged in.
    3. Show the current user to make sure the current user is *User B*.
    4. Create *Object B* while *User B* is logged in.
    5. Logout *User B* and login as *User A*.
    6. Delete *Object B* when the current user is *User A*.
    7. Returns the error "You don't have permission to delete object ..."
    So based on my test, I did see the problem you mentioned. Would you please double check your code, and make sure there are no admin users and no ACLs. Then log in to the ACS web console and check all the objects' owners against your expectations. For example, check that Object B's owner is only User B, nobody else. Then reproduce the same test again.
  8. Manuel Conde Vendrell 2014-03-12

    Ok, I did my tests again, even more exhaustively, and the results were the same (by the way, REST doesn't always work the same as the ACS.Node code).
    1. Login as *User A*
    2. Create *Object A*
    3. Create *User B* while *User A* is logged in
    4. Create *User C* while (I suppose) *User A* is logged in (I mean, I didn't log out, but in theory the docs say I'm now User B. I still believe it is User A)
    5. Logout and login as *User B*
    6. Create *Object B1* and *Object B2*
    7. Logout and login as *User C*
    8. Create *Object C1* and *Object C2*
    9. List all objects
    10. Logout and login as *User B*
    11. Try to delete *Object C1* (with *User B*): error, no permissions
    11. Try to delete *Object B1* (with *User B*): ok, it works
    12. Try to delete *Object A* (with *User B*): error, no permissions
    13. Logout and login as *User C*
    14. Try to delete *Object C1* (with *User C*): ok, it works
    15. Try to delete *Object B2* (with *User C*): error, no permissions
    16. Try to delete *Object A* (with *User C*): error, no permissions
    17. Logout and login as *User A*
    18. Try to delete *Object C2* (with *User A*): ok, it works
    19. Try to delete *Object B2* (with *User A*): ok, it works
    20. Try to delete *Object A* (with *User A*): ok, it works
    Only ONE thing differentiates User A from B or C: in the field ROLE it has the value "admin", but that field is supposed to be like any other one, a descriptive field. The other two users have "publisher" as the ROLE value. And here comes my surprise!: if I change ROLE from "admin" to "publisher"... then *User A* cannot delete the other users' objects. WTF!!??
  9. Manuel Conde Vendrell 2014-03-12

    I *CAN CONFIRM* that, if I set the ROLE field to "admin" on my users, they can delete other users' objects. I set it for *User C* and I was able to delete User A's objects. If this is a BUG, I love this bug, because it's exactly what I was looking for (setting an admin role by code, not from the Web Console) when I set the role field.
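The cross-user delete matrix that comments 7 to 9 walk through step by step, replayed against a toy in-memory model as an added example (this is not code from the ticket, the reporter or the ACS SDK): one rule is the documented owner-only behaviour, the other is what the reporter observed, where a descriptive "role" field of "admin" grants delete rights on everyone's objects. Users, objects and roles are constructed for the test; the audit returns every delete that would succeed against an object the caller does not own.

```javascript
// Added example, not code from the ticket or the ACS SDK. Two candidate
// authorization rules for deleting a custom object; every user, object and
// role below is constructed for the test.

// Documented behaviour: without ACLs or admins, only the owner may delete.
const ownerOnly = (caller, obj) => obj.ownerId === caller.id;

// Behaviour the reporter observed: a descriptive "role" field of "admin"
// lets the caller delete objects owned by anyone.
const ownerOrRoleAdmin = (caller, obj) =>
  obj.ownerId === caller.id || caller.role === 'admin';

class ToyObjectStore {
  constructor(canDelete) {
    this.canDelete = canDelete; // authorization rule under test
    this.users = new Map();
    this.objects = new Map();
  }
  createUser(id, role) { this.users.set(id, { id, role }); }
  createObject(ownerId, key) { this.objects.set(key, { key, ownerId }); }
  // Returns whether the delete is authorized. The store is not mutated, so
  // every (caller, object) pair can be probed in one run.
  deleteAllowed(callerId, key) {
    const caller = this.users.get(callerId);
    const obj = this.objects.get(key);
    if (!caller || !obj) throw new Error('unknown user or object');
    return this.canDelete(caller, obj);
  }
}

// Replays the thread's scenario: A has role "admin", B and C have role
// "publisher", each owns one object, and every user tries to delete every
// object. Returns the deletes that succeed but violate the owner-only rule.
function auditCrossUserDeletes(canDelete) {
  const store = new ToyObjectStore(canDelete);
  const roles = { A: 'admin', B: 'publisher', C: 'publisher' };
  for (const [user, role] of Object.entries(roles)) {
    store.createUser(user, role);
    store.createObject(user, 'Object ' + user);
  }
  const violations = [];
  for (const caller of Object.keys(roles)) {
    for (const owner of Object.keys(roles)) {
      const key = 'Object ' + owner;
      if (caller !== owner && store.deleteAllowed(caller, key)) {
        violations.push(caller + ' can delete ' + key);
      }
    }
  }
  return violations;
}
```

Against a live deployment the same matrix is driven through the real delete endpoint instead of the toy store; a violation list that appears or disappears when only the role field changes is the finding to report.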
  10. Shuo Liang 2014-03-17

    Using both the SDK and the REST API to test, none of them can reproduce the situation described in this ticket. I checked the Role parameter in the source code. It is a simple descriptive property and does not affect the admin user.
  11. Manuel Conde Vendrell 2014-03-17

    You can't reproduce it? Oh, I currently have two projects running and it happens on both. Well, it doesn't matter; for me it's perfect this way, just what I need.