
API issue with list_surveys

2 years 4 months ago #222205 by Mapache
Coming from 3.27.25+211116 LTS I wanted to use list_survey_groups (which was introduced in 4.5.0).
However, I am having issues with the API starting from 4.3.34 (up to 5.2.2), as it is not behaving as expected:

Test-Setup:
- There are three surveys in total.
- There is a user "USER" who owns two of them (empty "Survey permissions" list).
- The other one is owned by "admin" (empty "Survey permissions" list).
- There is a user "api" which is used to access the API (JSON-RPC)

3.27.25+211116 LTS:
- In this setup the "api" user has no extra permissions other than "Use internal database authentication" (default).
- I can call list_surveys like so:
Code:
{"method": "list_surveys", "params": ["TOKEN", "USER"], "id": 1}
- With this the API returns all surveys for USER just as expected.
- For null instead of USER the API returns all surveys (for all users).

up to 4.3.34:
- Same behaviour as 3.27.25+211116 LTS

4.4.0+:
- With the same settings / permissions, the API returns no results
Code:
{"id":1,"result":{"status":"No surveys found"},"error":null}
- If I grant "View/read" permissions for the "api" user on "Surveys" the API returns all surveys with USER set or null.

I am not able to fetch surveys for a specific user no matter what permission I grant to the "api" user; I either receive all surveys or none.
Am I missing something here or is this a bug?
The topic has been locked.
2 years 4 months ago #222230 by DenisChenu
> - With this the API returns all surveys for USER just as expected.
> - For null instead of USER the API returns all surveys (for all users).

? It's really a big security issue here!

And I cannot confirm this with 3.27.25: a user sees only the surveys they have rights on …
Are you sure you didn't give him Read rights on all surveys?

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
2 years 4 months ago - 2 years 4 months ago #222231 by Mapache
The "api" user has no other permissions than "Use internal database authentication" (see screenshot).

I just checked it again:

With
Code:
{"method": "list_surveys", "params": ["TOKEN", null], "id": 1}
the API responds with no results (=> wrong in my first post above, no security issue here).

However:

With
Code:
{"method": "list_surveys", "params": ["TOKEN", "admin"], "id": 1}
the API responds with all surveys belonging to the user "admin" (I picked ten random surveys from the response and checked whether the "api" user appears in their "Survey permissions" list, which it does not).

As the user "api" has no permission to see other users' surveys, this could probably be considered a security issue.

Also, the question remains: how can I fetch the surveys of a specific user on 5.x via list_surveys through an API user account?
Last edit: 2 years 4 months ago by Mapache.
2 years 4 months ago - 2 years 4 months ago #222255 by Mapache
If I grant "View/read" permissions for the "api" user on "Surveys" and "Survey groups" the API response for both
Code:
{"method": "list_surveys", "params": ["TOKEN", null], "id": 1}
and
Code:
{"method": "list_surveys", "params": ["TOKEN", "ANYOTHERUSER"], "id": 1}
on 5.x are the same: I get a list of all surveys for every user.

It seems as if the query for surveys does not obey the "$sUsername" of
Code:
list_surveys(string $sSessionKey,string|null $sUsername = null): array
if set.
Last edit: 2 years 4 months ago by Mapache.
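As an added example (not code from this thread or from the LimeSurvey project), the following Python script builds the JSON-RPC calls shown in the posts above and automates the comparison Mapache is doing by hand: it parses list_surveys responses (including the {"status": "No surveys found"} result) and reports whether the username argument actually changed the listing. The responses embedded below are constructed sample data, not captured from an instance, and the row field names (sid, surveyls_title, startdate, expires, active) are an assumption, since the thread does not show a full response.

```python
import json


def rpc_request(method, params, req_id=1):
    """Serialise one JSON-RPC call in the envelope used in the thread,
    e.g. list_surveys(sessionkey, username)."""
    return json.dumps({"method": method, "params": params, "id": req_id})


def parse_list_surveys(raw):
    """Return the sorted survey ids from a list_surveys response.

    A result of {"status": "No surveys found"} is an empty listing; any other
    status string or a non-null "error" member is treated as a failure so a
    permission or session problem is never mistaken for 'no surveys'."""
    resp = json.loads(raw)
    if resp.get("error") is not None:
        raise RuntimeError("JSON-RPC error: %s" % resp["error"])
    result = resp["result"]
    if isinstance(result, dict) and "status" in result:
        if result["status"] == "No surveys found":
            return []
        raise RuntimeError("API status: %s" % result["status"])
    return sorted(int(row["sid"]) for row in result)


def username_filter_ignored(responses):
    """responses maps the username argument (None = unfiltered call) to the
    raw response text of that call.

    Returns True when the symptom described in the thread is present: every
    per-user listing is identical to the unfiltered listing, i.e. the
    $sUsername argument had no effect on what the API account can see."""
    listings = {user: parse_list_surveys(raw) for user, raw in responses.items()}
    unfiltered = listings.get(None)
    if unfiltered is None:
        raise ValueError("an unfiltered (username=None) listing is required")
    per_user = [ids for user, ids in listings.items() if user is not None]
    if not per_user:
        raise ValueError("at least one per-user listing is required")
    return all(ids == unfiltered for ids in per_user)


# --- constructed sample responses (not captured from a real instance) -------
def _ok(sids):
    """Build a success response with the assumed list_surveys row layout."""
    rows = [{"sid": str(s), "surveyls_title": "Survey %d" % s,
             "startdate": None, "expires": None, "active": "Y"} for s in sids]
    return json.dumps({"id": 1, "result": rows, "error": None})


NO_SURVEYS = '{"id":1,"result":{"status":"No surveys found"},"error":null}'

# Expected behaviour (as described for 3.27.25): listings follow ownership,
# USER owns surveys 1 and 2, admin owns survey 3.
RESPONSES_3X = {"USER": _ok([1, 2]), "admin": _ok([3]), None: _ok([1, 2, 3])}

# Reported 5.x behaviour once the "api" user has View/read on Surveys: the
# same full list comes back whatever username is passed.
RESPONSES_5X = {"USER": _ok([1, 2, 3]), "ANYOTHERUSER": _ok([1, 2, 3]),
                None: _ok([1, 2, 3])}

if __name__ == "__main__":
    print(rpc_request("list_surveys", ["TOKEN", "USER"]))
    print("no-surveys status parses to:", parse_list_surveys(NO_SURVEYS))
    print("3.x-style data, filter ignored:", username_filter_ignored(RESPONSES_3X))
    print("5.x-style data, filter ignored:", username_filter_ignored(RESPONSES_5X))
```

To run this against a live instance you would replace the constructed dictionaries with the raw bodies returned for the same three calls (null, the owner of a known survey, and an unrelated user); a True result is the regression the thread reports, and it is worth keeping as a check whenever the API account's survey permissions are changed.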
2 years 4 months ago #222256 by DenisChenu
I checked with an existing 3.27.25: no issue.

1. The remote control user sees only the surveys they have rights on.
2. If you add the username (login), they see the surveys that user has rights on.

2 years 4 months ago - 2 years 4 months ago #222263 by Mapache
@DenisChenu Yes, but I wrote (#222255) that on 5.x (starting from 4.3.34+, as per my initial post) this is not the case anymore.
Last edit: 2 years 4 months ago by Mapache.