REST API - Access to list of all users with non-admin rights
Description
If you use the REST API with a user that has no admin permissions on OpenNMS (admin role), and do a GET on http://<OpenNMS-Host>:8980/opennms/rest/users, you get a list with all users with their MD5 password hash. I'm not sure, but I think it is better if only users with admin permissions can get this information.
Acceptance / Success Criteria
None
Activity
Benjamin Reed April 16, 2014 at 2:51 PM
Fixed in 1.12+
Now users with read-only access get "xxxxxxxx" as the password, and don't have the ability to do POST, PUT, or DELETE.
Users in role=admin or role=rest have the ability to read/write/delete and get password hashes in their responses.
Users also always get their own password hash. So, e.g., if user "ranger" has no special rights and does a GET on /opennms/rest/users/ranger, he sees his own password hash.
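A small audit helper for the access rule described in this comment, added here as an example and not part of OpenNMS itself: it encodes the rule (admin/rest roles see every hash, everyone else only their own, all other password fields come back as "xxxxxxxx") and checks a REST users response against it. The XML layout of the sample response (plain `<users>/<user>/<user-id>/<password>` elements, no namespace) and the hash values are constructed assumptions.

```python
import xml.etree.ElementTree as ET

MASK = "xxxxxxxx"                      # placeholder returned to read-only users after the fix
PRIVILEGED_ROLES = {"admin", "rest"}   # roles allowed to read hashes and write via REST


def hash_visible(requester, requester_roles, target_user):
    """Access rule from the fix: privileged roles see all hashes,
    any other user sees only the hash of their own record."""
    return bool(PRIVILEGED_ROLES & set(requester_roles)) or requester == target_user


# Constructed sample of what GET /opennms/rest/users might return to the
# unprivileged user "ranger". The "rtc" entry is deliberately unmasked so the
# audit has something to flag. Element names are an assumption, not taken
# from the OpenNMS schema.
SAMPLE_RESPONSE = """<users>
  <user><user-id>admin</user-id><password>xxxxxxxx</password></user>
  <user><user-id>ranger</user-id><password>0123456789abcdef0123456789abcdef</password></user>
  <user><user-id>rtc</user-id><password>fedcba9876543210fedcba9876543210</password></user>
</users>"""


def audit_users_response(xml_text, requester, requester_roles):
    """Return the user-ids whose password field is exposed to a requester
    who should only see the mask under the rule above (empty list = clean)."""
    leaks = []
    for user in ET.fromstring(xml_text).iter("user"):
        uid = user.findtext("user-id")
        password = user.findtext("password") or ""
        if password != MASK and not hash_visible(requester, requester_roles, uid):
            leaks.append(uid)
    return leaks


if __name__ == "__main__":
    # A read-only user should only ever see their own hash unmasked.
    print(audit_users_response(SAMPLE_RESPONSE, "ranger", {"user"}))   # ['rtc']
    # An admin is entitled to every hash, so nothing is flagged.
    print(audit_users_response(SAMPLE_RESPONSE, "admin", {"admin"}))   # []
```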
Markus Neumann March 13, 2014 at 9:54 AM
That works at demo.opennms.com too. Gaining admin there is very simple.
Michael Batz June 14, 2012 at 3:06 AM
No, this user doesn't have the role role.rest.users.
David Hustace June 13, 2012 at 5:46 PM
Does the user have the role: role.rest.users from magic-users.properties?