Comments (4)
I tried to add some debugging code to lib/php/common-plugin.php, function find_plugin().
It seems that when trying to call view_info from the REST API, the loaded plugins are only smauth, auth, init, refresh, treenav, advice_license, Getting Started, home, thirdPartyLicenses-FOSSology, about, agent_copyright_once, topnav, while when calling it from the WebUI all plugins are loaded.
Some little progress in debugging...
I added:
    $NewPlugin->PostInitialize();
at the end of www/ui/ui-view-info.php, and now I get a different error: "403: Upload is not accessible".
So I added a debug line to www/ui/api/Controllers/RestController.php before that error is thrown, in order to show the group id, and the group id is 2 (as if I weren't logged in, but I am, and all other REST API calls work normally...).
Found the bug!
It's in src/www/ui/api/Middlewares/RestAuthMiddleware.php:
    $authFreePaths = ["/version", "/info", "/openapi", "/health"];
    $isPassThroughPath = false;
    foreach ($authFreePaths as $authFreePath) {
        if (strpos($requestPath, $authFreePath) !== false) {
            $isPassThroughPath = true;
            break;
        }
    }
Any path ending with "/info" (or with other authFreePaths) is treated as an auth-free path, so /uploads/{id}/item/{itemId}/info also falls into this "exception". Removing "/info" from that list solves the problem, but it's the next foreach cycle that needs to be changed. I will work on it later.
Bug found and solved!
In the RestAuthMiddleware class, there is some code that excludes some endpoints from authentication ("/info", "/openapi", "/health"), but the problem is that the code simply searches for such strings inside the request path, so paths like /uploads/{id}/item/{itemId}/info are also excluded from authentication. In such a case, the user is set to "Default User" even if the request is authenticated with a token, and thus all plugins that require authentication (including view_info) are not loaded, so the above error occurs (500: Unable to find plugin view_info).
If one tries to force loading of view_info (by adding a call to PostInitialize() in the corresponding source file) and adds some debug code, they can verify that the user is set to "Default User" and the group id to 2, even if the request is authenticated, and therefore one gets a 403 error ("Upload is not accessible").
By modifying src/www/ui/api/Middlewares/RestAuthMiddleware.php in the following way, the endpoint works correctly instead:
    $authFreePaths = ["/info", "/openapi", "/health"];
    $isPassThroughPath = false;
    // path is /repo/api/v2/<endpoint>, we need to get only the endpoint part
    $parts = explode("/", $requestPath, 5);
    $endpoint = "/".end($parts);
    foreach ($authFreePaths as $authFreePath) {
        if ( $endpoint === $authFreePath ) {
            $isPassThroughPath = true;
            break;
        }
    }
I will open a PR.
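The two matching strategies discussed in this thread, side by side, as an added example that is not FOSSology's own code: the substring check from the middleware beside the exact-endpoint check from the proposed fix, run over constructed request paths. It assumes the API is mounted at /repo/api/vN/<endpoint>, as the comment above does; the sample paths are constructed for illustration.

```php
<?php
// Added example (not FOSSology's own code). Assumes the API mounts at
// /repo/api/v<N>/<endpoint>, so the endpoint is the 5th explode() part.

const AUTH_FREE_PATHS = ["/version", "/info", "/openapi", "/health"];

// Original logic: strpos() matches the allow-listed string anywhere in the
// path, so any route that merely contains "/info" skips authentication.
function isPassThroughBySubstring(string $requestPath): bool
{
    foreach (AUTH_FREE_PATHS as $authFreePath) {
        if (strpos($requestPath, $authFreePath) !== false) {
            return true;
        }
    }
    return false;
}

// Fixed logic from the comment: look only at the part after /repo/api/vN/
// and require an exact match, so nested routes fail closed (auth required).
function isPassThroughByEndpoint(string $requestPath): bool
{
    $parts = explode("/", $requestPath, 5); // ["", "repo", "api", "v2", "<rest>"]
    $endpoint = "/" . end($parts);
    foreach (AUTH_FREE_PATHS as $authFreePath) {
        if ($endpoint === $authFreePath) {
            return true;
        }
    }
    return false;
}

// Constructed sample paths: two genuinely public routes, the nested /info
// route from the report, and a trailing-slash variant of the public route.
$samples = [
    "/repo/api/v2/info",
    "/repo/api/v2/health",
    "/repo/api/v2/uploads/5/item/77/info",
    "/repo/api/v2/info/",
];

printf("%-40s %-10s %-10s\n", "path", "substring", "endpoint");
foreach ($samples as $path) {
    printf("%-40s %-10s %-10s\n", $path,
        isPassThroughBySubstring($path) ? "skip auth" : "auth",
        isPassThroughByEndpoint($path) ? "skip auth" : "auth");
}
```

Under the exact-match version the trailing-slash variant also requires authentication, which is the safe direction for an allow list; under the substring version it, like the nested item route, bypasses the auth middleware.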