
Permissions required to query for installed extensions/modules

2024-11-06
2024-11-07
  • Marc Franquesa

    Marc Franquesa - 2024-11-06

    For an integration I'm developing I need to query an iTop instance for the installed extensions/modules to act differently depending on which extensions are installed.

    I can get that info by querying for 'ModuleInstallation' and 'ExtensionInstallation' objects, however my ApplicationToken doesn't have enough permissions:

    API error: The current user does not have enough permissions for exporting data of class ModuleInstallation.
    

    I have tried assigning it profiles which have read-only over all objects (like the ones provided as samples on https://www.itophub.io/wiki/page?id=latest:customization:add-profile-sample#declare_the_new_profiles) and while the profiles work OK for normal users, they don't work for an Application Token (which still gets a not enough permissions error).

    Only if I assign the 'Administrator' profile to the ApplicationToken can I get it to work, but obviously this is something I want to avoid.

    Is this due to some hardcoded bypass on the 'Administrator' profile or some hardcoded restriction over 'ApplicationToken'? How can I achieve that?

     
  • Stephen Abello

    Stephen Abello - 2024-11-06

    Hi Marc,
    We rarely encounter this case as most of the time we check if a class is present to determine if a module is installed, like class_exists('Attachment') to check if itop-attachments is installed.

    If you wish to proceed with your method and you think you won't disclose what could be considered sensitive information with your query, you could bypass the security check on your DBObjectSearch like this:

    $oSearch->AllowAllData();
    

    Otherwise you could create your own profile like in the link you provided, but you need to explicitly put your 2 classes in your profile (as using the * only grants rights to all bizmodel classes, the classes that appear in the UI, to avoid security issues)

    Hope this helps
    Stephen

     
    • Marc Franquesa

      Marc Franquesa - 2024-11-06

      Thanks for the quick response.

      None of the PHP tricks is applicable to my solution as I am doing pure HTTP/REST API calls through Ansible.

      I already tried to create a specific profile just for these ObjectClasses, but I still get the same error:

      API error: The current user does not have enough permissions for exporting data of class ModuleInstallation.
      

      I thought the restriction could come from any priv_XXX tables, but any plain user through the UI with permissions to Run OQL Queries can simply "SELECT ModuleInstallation" and get the listing (so it seems the default permission is READ).

      It's only when I use Application Tokens (REST Service User and Configuration Manager profiles) that I get the denied error. And it only works if I assign the "Administrator" Profile. So, I point to either some hardcoded 'by-pass' by the administrator profile or a specific restriction for ApplicationToken users.

       

      Last edit: Marc Franquesa 2024-11-06
  • Stephen Abello

    Stephen Abello - 2024-11-07

    I just checked in the code.

    It seems that ModuleInstallation and ExtensionInstallation are under the core,view_in_gui category.

    When checking rights on a view_in_gui class only Read can be granted (if you are not Administrator), but REST services check for Read and Bulk read rights even if you try to get only 1 object, so you get your permissions error.

    I'm not sure you can bypass the Administrator rights.

    The only solution I can think of is creating your own REST service in an extension by declaring a class that implements iRestServiceProvider, copy the code of the core/get service into your own service and do not check the Bulk read rights when trying to get ModuleInstallation or ExtensionInstallation

    I know this is not ideal but I hope this helps

     
  • Marc Franquesa

    Marc Franquesa - 2024-11-07

    Thanks again for your quick response and the time to check this. I wanted to check the code by myself but didn't know where to start; thanks to you I identified the core files to look for (and clearly understand your points):

    REST Services require both READ and BULK_READ in core/restservices.class.inc.php, line:

    elseif (UserRights::IsActionAllowed($sTargetClass, UR_ACTION_BULK_READ) != UR_ALLOWED_YES)
    

    But UserRights over 'view_in_gui' category only return UR_ALLOWED_YES if, and only if, READ is requested in core/userrights.class.inc.php block:

    elseif(($iActionCode == UR_ACTION_READ) && MetaModel::HasCategory($sClass, 'view_in_gui'))
    {
        return UR_ALLOWED_YES;
    }
    else
    {
        // Other classes could be edited/listed by the administrators
        return UR_ALLOWED_NO;
    }
    

    By bypass checks for Administrator I meant the line in core/userrights.class.inc.php (which allows admin any kind of Action over any object):

    if (self::IsAdministrator($oUser)) return UR_ALLOWED_YES;
    

    I wanted to avoid requiring a specific module/code precisely to make my code DataModel-transparent and allow potential users to use it without additional requirements (so my code acts differently depending on which modules/extensions are used). Or even allow them to check for their own developed extensions/modules.

    Could I file a bug report/request somewhere to ask for some solution for this? Either by simply allowing READ/BULK_READ over the 'view_in_gui' category or at a higher level (for the future) a specific REST API for metamodel information insights.

    Thanks again for your time and efforts on finding the root-cause.

    Regards

     
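A worked example of the REST exchange discussed in this thread, added here and not code from the iTop project or from either poster: it builds the core/get request an integration would send for ModuleInstallation, then parses the reply so the caller can tell an actual module list apart from the "not enough permissions" denial and fall back accordingly. The URL and token are hypothetical; the reply shape (code/message/objects, a fields map per object), the non-zero code used for the denial and the module field names name/version are assumptions, and both sample replies are constructed, not captured from a real instance.

```python
"""Query iTop for installed modules via REST and classify the reply.

Added example, not part of the original thread or of iTop itself.
Assumptions: the iTop REST reply shape {"code", "message", "objects"},
ModuleInstallation exposing `name` and `version`, and the hypothetical
URL/token below. Sample replies are constructed.
"""
import json
import urllib.parse
import urllib.request

ITOP_URL = "https://itop.example.invalid/webservices/rest.php"  # hypothetical
API_VERSION = "1.3"


class ItopPermissionError(PermissionError):
    """Raised when iTop refuses the export (the error quoted in the thread)."""


def build_get_request(token: str, klass: str,
                      output_fields: str = "name,version") -> urllib.request.Request:
    """Build the POST for operation core/get on `klass`.

    `auth_token` selects Application Token authentication; the operation
    itself travels in the `json_data` form field, as the REST API expects.
    """
    json_data = {
        "operation": "core/get",
        "class": klass,
        "key": f"SELECT {klass}",
        "output_fields": output_fields,
    }
    body = urllib.parse.urlencode({
        "auth_token": token,
        "json_data": json.dumps(json_data),
    }).encode()
    return urllib.request.Request(f"{ITOP_URL}?version={API_VERSION}",
                                  data=body, method="POST")


def parse_installed_modules(raw_reply: str) -> dict:
    """Turn a core/get reply into {module name: version}.

    Raises ItopPermissionError for the permission denial, RuntimeError for
    any other non-zero code, so a caller can fall back (e.g. ask for the
    module list to be supplied by hand) instead of assuming "no modules".
    """
    reply = json.loads(raw_reply)
    if reply.get("code") != 0:
        message = reply.get("message") or ""
        if "not have enough permissions" in message:
            raise ItopPermissionError(message)
        raise RuntimeError(f"iTop REST error {reply.get('code')}: {message}")
    modules = {}
    # An empty result set comes back with objects == null, hence the `or {}`.
    for obj in (reply.get("objects") or {}).values():
        fields = obj["fields"]
        modules[fields["name"]] = fields["version"]
    return modules


def is_permission_denied(raw_reply: str) -> bool:
    """True when the reply is the denial discussed in the thread."""
    try:
        parse_installed_modules(raw_reply)
    except ItopPermissionError:
        return True
    except RuntimeError:
        return False
    return False


def has_module(modules: dict, name: str) -> bool:
    """Decision helper: does the instance run module `name`?"""
    return name in modules


# Constructed sample replies (not captured from a real iTop instance).
SAMPLE_OK = json.dumps({
    "code": 0, "message": None,
    "objects": {
        "ModuleInstallation::1": {"code": 0, "message": "",
                                  "class": "ModuleInstallation", "key": "1",
                                  "fields": {"name": "itop-attachments", "version": "3.1.0"}},
        "ModuleInstallation::2": {"code": 0, "message": "",
                                  "class": "ModuleInstallation", "key": "2",
                                  "fields": {"name": "itop-config-mgmt", "version": "3.1.0"}},
    },
})
SAMPLE_DENIED = json.dumps({
    "code": 1,  # assumed non-zero code for the denial
    "message": "The current user does not have enough permissions for exporting "
               "data of class ModuleInstallation",
    "objects": None,
})

if __name__ == "__main__":
    print(parse_installed_modules(SAMPLE_OK))
    print("denied:", is_permission_denied(SAMPLE_DENIED))
```

Sending the request for real is `urllib.request.urlopen(build_get_request(token, "ModuleInstallation"))`; the point of separating the parser is that a denial with an under-privileged token must not be silently treated as "no modules installed", which would make the integration behave as if every optional extension were absent.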
  • Stephen Abello

    Stephen Abello - 2024-11-07

    You could file a ticket in the dedicated section on SourceForge or send a pull request on GitHub, but as it exposes more sensitive data I'm not sure it will be accepted. Moreover your code would only work with iTop up to date with the change you propose.

    To do this kind of job today for iTop Hub and the ITSM Designer we have specific extensions that calculate themselves the installed modules and send them to our distant tools. I would not find it shocking for you to require the installation of an extension you propose.

    Otherwise you still have the option to require the REST user to be Administrator, even if it's a bit risky as exposing the token could lead to iTop takeover.

    Or you could require the installed modules (that are found in the about box for admins) to be uploaded manually in your tool.

     

    Last edit: Stephen Abello 2024-11-07
