Forum Discussion

iarriola's avatar
iarriola
Ace
7 years ago

GDPR personal_data resource only available on Lithium Studio API Browser

I'm trying to develop a custom endpoint at Lithium Studio,  for exposing GDPR functionality described at GDPR Community API support. The query at API browser looks like this:

SELECT personal_data FROM users WHERE id='SOME_ID'

and it perfectly returns the desired data. Then moving that query to a custom endpoint looks like this:

<#compress>
<#assign error = "" />

<#assign userId = http.request.parameters.name.get("userId", "0") />

<#if (userId != "0")>
  <#attempt>
    <#assign query = "SELECT personal_data FROM users WHERE id='${userId}'"/>
    <#assign resp = restadmin("2.0","/search?q=" + query?url)/>

    ${resp.status?json_string}
      ${apiv2.toJson(resp)}

    <#if (resp.status == "success")>
      <#assign userData = resp.data />
      ${apiv2.toJson(userData.items[0])}
    <#else>
      <#assign error = "there is no user with id " + userId?number?c />
      ${error?json_string}
    </#if>
  <#recover>
    <#assign error = .error />
    ${error?json_string}
  </#attempt>
<#else>
  <#assign error = "userId parameter is required" />
  ${error?json_string}
</#if>
</#compress>

After saving it and trying to access the endpoint at :

https://www.my.community.com/forum/s/TENANT_ID/plugins/custom/company/company/custom.user.personal_data?userId=SOME_ID

The result, returns an empty response, something like this:

{
"status" : "success",
"message" : "",
"http_code" : 200,
"data" : {
"type" : "users",
"list_item_type" : "user",
"size" : 1,
"items" : [ {
"type" : "user",
"personal_data" : {
"type" : "user",
"items" : [ ]
}
} ]
},
"metadata" : { }
}
{
"type" : "user",
"personal_data" : {
"type" : "user",
"items" : [ ]
}
}

Can this be considered a bug?

  • luk's avatar
    luk
    Boss
    7 years ago

    iarriola Just a remark: What the above code does, is extremely dangerous...do you realize that because you use restadmin() and a USER-DEFINABLE $_GET parameter "userId", that ANYBODY could get the personal_data of any other user, not just himself...

    In other words: restadmin() elevates anybody to Admin level in terms of API permissions, and you allow the user to specify the ID of the user to query personal_data about...

    I would say, be happy it returns an empty object for now =)!

    • iarriola's avatar
      iarriola
      Ace
      7 years ago

      Hi luk, thanks a lot for the heads up. And yes, I understand how restadmin() works. What's missing on the custom endpoint is a security validation, to see if the logged in user is an API admin user, the endpoint not published yet, and is not intended to be open to the public and community, but for been consumed by a backend service, what's posted here, is just a quick script to check how the data looks like and how can be consumed internally.

      Thanks again :)!

  • cblown's avatar
    cblown
    Boss
    7 years ago

    Is this a permissions issue? When you perform the SELECT in Studio then you are running this as the SuperUser / Admin, when you access the Endpoint you inherit the login permissions of the current logged in user in the browser. If you are un fact Admin in the browser, perhaps there are some other "protections" going on to protect this data?