Auth API returns `Error: Permission denied` for non-administrator accounts
Closed this issue · 2 comments
The following applies to DSM 6.0.2-8451 Update 4, I don't have any other versions to test.
The authentication API returns `{"error":{"code":402},"success":false}` for non-administrator accounts.
To authenticate a non-administrator account, the session
parameter must be set to the desired application's name.
However, I can log in with one application, then use another one without having to reauthenticate.
Even better, I can log in with an application for which I don't have permission, then use an application for which I do.
For example, even if the user is explicitly denied access to AudioStation, I can log in with
`/webapi/auth.cgi?api=SYNO.API.Auth&version=3&method=login&account=user&passwd=password&session=AudioStation`
Then list the files in my home folder:
`syno.fs.list({'folder_path':'/home'}, callback);`
But trying to use AudioStation's API, which I don't have access to, gets you `Error 115: The logged in session does not have permission`.
Possible fix
For now, I changed `session = 'SYNO_SESSION_' + Date.now()` to `session = 'FileStation'` in `Auth.login`,
since the FileStation application can't seem to be turned off or removed (easily).
Not pretty, but it seems to be the simplest solution.