Auth API returns Error: Permission denied for non-administrator accounts
#28
Comments
kwent
added a commit
that referenced
this issue
Jan 4, 2017
|
Hi @mamartel, It's should be fixed on master. I'll update all DSM packages version and release a new version soon. Thanks again for your investigation. |
|
Hi @mamartel, i just released This issue should be fixed. Regards, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following applies to DSM 6.0.2-8451 Update 4, I don't have any other versions to test.
The authentication API returns
{"error":{"code":402},"success":false}for non-administrator accounts.To authenticate a non-administrator account, the
sessionparameter must be set to the desired application's name.However, I can log with one application, then use another one without having to reauthenticate.
Even better, I can log with an application for which I don't have permission, then use an application for which I do.
For example, even if the user is explicitely denied access to AudioStation, I can log with
/webapi/auth.cgi?api=SYNO.API.Auth&version=3&method=login&account=user&passwd=password&session=AudioStationThen list the files in my home folder:
syno.fs.list({'folder_path':'/home'}, callback);But trying use AudioStation's API, which I don't have access to, gets you a
Error 115: The logged in session does not have permission.Possible fix
For now, I changed
session = 'SYNO_SESSION_' + Date.now()tosession = 'FileStation'inAuth.loginsince the FileStation application can't seems to be turned off or removed (easily).Not pretty but seems to be the simplest solution.
The text was updated successfully, but these errors were encountered: