Wrong user info is shown when requesting /api/v1/users/me and passing an email through "X-On-Behalf-Of" header

Infos:

  • Used Zammad version: 3.2.x
  • Used Zammad installation source: Install on Ubuntu via DEB
  • Operating system: Ubuntu 16.04 LTS
  • Browser + version: Chrome 78.0.3904.108

I’m getting wrong user information when running a request via the REST API using the “X-On-Behalf-Of” header:
curl -H "Authorization: Token token=<token>" -H 'X-On-Behalf-Of: "123asd@my.email"' -H "Content-Type: application/json" http://zammad.local/api/v1/users/me

Expected behavior:

  • Getting info about user with email 123asd@my.email

Actual behavior:

  • Getting info about user with id 123. These are different users.

Steps to reproduce the behavior:

  • Create a user whose email starts with digits
  • Create a user whose id is the same digits as the start of the other user’s email
  • Run an API request from the Infos

Additional infos:

I fixed this temporarily for my Zammad installation by editing:
/opt/zammad/app/controllers/application_controller/has_user.rb

Line 49 changed from:
%i[id login email].each do |field|
to
%i[email login id].each do |field|

Personally I don’t think that this is a bug but intended, because most of the things you want to do on behalf of someone else are not fetching data about your account directly, but information as someone else (besides the updating).

Maybe @thorsteneckel can give some feedback here if he found some spare time.

Hey @alexdonskih - welcome back! I think this is a misunderstanding. If the header contains 123asd@my.email it won’t find the user with the ID 123. I assume the User with ID 123 has the login 123asd@my.email in your case and it will be found before the User with the email 123asd@my.email. This is because of the order: %i[id login email]. We don’t do a partial lookup of the string but only exact matches.

Hi @MrGeneration and @thorsteneckel,

Thanks for the quick response!

Ok, let me give you a more detailed explanation.

In my case first user has:

id = 4
login = 500m***t@gmail.com
email = 500m***t@gmail.com

Second user has:

id = 500
login = li***8904@gmail.com
email = li***8904@gmail.com

(These are real emails with some symbols replaced with asterisks for privacy).

I do a request:

curl -H "Authorization: Token token=<token>" -H "X-On-Behalf-Of: 500m***t@gmail.com" -H "Content-Type: application/json" http://zammad.local/api/v1/users/me

The result is:

{
  "id": 500,
  "organization_id": null,
  "login": "li***8904@gmail.com",
  "firstname": "Lion",
  "lastname": "***e",
  "email": "li***8904@gmail.com",
  "image": null,
  "image_source": null,
  "web": "",
  "phone": "",
  "fax": "",
  "mobile": "",
  "department": "",
  "street": "",
  "zip": "",
  "city": "",
  "country": "",
  "address": "",
  "vip": false,
  "verified": false,
  "active": true,
  "note": "",
  "last_login": null,
  "source": null,
  "login_failed": 0,
  "out_of_office": false,
  "out_of_office_start_at": null,
  "out_of_office_end_at": null,
  "out_of_office_replacement_id": null,
  "preferences": {
    "locale": "en-us",
    "tickets_closed": 0,
    "tickets_open": 1
  },
  "updated_by_id": 500,
  "created_by_id": 3,
  "created_at": "2019-12-01T05:29:02.820Z",
  "updated_at": "2019-12-03T09:47:09.299Z",
  "role_ids": [
    3
  ],
  "organization_ids": [],
  "authorization_ids": [],
  "group_ids": {}
}

This issue was not happening until the user with id 500 was created.

Then, to double check this, I’ve taken another user whose email starts with digits:

id = 3703
login = 12711@stu.***rich5.org
email = 12711@stu.***rich5.org

And created a user with the id 12711:

id = 12711
login = alex***skih@gmail.com
email = alex***skih@gmail.com

curl -H "Authorization: Token token=<token>" -H "X-On-Behalf-Of: 12711@stu.***rich5.org" -H "Content-Type: application/json" http://zammad.local/api/v1/users/me

The result is:

{
  "id": 12711,
  "organization_id": 1,
  "login": "alex***skih@gmail.com",
  "firstname": "Alexander",
  "lastname": "***skikh",
  "email": "alex***skih@gmail.com",
  "image": "cb478cb900c9d6a9e6506fee09519ed1",
  "image_source": "",
  "web": "",
  "phone": "",
  "fax": "",
  "mobile": "",
  "department": "",
  "street": "",
  "zip": "",
  "city": "",
  "country": "",
  "address": "",
  "vip": false,
  "verified": false,
  "active": true,
  "note": "",
  "last_login": "2019-07-10T10:23:06.108Z",
  "source": "",
  "login_failed": 0,
  "out_of_office": false,
  "out_of_office_start_at": "2019-07-10",
  "out_of_office_end_at": "2019-07-10",
  "out_of_office_replacement_id": 4,
  "preferences": {},
  "updated_by_id": 4,
  "created_by_id": 4,
  "created_at": "2019-07-10T10:23:06.108Z",
  "updated_at": "2019-07-10T10:23:06.108Z",
  "role_ids": [],
  "organization_ids": [],
  "authorization_ids": [],
  "group_ids": {}
}

So, as you can see, in both cases these user pairs have completely different ids, logins and emails. The only connection between users in one pair is that the digits from which the email of the first user is started are the same as id of the second user.

It behaves like Zammad is throwing away everything which is going after @ in the email passed via header, thinking that this is a user id.

For me it’s looking more like a bug than like an intended behavior.

Hey @alexdonskih - damn! You are right. This is a ruby thing. If you run '12711@stu.***rich5.org'.to_i on e.g. the Zammad Rails console you’ll get 12711 :scream: When searching a user by id the given value will be converted to an integer as seen before. That’s a great catch!
Would you mind creating an issue for it?

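To make the to_i coercion concrete, here is an added example (not Zammad’s own code) that models the %i[id login email] lookup order over a constructed in-memory user table, reproduces the wrong match for a header value like 12711@stu.example.org, and shows a stricter variant that only treats the value as an id when it is purely digits:

```ruby
# Added example (not Zammad's own code): models the X-On-Behalf-Of lookup
# order %i[id login email] with a constructed in-memory user table and shows
# how Ruby's String#to_i ("12711@stu.example.org".to_i == 12711) makes the
# id step match the wrong user, then a hardened lookup.
User = Struct.new(:id, :login, :email)

# Constructed sample users mirroring the pairs described in the thread.
USERS = [
  User.new(3703, '12711@stu.example.org', '12711@stu.example.org'),
  User.new(12711, 'alex@example.com', 'alex@example.com'),
].freeze

# Mimics ActiveRecord's integer cast on an id column: find_by(id: value)
# casts the string with to_i before comparing.
def find_by(field, value)
  if field == :id
    USERS.find { |u| u.id == value.to_i }
  else
    USERS.find { |u| u.public_send(field) == value }
  end
end

# Naive lookup: tries id first, exactly as the order %i[id login email] does.
def lookup_naive(header_value)
  %i[id login email].each do |field|
    user = find_by(field, header_value)
    return user if user
  end
  nil
end

# Hardened lookup: only treat the header as an id when it is purely digits,
# so "12711@stu.example.org" never reaches the integer-cast id lookup.
def lookup_strict(header_value)
  %i[id login email].each do |field|
    next if field == :id && header_value !~ /\A\d+\z/
    user = find_by(field, header_value)
    return user if user
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{lookup_naive('12711@stu.example.org')&.id}"  # 12711 (wrong user)
  puts "strict: #{lookup_strict('12711@stu.example.org')&.id}" # 3703 (correct user)
end
```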

@thorsteneckel
Done: https://github.com/zammad/zammad/issues/2851


Thanks! We will cover it :+1:
