Wrong user info is shown when requesting /api/v1/users/me and passing an email through "X-On-Behalf-Of" header

alexdonskih · December 4, 2019, 6:38am

Infos:

Used Zammad version: 3.2.x
Used Zammad installation source: Install on Ubuntu via DEB
Operating system: Ubuntu 16.04 LTS
Browser + version: Chrome 78.0.3904.108

I’m getting a wrong user information when running a request via rest API using “X-On-Behalf-Of” header:
curl -H "Authorization: Token token=<token>" -H 'X-On-Behalf-Of: "123asd@my.email"' -H "Content-Type: application/json" http://zammad.local/api/v1/users/me

Expected behavior:

Getting info about user with email 123asd@my.email

Actual behavior:

Getting info about user with id 123. These a different users.

Steps to reproduce the behavior:

Create a user who’s email starts from digits
Create a user who’s id is the same digits from the other user’s email
Run an API request from the Infos

Additional infos:

I fixed this temporarily for my Zammad installation by editing:
/opt/zammad/app/controllers/application_controller/has_user.rb

Line 49 changed from:
%i[id login email].each do |field|
to
%i[email login id].each do |field|

MrGeneration · December 4, 2019, 8:18am

Personally I don’t think that this is a bug but intendet, because most of the things you want to do on behalf of someone else is not fetching data about your account directly, but information as someone else (beside the updating).

Maybe @thorsteneckel can give some feedback here if he found some spare time.

thorsteneckel · December 4, 2019, 8:53am

Hey @alexdonskih - welcome back! I think this is a misunderstanding. If the header contains 123asd@my.email it won’t find the user with the ID 123. I assume the User with ID 123 has the login 123asd@my.email in your case and it will be found before the User with the email 123asd@my.email. This is because of the order: %i[id login email]. We don’t do a partial lookup of the string but only exact matches.

alexdonskih · December 4, 2019, 12:05pm

Hi @MrGeneration and @thorsteneckel,

Thanks for the quick response!

Ok, let me give you a more detailed explanation.

In my case first user has:

id = 4
login = 500m***t@gmail.com
email = 500m***t@gmail.com

Second user has:

id = 500
login = li***8904@gmail.com
email = li***8904@gmail.com

(These are real emails with some symbols replaced with asterisks for privacy).

I do a request:

curl -H "Authorization: Token token=<token>" -H "X-On-Behalf-Of: 500m***t@gmail.com" -H "Content-Type: application/json" http://zammad.local/api/v1/users/me

The result is:

{
  "id": 500,
  "organization_id": null,
  "login": "li***8904@gmail.com",
  "firstname": "Lion",
  "lastname": "***e",
  "email": "li***8904@gmail.com",
  "image": null,
  "image_source": null,
  "web": "",
  "phone": "",
  "fax": "",
  "mobile": "",
  "department": "",
  "street": "",
  "zip": "",
  "city": "",
  "country": "",
  "address": "",
  "vip": false,
  "verified": false,
  "active": true,
  "note": "",
  "last_login": null,
  "source": null,
  "login_failed": 0,
  "out_of_office": false,
  "out_of_office_start_at": null,
  "out_of_office_end_at": null,
  "out_of_office_replacement_id": null,
  "preferences": {
    "locale": "en-us",
    "tickets_closed": 0,
    "tickets_open": 1
  },
  "updated_by_id": 500,
  "created_by_id": 3,
  "created_at": "2019-12-01T05:29:02.820Z",
  "updated_at": "2019-12-03T09:47:09.299Z",
  "role_ids": [
    3
  ],
  "organization_ids": [],
  "authorization_ids": [],
  "group_ids": {}
}

This issue was not happening until the user with id 500 was created.

Then, to double check this, I’ve took other user who’s email starts from digits:

id = 3703
login = 12711@stu.***rich5.org
email = 12711@stu.***rich5.org

And created a user with the id 12711:

id = 12711
login = alex***skih@gmail.com
email = alex***skih@gmail.com

curl -H "Authorization: Token token=<token>" -H "12711@stu.***rich5.org" -H "Content-Type: application/json" http://zammad.local/api/v1/users/me

The result is:

{
  "id": 12711,
  "organization_id": 1,
  "login": "alex***skih@gmail.com",
  "firstname": "Alexander",
  "lastname": "***skikh",
  "email": "alex***skih@gmail.com",
  "image": "cb478cb900c9d6a9e6506fee09519ed1",
  "image_source": "",
  "web": "",
  "phone": "",
  "fax": "",
  "mobile": "",
  "department": "",
  "street": "",
  "zip": "",
  "city": "",
  "country": "",
  "address": "",
  "vip": false,
  "verified": false,
  "active": true,
  "note": "",
  "last_login": "2019-07-10T10:23:06.108Z",
  "source": "",
  "login_failed": 0,
  "out_of_office": false,
  "out_of_office_start_at": "2019-07-10",
  "out_of_office_end_at": "2019-07-10",
  "out_of_office_replacement_id": 4,
  "preferences": {},
  "updated_by_id": 4,
  "created_by_id": 4,
  "created_at": "2019-07-10T10:23:06.108Z",
  "updated_at": "2019-07-10T10:23:06.108Z",
  "role_ids": [],
  "organization_ids": [],
  "authorization_ids": [],
  "group_ids": {}
}

So, as you can see, in both cases these user pairs have completely different ids, logins and emails. The only connection between users in one pair is that the digits from which the email of the first user is started are the same as id of the second user.

It behaves like Zammad is throwing away everything which is going after @ in the email passed via header, thinking that this is a user id.

For me it’s looking more like a bug than like an intended behavior.

thorsteneckel · December 6, 2019, 7:24am

Hey @alexdonskih - damn! You are right. This is a ruby thing. If you run '12711@stu.***rich5.org'.to_i on e.g. the Zammad Rails console you’ll get 12711 When searching a user by id the given value will be converted to an integer as seen before. That’s a great catch!
Would you mind creating an issue for it?

alexdonskih · December 10, 2019, 7:57am

@thorsteneckel
Done: https://github.com/zammad/zammad/issues/2851

thorsteneckel · December 10, 2019, 8:08am

Thanks! We will cover it

system · April 8, 2020, 8:08am

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.