kwent / syno

Simple Node.js wrapper and CLI for Synology DSM REST API 5.x and 6.x.
http://kwent.github.io/syno
MIT License

Auth API returns `Error: Permission denied` for non-administrator accounts #28

Closed mamartel closed 7 years ago

mamartel commented 7 years ago

The following applies to DSM 6.0.2-8451 Update 4; I don't have any other versions to test.

The authentication API returns `{"error":{"code":402},"success":false}` for non-administrator accounts.

To authenticate a non-administrator account, the `session` parameter must be set to the desired application's name. However, I can log in with one application, then use another one without having to reauthenticate. Even better, I can log in with an application for which I don't have permission, then use an application for which I do.

For example, even if the user is explicitly denied access to AudioStation, I can log in with
`/webapi/auth.cgi?api=SYNO.API.Auth&version=3&method=login&account=user&passwd=password&session=AudioStation`

Then list the files in my home folder: `syno.fs.list({'folder_path':'/home'}, callback);`

But trying to use AudioStation's API, which I don't have access to, gets you an `Error 115: The logged in session does not have permission`.

Possible fix

For now, I changed `session = 'SYNO_SESSION_' + Date.now()` to `session = 'FileStation'` in `Auth.login`, since the FileStation application can't seem to be turned off or removed (easily).

Not pretty but seems to be the simplest solution.

kwent commented 7 years ago

Hi @mamartel,

It should be fixed on master.

I'll update all DSM package versions and release a new version soon.

Thanks again for your investigation.

kwent commented 7 years ago

Hi @mamartel, I just released version 2.1.0 on NPM.

This issue should be fixed.

Regards,