In Progress [CPANEL-26332] API Tokens and WHM Function list-zones

Discussion in 'cPanel Developers' started by bellwood, Mar 14, 2019.

  1. bellwood

    bellwood Active Member PartnerNOC

    Joined:
    Sep 25, 2012
    Messages:
    32
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    New York
    cPanel Access Level:
    DataCenter Provider
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,528
    Likes Received:
    2,180
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @bellwood,

    listzones is controlled with the Manage DNS Records privilege. It's found under the "Initial Privileges" section in WHM >> Manage API Tokens.

    Thank you.
     
    bellwood likes this.
  3. bellwood

    This is incomplete - I have to allow "Everything - All Features `all`" to get a list of every zone on the server.

    Seems horribly insecure to need a "god" token to simply get a list of zones.
     
    #3 bellwood, Mar 18, 2019
    Last edited: Mar 18, 2019
  4. cPanelMichael

    Hi @bellwood,

    I've reproduced this behavior and opened case CPANEL-26332 to report the issue. I'll monitor this case and update this thread with more information as it becomes available. Note that an additional case (CPANEL-24676) is open to correct this behavior for the listaccts WHM API 1 function. That case is planned for publication with cPanel & WHM version 80.

    Thank you.

    Post Edit History:
    1. Corrected the first case ID to reflect CPANEL-26332.
     
    #4 cPanelMichael, Mar 18, 2019
    Last edited: May 31, 2019
  5. bellwood

    @cPanelMichael thanks for the stellar customer service. Will keep an eye out for this in v80.
     
    cPanelMichael likes this.
  6. bellwood

    @cPanelMichael I see CPANEL-24676 was remediated 03-21-2019; however, as of v80.0.11 I'm still unable to see all zones on a server with just the list-zones token permission.

    Interesting as well, the resolution for the case mentions listaccts, not listzones:

    • Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

    Could you clarify?
     
  7. cPanelMichael

    Hello @bellwood,

    It looks like CPANEL-26332 was utilized in this thread's title, but incorrectly entered as "CPANEL-24676" in my previous response. Apologies for the confusion. I've edited my previous response to correct this. I'll continue to monitor CPANEL-26332 internally and report back here more information on its status as it becomes available.

    In summary, there are two cases associated with this thread, CPANEL-24676 and CPANEL-26332.

    CPANEL-24676 is fixed in version 80: Fixed case CPANEL-24676: API Tokens: Ensure that the listaccts API call respects the 'list-accts' priv.

    CPANEL-26332 was opened on March 18th, 2019 to request that the listzones WHM API 1 call returns all DNS zones on the system instead of just the zones owned by the "root" user when the 'manage-dns-records' API token privilege is enabled.

    Thank you.
     
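
An added example, not part of the thread or cPanel's own code: a check that a token limited to the Manage DNS Records privilege returns the full zone inventory, so a partial list (the behaviour reported in CPANEL-26332) is detected rather than worked around with an `all` token. The JSON response shape, the host name and the zone names are assumptions or constructed samples.

```python
import json
import urllib.request

# Constructed sample: what a token limited to 'manage-dns-records' got back in
# the thread (only the root-owned zone). The response shape is an assumption.
SCOPED_SAMPLE = json.dumps({
    "metadata": {"version": 1, "command": "listzones", "result": 1, "reason": "OK"},
    "data": {"zone": [{"domain": "server.example", "zonefile": "server.example.db"}]},
})
DENIED_SAMPLE = json.dumps({"metadata": {"result": 0, "reason": "denied (constructed)"}})
# Constructed inventory the operator expects, e.g. from a billing or DNS database.
EXPECTED = ["server.example", "customer-a.example", "customer-b.example"]


def listzones_request(host, user, token):
    """Build (without sending) the WHM API 1 listzones call using token auth."""
    url = f"https://{host}:2087/json-api/listzones?api.version=1"
    return urllib.request.Request(url, headers={"Authorization": f"whm {user}:{token}"})


def zones_from_response(body):
    """Return the set of zone names, raising if the API reported a failure."""
    doc = json.loads(body)
    meta = doc.get("metadata", {})
    if meta.get("result") != 1:
        raise PermissionError(meta.get("reason", "listzones failed"))
    zones = (doc.get("data") or {}).get("zone") or []
    return {z["domain"].lower().rstrip(".") for z in zones}


def scope_gap(body, expected):
    """Zones in the expected inventory that the scoped token did not return."""
    wanted = {z.lower().rstrip(".") for z in expected}
    return sorted(wanted - zones_from_response(body))


if __name__ == "__main__":
    missing = scope_gap(SCOPED_SAMPLE, EXPECTED)
    print("partial zone list, missing:" if missing else "complete zone list", missing)
```

A non-empty result means the scoped token is seeing only part of the server's zones; an empty result after an upgrade indicates the narrower privilege is sufficient.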