In Progress CPANEL-42871 - WHM get_domain_info does not return all the domains

malex
Hi,

The WHM get_domain_info does not return the list of all the domain names configured on a server when used with an API Token with the bare minimum permissions (not a root access token).

It only returns the domains configured on accounts owned by root.
If an account is not owned by root and the API Token is not an "all access" one, the domains on those reseller accounts are not listed.

For me, it's an unexpected behavior.
I don't want to create an "all root access token" just to have the possibility of retrieving the domain names configured on a hosting server.
I want to use API Tokens to limit what a token can do and avoid storing a root password.

It's not the only time that a problem of this kind occurs.

I had the same permission problem with the API to suspend an account.
Reseller accounts can't be suspended unless we use a "root access api token". You can check on the opened cPanel case, it has been a few months since this was reported... (no news about this issue, another case that is going to die... but now I'm used to it: "yeah, we opened a cPanel case, here is the number" and then nothing. It's just a way of closing tickets)

There is a problem with the API Token system, it's not granular enough.
Some operations require a root token when this can (and should) be avoided.

And, the cherry on top, it's not documented clearly in the cPanel docs. A warning message could be nice.

cPRex

Jurassic Moderator
Staff member
Hey there! Thanks for letting me know about this issue. I believe this is actually working as intended, and there is just a lack of documentation at Return all domains information about the specific behavior. I've created case CPANEL-42871 to have our team look into that, and I'll be sure to post here as well with an update once I hear something.

malex

Ok, so there's no way of getting a list of all domains configured on a server without root access or a root API token. Nice.
API Tokens are seriously flawed / useless.

I guess I will have to push instead of pulling this list of domains... yet another cron to add and yet another time that I have to find a solution / a patch myself. Honestly I'm getting tired of cPanel lately.

malex

I'm replying to this issue once again because I don't understand the logic behind the token permissions... like at all.

In my development, I need to install SSL certificates for customers.
That includes accounts created by reseller users.

So, this time I'm careful, and I'm thinking: if I use a non-acl-all token, cPanel will probably block my API call for the accounts created by the resellers, because they're not owned by root.
Except that's not the case...

So, I'm not able to list all the domains configured on the servers with a non-acl-all token; the domains created on reseller accounts (or accounts not owned by root) are not listed.

But I'm able to do stuff on the accounts created by the resellers using a non-acl-all token.
And I'm able to list the domains by iterating over the users created by resellers, using the cPanel API passed through WHM instead of the WHM one.

I don't understand the logic behind this.

EDIT: a demonstration of this nonsense. sc1liuf2502 is an account owned by liuf2502.

Code:
# The permissions of the token I'm using. Just notice it's not an ACL=ALL token.
user@user-desktop:~$ curl -sH 'Authorization: whm root:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' 'https://cheeseburger.zzzzzzzzz.eu:2087/json-api/api_token_get_details?api.version=1&token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | jq
{
  "metadata": {
    "version": 1,
    "result": 1,
    "reason": "OK",
    "command": "api_token_get_details"
  },
  "data": {
    "name": "TESTDSQ",
    "create_time": 1685713085,
    "expires_at": null,
    "acls": [
      "acct-summary",
      "cpanel-api",
      "create-acct",
      "list-accts",
      "manage-api-tokens",
      "suspend-acct",
      "upgrade-account"
    ]
  }
}

# I can do stuff / query the cPanel account created / owned by the resellers (jq is used to parse / limit the length of the output)
user@user-desktop:~$ curl -sH 'Authorization: whm root:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' 'https://cheeseburger.zzzzzzzzz.eu:2087/json-api/cpanel?api.version=1&cpanel_jsonapi_user=sc1liuf2502&cpanel_jsonapi_module=DomainInfo&cpanel_jsonapi_func=domains_data&cpanel_jsonapi_apiversion=3' | jq .result.data.main_domain.owner
"liuf2502"

# I can't retrieve a list of all domains configured
user@user-desktop:~$ curl -sH 'Authorization: whm root:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' 'https://cheeseburger.zzzzzzzzz.eu:2087/json-api/get_domain_info?api.version=1' |jq | grep 'sc1liuf2502' || echo "No result"
No result
Since we can easily bypass this "limitation", why not add a flag to allow listing all domains on get_domain_info?!
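A way to script that workaround for the whole server, as an added example that is not malex's code or cPanel's. It keeps the token at the list-accts and cpanel-api ACLs shown above instead of minting an ACL-all token, and it assumes the list_accts response shape `data.acct[].user/owner`, the UAPI DomainInfo::domains_data fields `main_domain`, `addon_domains`, `parked_domains` and `sub_domains` (each entry carrying a `domain` key), and placeholder host/token values for `make_whm_fetcher`; verify those field names against your own server.

```python
"""Enumerate every domain on a WHM server with a limited-ACL API token:
list every account via list_accts, then query DomainInfo::domains_data
per account through the WHM 'cpanel' passthrough (added example)."""
import json
import urllib.parse
import urllib.request

def make_whm_fetcher(host, token):
    """Return fetch(endpoint, params) for live WHM JSON-API 1 calls."""
    def fetch(endpoint, params):
        query = urllib.parse.urlencode({"api.version": 1, **params})
        req = urllib.request.Request(
            f"https://{host}:2087/json-api/{endpoint}?{query}",
            headers={"Authorization": f"whm root:{token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def domains_of(domains_data):
    """Flatten a domains_data response (field names assumed from cPanel docs)."""
    data = domains_data["result"]["data"]
    names = [data["main_domain"]["domain"]]
    for key in ("addon_domains", "parked_domains", "sub_domains"):
        names.extend(entry["domain"] for entry in data.get(key, []))
    return names

def collect_all_domains(fetch):
    """Map every account, root- or reseller-owned, to its owner and domains."""
    inventory = {}
    for acct in fetch("list_accts", {})["data"]["acct"]:  # assumed shape
        response = fetch("cpanel", {
            "cpanel_jsonapi_user": acct["user"],
            "cpanel_jsonapi_module": "DomainInfo",
            "cpanel_jsonapi_func": "domains_data",
            "cpanel_jsonapi_apiversion": 3})
        inventory[acct["user"]] = {"owner": acct["owner"], "domains": domains_of(response)}
    return inventory

SAMPLE = {  # constructed responses (not real server output) so this runs offline
    "list_accts": {"data": {"acct": [{"user": "liuf2502", "owner": "root"},
                                     {"user": "sc1liuf2502", "owner": "liuf2502"}]}},
    "liuf2502": {"result": {"data": {"main_domain": {"domain": "liuf2502.example"}}}},
    "sc1liuf2502": {"result": {"data": {
        "main_domain": {"domain": "sc1liuf2502.example"},
        "addon_domains": [{"domain": "shop.example"}],
        "sub_domains": [{"domain": "mail.sc1liuf2502.example"}]}}},
}

def sample_fetch(endpoint, params):
    """Offline stand-in for make_whm_fetcher(...) over the constructed data."""
    return SAMPLE[params.get("cpanel_jsonapi_user", endpoint)]
```

For a live run, replace `sample_fetch` with `make_whm_fetcher("your.whm.host", "YOUR_TOKEN")`; the reseller-owned `sc1liuf2502` then shows up in the inventory even though get_domain_info omits it.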

rbairwell


malex

Yes, I had the exact same issue for the suspension of reseller accounts / accounts owned by resellers.
I opened a support ticket and from time to time I come back to the ticket hoping for a change.

It was a regression because it used to work before, and we had like +500 accounts not suspended because of this... It was a pain in the ass to retrieve the list of accounts that were not suspended (sometimes the owner account was already deleted so it was extra hard to find). I was pissed off that day.

I ended up creating a hook on the account suspension that suspends the accounts owned by the reseller too. (OK in my use case, maybe not for everyone)

Another related issue is that we can't create a session using create_user_session on a reseller account directly without using a "master" token.

In the end, API Token + Resellers = unexpected behavior.