WHM API1 batch command permissions changed after server upgrade

[kduvall]

I'm making an external app that communicates with WHM VIA WHM API 1 calls.

I've been testing with a reseller account that has basic reseller privileges. The server was running WHM 11.48 and running the batch API call worked fine.

{
  "data" : {
    "result" : [
      {
        "data" : {
          "fifteen" : "0.73",
          "one" : "0.52",
          "five" : "0.74"
        },
        "metadata" : {
          "result" : 1,
          "reason" : "OK",
          "command" : "systemloadavg",
          "version" : 1
        }
      },
      {
        "data" : {
          "version" : "11.48.4.7"
        },
        "metadata" : {
          "result" : 1,
          "reason" : "OK",
          "command" : "version",
          "version" : 1
        }
      },
    ]
  },
  "metadata" : {
    "result" : 1,
    "reason" : "OK",
    "command" : "batch",
    "version" : 1
  }
}

But after upgrading the server to WHM 11.52, the batch command returns "permission denied" unless I'm authenticated as root.

{
  "metadata" : {
    "result" : 0,
    "reason" : "Permission denied: You do not have the required privileges to run “batch”.",
    "command" : "batch",
    "version" : 1
  }
}

Have the permissions for the batch command changed? I would imagine batch would be available to any authenticated account since each command run with batch will be checked against the authenticated user's privileges.

 

[DavidN.]

Hi Keith,

Can you say exactly which calls you're batching? I've got a test almost set up here but realize I might end up testing something totally different without more information. If you can provide the exact URL of your API call, that would be ideal.

Thanks,

David Nielson
Integration Developer, cPanel

 

[kduvall]

Sure
/json-api/batch?api.version=1&command=systemloadavg&command=applist&command=version&command=myprivs

 

[SkylerB]

Hi Keith,

I confirmed that:
In more recent versions of cPanel, resellers with the same permissions as in the 11.48 versions did receive the noted Permissions Denied message.

I was able to add the :all permissions to the reseller in /var/cpanel/resellers and confirmed that the command was then accessible to the resellers with :all permissions.

At this time, I have opened up an internal inquiry for our developers to review and determine if this is an intended change or if any action should be taken on this.

 

[kduvall]

Awesome, thanks for following up on that. I could break the commands up and run them individually, but that would greatly affect responsiveness of the app. The overhead of the HTTP request is the part that takes the longest. One request usually takes around 0.5 - 1 seconds (give or take) and splitting a batch of commands into individual requests can result in something that should take <1 second taking >= 5 seconds.

 

[SkylerB]

Hi Keith,

This was indeed confirmed as a bug and has been slated to be addressed, once published it will be noted in relation to case #CPANEL-2098 in our ChangeLogs at the URL below:

Change Logs - Documentation - cPanel Documentation

Please let us know if you have any further issues in relation to this.

 

[kduvall]

Thank you so much. I'll keep an eye on the change logs.