Unauthorized method - Possible bug?

imperyal · 2024-06-28 23:36:02

Hello,

We updated to mORMot v2 recently, very smooth transition so far.

Today, when deploying our first server using version 2 we started having this error saying "Unauthorized method" on every interface method call. After some debugging I found this code:

unit mormot.rest.server;
(...)
procedure TRestServerUriContext.InternalExecuteSoaByInterfaceComputeResult;
(...)
  if (Session > CONST_AUTHENTICATION_NOT_USED) and
     (ServiceExecution <> nil) and
     ((SessionGroup <= 0) or
      (SessionGroup > 255) or
      (byte(SessionGroup - 1) in ServiceExecution.Denied)) then
  begin
    Error('Unauthorized method', HTTP_NOTALLOWED);
    exit;
  end;

Looks like I will get an error if I have more then 255 Groups (more precisely if I have Groups with ID greater then 255).

Is this by design?

I changed the 255 to 2000 to patch my server and it seems to work ok, but I don't know if this causes adverse side effects... I would remove the SessionGroup > 255 condition if possible...

Our use case requires lots of user groups, more than a thousand...

Please advise.
Thank you!

Last edited by imperyal (2024-06-28 23:38:18)

ab · 2024-06-29 08:56:10

Thanks a lot for debugging the problem.

This is a pascal limitation: a set is limited to 256 items (32 bytes).
So it is as expected. You hit this limitation.

In mORMot 1, there was no such check, so "in ServiceExecution.Denied" was always false, so this group was always allowed.
In mORMOt 2, the check disallowed groups which could not be check against denial...
We thought it was better to disallow, instead of allowing silently some groups where was in fact denied... for obvious security reasons...

      // fExecution[].Denied set is able to store IDs up to 256 only

We will need to switch from a set to a dynamic array, I guess, in this code.

BTW, do you use Allow/Deny of group per service, in your project?

imperyal · 2024-06-30 22:14:05

Hello and thank you once again for your prompt reply @ab.

We do not use Allow/Deny of group por service.. All groups have full access to all services.

We use groups to separate out clients, each client has its own group, the users of each group share session data when they are logged in.

I don’t know if that is the best approach, but it has been working great for us so far.

Last edited by imperyal (2024-06-30 22:17:14)

ab · 2024-07-01 06:54:29

It is a good approach, it depends on your business logic model.

I am fixing the issue - but in the meanwhile you could just get rid of the (SessionGroup > 255) line.

Edit:
I have re-implemented the authorization to allow group IDs > 255.
It will also fix your issue.
https://github.com/synopse/mORMot2/commit/d359a16a

imperyal · 2024-07-19 10:29:03

Hello, sorry for the late reply. The problem is solved.

Once again, thank you.

mORMot Open Source

#1 2024-06-28 23:36:02

Unauthorized method - Possible bug?

#2 2024-06-29 08:56:10

Re: Unauthorized method - Possible bug?

#3 2024-06-30 22:14:05

Re: Unauthorized method - Possible bug?

#4 2024-07-01 06:54:29

Re: Unauthorized method - Possible bug?

#5 2024-07-19 10:29:03

Re: Unauthorized method - Possible bug?

Board footer