tracker issue : CF-3926238

select a category, or use search below
(searches all categories and all time range)

[ANeff] Bug for: <cfloginuser> breaks Admin API access

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)

Created: 01/23/2015

Components: Security

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final / CF11 Update7

Priority/Frequency: Major / Some users will encounter

Locale/System: ALL / Platforms All

Vote Count: 1

Listed in the version Issues Fixed doc
<cfloginuser> breaks Admin API access

Repro steps:

1) Run this:

  <cfloginuser name="foo" password="bar" roles="foobar">
  function myFunction() {
	  adminAPI = new CFIDE.adminapi.administrator();
	  loginResult = adminAPI.login(thePassword, theUsername);
	  try {
		  obj = new CFIDE.adminapi.servermonitoring();
		  activeRequests = obj.getAllActiveRequests();
	  catch(any e) {
<cfset myFunction()>

Expected result:
true success! 
true success! 

Actual result:
true The current user is not authorized to invoke this method.
true success! 

- If user is not logged-in via <cflogin> framework, then Admin API calls succeed.
- If user is logged-in via <cflogin> framework, then Admin API calls fail.

<cfloginuser> should not be breaking Admin API access.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3926238

External Customer Info:
External Company:  
External Customer Name: Aaron
External Customer Email:



Related ticket: CF-3546323
Comment by External U.
8833 | January 23, 2015 02:22:06 AM GMT
Simply try making an Admin API call within a <cflogin>-protected page. It will fail w/ the above error.
Comment by External U.
8834 | January 27, 2015 12:19:05 AM GMT
I see this is marked Fixed. Awesome! Looking forward to the fix =) Thanks!, -Aaron
Comment by External U.
8835 | March 09, 2015 09:54:45 AM GMT
Fix verified and will be available in the next ColdFusion version.
Comment by S P.
8836 | June 20, 2015 03:37:53 AM GMT
Hi Preethi, I see "Fixed In Build: CF11 Update7" This ticket isn't listed in the CF11 Update 7 bugs fixed PDF ( Is this really fixed in CF11 Update 7? If not, what is it fixed in? If it is, then it should be listed in that PDF. Thanks!, -Aaron
Comment by External U.
8837 | December 05, 2015 06:28:18 AM GMT
*bump* The "Fixed In Build" says "CF11 Update7", so why isn't it listed here: Is this ticket not fixed in "CF11 Update7"? Thanks!, -Aaron
Comment by External U.
8838 | February 25, 2016 09:52:22 PM GMT
Verified this is fixed in CF11 Update 7 (build 11,0,07,296330). Adobe, this ticket needs added to Thanks!, -Aaron
Comment by External U.
8839 | February 25, 2016 10:44:17 PM GMT
Hi Aaron, Thanks for letting us know about this. Will add it to the doc and let you know. Regards, Preethi
Comment by S P.
8840 | February 26, 2016 12:01:48 AM GMT
Hi Preethi, You're very welcome and thanks! -Aaron
Comment by External U.
8841 | February 26, 2016 12:14:12 AM GMT
Hi Aaron, The above ticket must be listed in the doc link now. Thanks, Preethi
Comment by S P.
8842 | February 26, 2016 01:32:15 AM GMT
Hi Preethi, Yes, I see CF-3926238, and the following revision note, in the doc now: ----------- Revision 26 Feb, 2016: bug#CF-3926238 added to the fixed bugs list. ----------- Thanks for adding that revision note! -Aaron
Comment by External U.
8843 | March 11, 2016 02:05:57 PM GMT
Hi Adobe, This ticket wasn't properly fixed and needs re-opened b/c cfloginuser still breaks some Admin API access. Confirmed in CF 11,0,07,296330 and 2016.0.01.298513. Issue was fixed for servermonitoring.cfc's getAllActiveRequests() and scheduler.cfc's getTasks(). Good. Issue was not fixed for datasource.cfc's getDatasources() and runtime.cfc's clearTrustedCache(). Bad. Issue should be fixed for ALL Admin API methods. Not sure why I need to say that.. Repro: <cfscript> theUsername = "";//specify Admin API username thePassword = "";//specify Admin API password theDSN = "";//specify a DSN cflogout(); cflogin() {cfloginuser(name="foo", password="bar", roles="foobar");}//cfloginuser still breaks some Admin API access new CFIDE.adminapi.administrator().login(thePassword, theUsername); obj = new CFIDE.adminapi.servermonitoring(); r = obj.getAllActiveRequests();//works, good writeDump(r); obj = new CFIDE.adminapi.scheduler(); r = obj.getTasks();//works, good writeDump(r); obj = new CFIDE.adminapi.datasource(); r = obj.getDatasources(theDSN);//throws$UnauthenticatedCredentialsException, bad writeDump(r); //Related URL: obj = new CFIDE.adminapi.runtime(); obj.clearTrustedCache(expandPath("./mypage.cfm"));//throws$UnauthenticatedCredentialsException, bad </cfscript> Thanks!, -Aaron
Comment by Aaron N.
8844 | January 10, 2017 06:09:43 AM GMT
I've run into this with a client. With the latest patches installed
Vote by Wil G.
8847 | January 10, 2017 05:13:24 PM GMT
This is still not working in this scenario either. <cfscript> adminUser = "admin"; adminPW = "password"; thefile = "/absolute/path/to/file.cfm"; adminObj = createObject("component","cfide.adminapi.administrator"); adminObj.login(adminPW, adminUser); // if I dump the return I will see the boolean is true meaning the login worked. adminRuntime = createObject("component","cfide.adminapi.runtime"); // yet on this line we will get the$UnauthenticatedCredentialsException error. adminRuntime.clearTrustedCache(thefile); </cfscript>
Comment by Wil G.
8845 | January 10, 2017 05:17:38 PM GMT
*bump* Should we follow-up in another year? Is Adobe going to look into this? Thanks!, -Aaron
Comment by Aaron N.
8846 | January 02, 2018 07:59:50 PM GMT