GetUser can Retrieve Other Users Info?

Mar 6, 2009 at 3:02 AM
Edited Mar 6, 2009 at 3:03 AM
I am working on a WPF application that will need to derive a user's role information from an IWeb service in order to display role-based content. I hope that I'm misunderstanding something. It appears that users would have the ability to get each other's information! For the sake of example, let's say that I allow the Registered Users role to execute the GetUsers function. Am I correct in assuming that someone could easily sniff their own outbound authentication header and simply substitute someone else's username? If so, I would be doing an unacceptably poor job of protecting my users' personal information.

I threw together a quick function that would return only role membership for a given user, because I am not concerned about user A determining role membership for user B. Here is the code. For some reason, it is returning an empty array. I was hoping that someone might be able to steer me in the right direction.

Imports Microsoft.VisualBasic
Imports System.Collections.Generic
Imports System.Web.Services.Protocols
Imports System.Web.Services

Namespace DotNetNuke.Modules.IWeb

    Public Class Role
        ' local property declarations
        Public RoleName As String

    End Class

    Partial Public Class WebService

        <WebMethod(Description:=" GetRoles *DotNetNuke* |IWEB Core| #IWEB Misc# !Portal! "), SoapHeader("IWebCredentials")> _
        Public Function GetRoles(ByVal Username As String) As List(Of Role)
            Dim RoleList As New List(Of Role)
            Dim objIWebAuthendication As New IWebAuthendication(IWebCredentials)

            ' Reject the call unless the SOAP header carries valid IWeb credentials.
            If Not objIWebAuthendication.ValidAndAuthorized() Then
                Dim objRole As New Role
                objRole.RoleName = "Not Authorized"
                RoleList.Add(objRole)
                Return RoleList
            End If

            ' Look up the requested account; guard against a Nothing result or Nothing Roles.
            Dim objResponse As UserInfo = IWebUser.GetUserInfo(IWebCredentials.PortalID, Username)

            ' Copy each role name into the serializable result list.
            If objResponse IsNot Nothing AndAlso objResponse.Roles IsNot Nothing Then
                For Each roleName As String In objResponse.Roles
                    Dim objRole As New Role
                    objRole.RoleName = roleName
                    RoleList.Add(objRole)
                Next
            End If

            Return RoleList
        End Function

    End Class

End Namespace

Coordinator
Mar 6, 2009 at 1:07 PM
All the example IWeb code is meant to be called by administrators, not users. If you allow users to call web service methods, you should include additional code to determine if the user should see the information they are requesting.
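One way to add the authorization step the coordinator describes, as an added example rather than code from the original post or from the IWeb project: the method authenticates the SOAP header as before, then compares the authenticated caller against the requested account and only proceeds when the caller is asking about themselves or is a portal administrator. It reuses the `Role` class, `IWebAuthendication`, `IWebUser.GetUserInfo` and `IWebCredentials.PortalID` from the posted code; it assumes that `IWebCredentials` also exposes the authenticated `Username`, that `UserInfo.Roles` is a string array, and that the administrators role is named "Administrators" (all assumptions, marked in the comments). The decision itself lives in a small module with no portal dependency so it can be unit-tested.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Web.Services
Imports System.Web.Services.Protocols

Namespace DotNetNuke.Modules.IWeb

    ' Pure decision helper (added example, not IWeb code): may the authenticated
    ' caller read the role list of the requested account? It has no portal
    ' dependency, so it can be unit-tested without a running site.
    Public Module RoleAccessPolicy

        ' Assumed name of the DotNetNuke administrators role; adjust if your portal renames it.
        Public Const AdministratorsRole As String = "Administrators"

        Public Function CallerMayReadRoles(ByVal callerUsername As String, _
                                           ByVal callerRoles As String(), _
                                           ByVal requestedUsername As String) As Boolean
            If String.IsNullOrEmpty(callerUsername) OrElse String.IsNullOrEmpty(requestedUsername) Then
                Return False
            End If

            ' A caller may always read their own roles. DotNetNuke usernames are
            ' not case-sensitive, so compare accordingly.
            If String.Equals(callerUsername, requestedUsername, StringComparison.OrdinalIgnoreCase) Then
                Return True
            End If

            ' Anyone else's roles are visible only to portal administrators.
            If callerRoles IsNot Nothing Then
                For Each roleName As String In callerRoles
                    If String.Equals(roleName, AdministratorsRole, StringComparison.OrdinalIgnoreCase) Then
                        Return True
                    End If
                Next
            End If
            Return False
        End Function

    End Module

    Partial Public Class WebService

        <WebMethod(Description:=" GetRoles *DotNetNuke* |IWEB Core| #IWEB Misc# !Portal! "), SoapHeader("IWebCredentials")> _
        Public Function GetRoles(ByVal Username As String) As List(Of Role)
            Dim RoleList As New List(Of Role)

            ' Step 1: authenticate the SOAP header, exactly as the posted sample does.
            Dim objIWebAuthendication As New IWebAuthendication(IWebCredentials)
            If Not objIWebAuthendication.ValidAndAuthorized() Then
                Return NotAuthorized(RoleList)
            End If

            ' Step 2: authorize the caller against the *requested* account. This is
            ' the check the sample lacks: without it any authenticated user can pass
            ' an arbitrary Username. Assumes IWebCredentials exposes the authenticated
            ' Username (assumption; check the SoapHeader class in your IWeb version).
            Dim caller As UserInfo = IWebUser.GetUserInfo(IWebCredentials.PortalID, IWebCredentials.Username)
            Dim callerRoles As String() = Nothing
            If caller IsNot Nothing Then callerRoles = caller.Roles

            If Not RoleAccessPolicy.CallerMayReadRoles(IWebCredentials.Username, callerRoles, Username) Then
                Return NotAuthorized(RoleList)
            End If

            ' Step 3: only now read the requested account.
            Dim objResponse As UserInfo = IWebUser.GetUserInfo(IWebCredentials.PortalID, Username)
            If objResponse IsNot Nothing AndAlso objResponse.Roles IsNot Nothing Then
                For Each roleName As String In objResponse.Roles
                    Dim objRole As New Role
                    objRole.RoleName = roleName
                    RoleList.Add(objRole)
                Next
            End If
            Return RoleList
        End Function

        ' Same "Not Authorized" marker for a bad header and for a forbidden lookup,
        ' so the response does not reveal whether the requested account exists.
        Private Function NotAuthorized(ByVal RoleList As List(Of Role)) As List(Of Role)
            Dim objRole As New Role
            objRole.RoleName = "Not Authorized"
            RoleList.Add(objRole)
            Return RoleList
        End Function

    End Class

End Namespace
```

The important design point is that the decision uses the identity taken from the authenticated header, never the `Username` parameter supplied by the client, so substituting another account name in the request only yields the same "Not Authorized" result the client would get for an invalid header.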