Problem with permissions for showbw API call
When attempting to use the WHM API v1 to obtain bandwidth information, the API returns an empty array unless the token is granted Everything/All Features permissions. This is despite there being a specific show-bandwidth permission available.
I'm trying to use the API remotely with the root account, non-expiring token, constrained to a specific IP address.
I haven't been able to find any other reports of this problem. Does anyone have any suggestions please, or could this be a bug?
-
Hey there! I set up a test environment to perform this work and I wasn't able to reproduce the issue. I did make sure to only include the "Initial Privileges" and "Account Information" boxes in the token so it was properly limited.
I used the curl option for simpler testing than using it inside a script of some sort, with this code:
curl -H 'Authorization: whm root:TOKENGOESHERE' 'https://host.domain.com:2087/json-api/showbw?api.version=1'
and got the following result I expected:
{"data":{"reseller":"root","acct":[{"owner":"root","totalbytes":619359201,"bwlimited":0,"bwusage":[{"deleted":0,"usage":"618748202","domain":"domain.com"}],"deleted":0,"limit":"unlimited","reseller":0,"user":"username","maindomain":"domain.com"},{"bwusage":[{"domain":"domain.com","deleted":0,"usage":"1200463337"}],"deleted":0,"totalbytes":1200463337,"owner":"root","bwlimited":0,"limit":"unlimited","user":"username","maindomain":"domain.com","reseller":0},{"limit":"unlimited","reseller":0,"maindomain":"domain.com","user":"username","bwlimited":0,"owner":"root","totalbytes":10822414,"bwusage":[{"domain":"domain.com","usage":0,"deleted":1},{"usage":"10260646","deleted":0,"domain":"domain.com"},{"deleted":1,"usage":"184916","domain":"addonapi.domain.com"},{"deleted":0,"usage":0,"domain":"randomaddontest.com"},{"usage":"198651","deleted":0,"domain":"randomaddontest.com.domain.com"}],"deleted":0}],"totalused":"1830644952","month":2,"year":2024},"metadata":{"reason":"OK","command":"showbw","result":1,"version":1}}[root@10-2-35-26 ~]#
If you'd like to create a ticket we could do some more testing directly in your environment to see if we could reproduce this on your machine.
0 -
Thanks for taking the time to try and recreate the problem. I am using a PHP script but took your advice to keep it simple with curl, but still got an empty result:
{"data":{"totalused":0,"acct":[],"reseller":"root","year":2024,"month":2},"metadata":{"version":1,"result":1,"reason":"OK","command":"showbw"}
However, seeing that result on the command line rather than buried in my script, the word 'reseller' jumped out at me. I realised that all the accounts in my servers are owned by reseller accounts rather than root. I changed the ownership of some accounts and the API worked.
Not sure I agree with the logic that prevents a root account getting to this data, but luckily I'm able to log in to the API with each of the reseller accounts so I can achieve my objective with the API.
Many thanks for your help.
0 -
I'm glad I could help point you in the right direction, at least! Are you saying the call did not work on an account owned by a reseller?
0 -
That's right, not when the call is made with a root-owned token. It does work with a token generated by the reseller though.
0
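The thread shows showbw answering with "result":1 and "reason":"OK" while "acct" is empty, so a script that only checks the metadata would record zero bandwidth. The following added example (not code from any poster or from cPanel) separates that case from a populated response; the function name `summarize_showbw` and both sample responses are constructed for illustration, following the response shape quoted above.

```python
import json

# Constructed sample: same shape as the empty response quoted in the thread.
EMPTY_OK = ('{"data":{"totalused":0,"acct":[],"reseller":"root","year":2024,"month":2},'
            '"metadata":{"version":1,"result":1,"reason":"OK","command":"showbw"}}')

# Constructed sample: one reseller-owned account, mixed string/int "usage"
# values as seen in the populated response quoted in the thread.
POPULATED = json.dumps({
    "data": {"reseller": "reseller1", "totalused": "1500", "month": 2, "year": 2024,
             "acct": [{"user": "user1", "owner": "reseller1", "totalbytes": 1500,
                       "bwusage": [
                           {"domain": "example.com", "usage": "1000", "deleted": 0},
                           {"domain": "old.example.com", "usage": 500, "deleted": 1},
                           {"domain": "new.example.com", "usage": 0, "deleted": 0}]}]},
    "metadata": {"reason": "OK", "command": "showbw", "result": 1, "version": 1}})


def summarize_showbw(raw):
    """Classify a showbw response and normalise per-account byte counts."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"status": "invalid_json", "detail": str(exc), "accounts": {}}
    meta = doc.get("metadata", {})
    if meta.get("command") != "showbw" or meta.get("result") != 1:
        return {"status": "api_error", "detail": meta.get("reason", ""), "accounts": {}}
    data = doc.get("data", {})
    accounts = {}
    for acct in data.get("acct", []):
        # "usage" arrives as either a string or an int, so coerce before summing.
        live = sum(int(d["usage"]) for d in acct.get("bwusage", [])
                   if not d.get("deleted"))
        accounts[acct["user"]] = {"owner": acct.get("owner"),
                                  "totalbytes": int(acct["totalbytes"]),
                                  "live_domain_bytes": live}
    # OK metadata with no accounts: the token saw nothing, which is not the
    # same as "no bandwidth was used". Surface it instead of reporting zero.
    status = "ok" if accounts else "empty_ok"
    return {"status": status, "viewed_as": data.get("reseller"),
            "totalused": int(data.get("totalused", 0)), "accounts": accounts}


if __name__ == "__main__":
    for name, raw in (("EMPTY_OK", EMPTY_OK), ("POPULATED", POPULATED)):
        print(name, summarize_showbw(raw))
```

Treating `empty_ok` as an alert condition on a server known to host accounts catches a token whose view excludes them, as happened here with reseller-owned accounts.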