Admin API Key has access to passwords #2988

Closed
eduardomozart opened this issue Dec 10, 2021 · 1 comment

@eduardomozart
Contributor

The TeamPass documentation states that Admin accounts have access to TeamPass configuration only, but it's possible to use the API key from the "admin" user to query password items from the TeamPass API. I'm using TeamPass 2.x because the TeamPass 3.x branch states that TeamPass 2.x users should wait before upgrading to TeamPass 3.x.

Steps to reproduce

  1. Enable API access into TeamPass settings.
  2. Query a password item from TeamPass API using the user API key.

Expected behaviour

Admin-only accounts shouldn't have access to password items, respecting their access to TeamPass configuration only.

Actual behaviour

The TeamPass API item query is answered successfully with the "admin" API key.

Operating system: Linux cloud.ifantasy.com.br 3.10.0-962.3.2.lve1.5.60.el7.x86_64 #1 SMP Fri Jul 23 07:07:00 EDT 2021 x86_64

Web server: Apache

Database: 5.7.30

PHP version: 7.4.26

Teampass version: 2.1.27.36

Teampass configuration file:

'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '0',
'log_connections' => '0',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '0',
'item_duplicate_in_same_folder' => '0',
'duplicate_item' => '0',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/home/robertinho/public_html/teampass',
'cpassman_url' => 'https://<anonym_url>',
'favicon' => 'https://<anonym_url>/favicon.ico',
'path_to_upload_folder' => '/home/robertinho/public_html/teampass/upload',
'url_to_upload_folder' => 'https://<anonym_url>/upload',
'path_to_files_folder' => '/home/robertinho/public_html/teampass/files',
'url_to_files_folder' => 'https://<anonym_url>/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'cpassman_version' => '2.1.27',
'ldap_mode' => '0',
'ldap_type' => '0',
'ldap_suffix' => '0',
'ldap_domain_dn' => '0',
'ldap_domain_controler' => '0',
'ldap_user_attribute' => '0',
'ldap_ssl' => '0',
'ldap_tls' => '0',
'ldap_elusers' => '0',
'ldap_search_base' => '0',
'ldap_port' => '389',
'richtext' => '0',
'allow_print' => '0',
'roles_allowed_to_print' => '0',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '1',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => '',
'custom_login_text' => '',
'default_language' => 'portuguese_br',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1633889212',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'sending_emails' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => '',
'email_smtp_auth' => '',
'email_auth_username' => '',
'email_auth_pwd' => '<removed>',
'email_port' => '',
'email_security' => '',
'email_server_url' => '',
'email_from' => '',
'email_from_name' => '',
'pwd_maximum_length' => '40',
'google_authentication' => '0',
'delay_item_edition' => '0',
'allow_import' => '0',
'proxy_ip' => '',
'proxy_port' => '',
'upload_maxfilesize' => '20mb',
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
'upload_imagesext' => 'jpg,jpeg,gif,png',
'upload_pkgext' => '7z,gz,rar,tar,zip',
'upload_otherext' => 'cfg,exe,pem,sql,xml',
'upload_imageresize_options' => '1',
'upload_imageresize_width' => '800',
'upload_imageresize_height' => '600',
'upload_imageresize_quality' => '90',
'use_md5_password_as_salt' => '0',
'ga_website_name' => 'TeamPass for ChangeMe',
'api' => '1',
'subfolder_rights_as_parent' => '1',
'show_only_accessible_folders' => '0',
'enable_suggestion' => '0',
'otv_expiration_period' => '7',
'default_session_expiration_time' => '60',
'duo' => '0',
'enable_server_password_change' => '0',
'ldap_object_class' => '0',
'bck_script_path' => '/home/robertinho/public_html/teampass/backups',
'bck_script_filename' => 'bck_teampass',
'syslog_enable' => '0',
'syslog_host' => 'localhost',
'syslog_port' => '514',
'manager_move_item' => '0',
'create_item_without_password' => '0',
'otv_is_enabled' => '0',
'agses_authentication_enabled' => '0',
'item_extra_fields' => '0',
'saltkey_ante_2127' => 'none',
'migration_to_2127' => 'done',
'files_with_defuse' => 'done',
'timezone' => 'America/Sao_Paulo',
'enable_attachment_encryption' => '1',
'personal_saltkey_security_level' => '50',
'ldap_new_user_is_administrated_by' => '0',
'disable_show_forgot_pwd_link' => '0',
'offline_key_level' => '0',
'enable_http_request_login' => '0',
'ldap_and_local_authentication' => '0',
'secure_display_image' => '1',
'upload_zero_byte_file' => '0',
'upload_all_extensions_file' => '0',
'bck_script_passkey' => '<removed>',
'admin_2fa_required' => '1',
'can_create_root_folder' => '1',

Updated from an older Teampass or fresh install: Fresh install

Client configuration

Browser: Chrome - 96.0.4664.93

Operating system: Windows Server 2008 R2 / 7 - 64bits

Logs

Web server error log

None.

Log from the web-browser developer console (CTRL + SHIFT + i)

None.
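The authorization gap this report describes, as an added illustration that is not TeamPass's own code: the user store, the item store, the API keys and both handlers are constructed for the example. The weak handler only checks that the API key exists, so any valid key reads any item; the hardened handler also refuses item reads for configuration-only admin accounts and enforces folder-level access, which is the expected behaviour the report asks for.

```php
<?php
declare(strict_types=1);

// Constructed sample data, not TeamPass's schema: users resolved by API key.
// 'admin' marks a configuration-only account; 'folders' lists readable folder ids.
const USERS_BY_API_KEY = [
    'key-alice-constructed' => ['login' => 'alice', 'admin' => false, 'folders' => [10, 11]],
    'key-admin-constructed' => ['login' => 'admin', 'admin' => true,  'folders' => []],
];

// Constructed password items; 'folder' is the folder each item belongs to.
const ITEMS = [
    1 => ['label' => 'db-prod', 'folder' => 10],
    2 => ['label' => 'vpn-gw',  'folder' => 20],
];

// Weak handler: the key is authenticated, but nothing about the principal behind
// it is authorized, so any valid key (including an admin's) can read any item.
function getItemWeak(string $apiKey, int $itemId): array
{
    if (!isset(USERS_BY_API_KEY[$apiKey])) {
        return ['status' => 401, 'error' => 'invalid API key'];
    }
    if (!isset(ITEMS[$itemId])) {
        return ['status' => 404, 'error' => 'no such item'];
    }
    return ['status' => 200, 'item' => ITEMS[$itemId]];
}

// Hardened handler: resolve the key to a user, apply the role rule, then enforce
// the same folder-level access the web UI applies. Every failure is deny-by-default.
function getItemHardened(string $apiKey, int $itemId): array
{
    $user = USERS_BY_API_KEY[$apiKey] ?? null;
    if ($user === null) {
        return ['status' => 401, 'error' => 'invalid API key'];
    }
    // Configuration-only accounts must not read items through the API;
    // log the refusal so repeated attempts are visible to monitoring.
    if ($user['admin'] === true) {
        error_log(sprintf('api: item read denied for admin-only account %s', $user['login']));
        return ['status' => 403, 'error' => 'admin accounts cannot read items'];
    }
    $item = ITEMS[$itemId] ?? null;
    // Unauthorized folders get 404 as well, so the API does not confirm item existence.
    if ($item === null || !in_array($item['folder'], $user['folders'], true)) {
        return ['status' => 404, 'error' => 'no such item'];
    }
    return ['status' => 200, 'item' => $item];
}

// Demonstration: the admin key succeeds against the weak handler and is refused
// by the hardened one; a regular user is limited to the folders they can read.
foreach (['key-admin-constructed', 'key-alice-constructed'] as $key) {
    foreach ([1, 2] as $id) {
        printf("%-22s item %d  weak=%d  hardened=%d\n",
            $key, $id, getItemWeak($key, $id)['status'], getItemHardened($key, $id)['status']);
    }
}
```

Run it with `php example.php`. The point is the order of checks: authenticate the key, authorize the role, then authorize the object. The weak handler stops after the first step, which is exactly the gap the report describes; the hardened handler treats a valid key as identity only, never as permission.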

@eduardomozart
Contributor Author

I decided to close this issue to investigate it further through issue #2765.
