Using API from inside DA plugin - without ADMIN PASS

[psycho]

Hey there,

In order to create the most easy-to-install plugin, that use the ADMIN API's to get some information I would like to know if there is an option to call to an api's from inside admin plugin without using the admin credentials (username/pass)

Is that possible?
(Using Admin password inside a pure plaintext isn't smart idea though..)

Thanks

 

[hehachris]

what is the information you want to get? may be there is another way.

 

[psycho]

what is the information you want to get? may be there is another way.

found the answer, I just needed to access to 127.0.0.1 as localhost from the api call, and not to the public ip.

thanks anyway

 

[psycho]

found the answer, I just needed to access to 127.0.0.1 as localhost from the api call, and not to the public ip.

thanks anyway

Maybe I'm wrong, when using 127.0.0.1 as the server, without giving password and only using set_login, can I login as admin? even though the user that connected is only a reseller?

Can someone give exact information?

 

[hehachris]

I dont think its possbile, otherwise it could be a big security risk.

 

[psycho]

I dont think its possbile, otherwise it could be a big security risk.

Why? It's a plugin that the admin trust and installed, it's make some sense that an installed plug-in can use API that reserved to admins without saving the admin password in plain-text like PHP scripts etc..

Do you get my point? must be a way to use all the API's even the one that limited to the admin without using the admins password -> Saving this information that what I call security risk

 

[hehachris]

Um I didn't get your point indeed. I thought what you want is to use the API locally (no matter where) without the password.

How about saving the password in a file, chown to admin, chmod 400, just like /usr/local/directadmin/conf/mysql.conf

 

[psycho]

Um I didn't get your point indeed. I thought what you want is to use the API locally (no matter where) without the password.

How about saving the password in a file, chown to admin, chmod 400, just like /usr/local/directadmin/conf/mysql.conf

and how the Plugin can read it? If the user that running the plug-in isn't the admin?

And last try to explain my point:

If the admin chosed to install a plugin it make sense that the plugin can do some actions that is written in the php code, like modifying other resellers which required admin-level access.

so the plugin is installed it's make some sense that it won't ask for the user password cause the admin trust the installed plug-in.

Understood?

Thanks for your response

 

[hehachris]

and how the Plugin can read it? If the user that running the plug-in isn't the admin?

Use a C change root wrapper to read it.

 

[psycho]

Can someone from The DA Team to response please with an offical answer?

Thanks