Posted to commits@openmeetings.apache.org by "Maxim Solodovnik (JIRA)" <ji...@apache.org> on 2016/05/26 12:35:12 UTC

[jira] [Resolved] (OPENMEETINGS-1411) allowSameURLMultipleTimes parameter for secure hash is broken

     [ https://issues.apache.org/jira/browse/OPENMEETINGS-1411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maxim Solodovnik resolved OPENMEETINGS-1411.
--------------------------------------------
    Resolution: Fixed

> allowSameURLMultipleTimes parameter for secure hash is broken
> -------------------------------------------------------------
>
>                 Key: OPENMEETINGS-1411
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-1411
>             Project: Openmeetings
>          Issue Type: Bug
>          Components: SOAP/REST API
>    Affects Versions: 3.1.1
>            Reporter: Maxim Solodovnik
>            Assignee: Maxim Solodovnik
>             Fix For: 3.1.2, 3.2.0, 4.0.0
>
>
> per user list:
> Hi,
>  
> I detected an issue related to secureHash url and indirectly with the allowSameURLMultipleTimes when it's set as true.
>  
> I'm using a 3.1.2 Snapshot version I downloaded the 5/5 from the svn branch and disconnected from the apache svn, so I have no further updates
>  
> SecureHash url is created with an administrator user (swCetir in the case) for an external user (moderator)
>  
> ExternalUserDTO Json in construction
> properties.addProperty("login", 1111L);
> properties.addProperty("firstname", "moderator");
> properties.addProperty("lastname", "grabable");
> properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
> properties.addProperty("email", "prueba@cetir.com");
> properties.addProperty("externalId", 1111L);
> properties.addProperty("externalType", "tipo_cetir");
>  
> RoomOptionsDTO Json in construction
> properties.addProperty("roomId", 11L);
> properties.addProperty("moderator", Boolean.TRUE);
> properties.addProperty("showAudioVideoTest", Boolean.FALSE);
> properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
> properties.addProperty("recordingId", 11L);
> properties.addProperty("showNickNameDialog", Boolean.FALSE);
> properties.addProperty("allowRecording", Boolean.TRUE);
>  
> Resulting in an url like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"
>  
> Now, the 1st time the url is called, the traces I added show the user used to check permission is administrator user (swCetir)
> DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
> DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
> DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
> DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
> DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
> DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]
>  
> 2nd and next tries, it uses external user (moderator)
> DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
> DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
> DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
> DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
> DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]
>  
> Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"
>  
> If allowSameURLMultipleTimes is set as false, error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user
>  
> Best regards.
>  
>  
> Pablo Vidal Figueiras


