Uploaded image for project: 'Openmeetings'
  1. Openmeetings
  2. OPENMEETINGS-1411

allowSameURLMultipleTimes parameter for secure hash is broken

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.1
    • Fix Version/s: 3.1.2, 3.2.0, 4.0.0
    • Component/s: SOAP/REST API
    • Labels:
      None

      Description

      per user list:

      Hi,

      I detected an issue related to secureHash url and indirectly with the allowSameURLMultipleTimes when it's setted as true.

      I'm using a 3.1.2 Snapshot version I donwloaded the 5/5 from the svn branch and disconnected from the apache svn, so I have no further updates

      SecureHash url is created with an administrator user (swCetir in the case) for an external user (moderator)

      ExternalUserDTO Json in construction
      properties.addProperty("login", 1111L);
      properties.addProperty("firstname", "moderator");
      properties.addProperty("lastname", "grabable");
      properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
      properties.addProperty("email", "prueba@cetir.com");
      properties.addProperty("externalId", 1111L);
      properties.addProperty("externalType", "tipo_cetir");

      RoomOptionsDTO Json in construction
      properties.addProperty("roomId", 11L);
      properties.addProperty("moderator", Boolean.TRUE);
      properties.addProperty("showAudioVideoTest", Boolean.FALSE);
      properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
      properties.addProperty("recordingId", 11L);
      properties.addProperty("showNickNameDialog", Boolean.FALSE);
      properties.addProperty("allowRecording", Boolean.TRUE);

      Resulting in an url like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"

      Now, the 1st time the url is called, the traces I added show the user used to check permission is administrator user (swCetir)
      DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
      DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
      DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
      DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
      DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
      DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]

      2nd and next tries, it uses external user (moderator)
      DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
      DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
      DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
      DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
      DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]

      Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"

      If allowSameURLMultipleTimes is setted as false, error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user

      Best regards.

      Pablo Vidal Figueiras

        Attachments

          Activity

            People

            • Assignee:
              solomax Maxim Solodovnik
              Reporter:
              solomax Maxim Solodovnik
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: