Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.1.1
- None
Description
per user list:
Hi,
I detected an issue related to the secureHash URL and, indirectly, to allowSameURLMultipleTimes when it's set to true.
I'm using a 3.1.2 Snapshot version that I downloaded on 5/5 from the svn branch and disconnected from the Apache svn, so I have no further updates.
The secureHash URL is created with an administrator user (swCetir in this case) for an external user (moderator).
ExternalUserDTO JSON in construction:
properties.addProperty("login", 1111L);
properties.addProperty("firstname", "moderator");
properties.addProperty("lastname", "grabable");
properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
properties.addProperty("email", "prueba@cetir.com");
properties.addProperty("externalId", 1111L);
properties.addProperty("externalType", "tipo_cetir");
RoomOptionsDTO JSON in construction:
properties.addProperty("roomId", 11L);
properties.addProperty("moderator", Boolean.TRUE);
properties.addProperty("showAudioVideoTest", Boolean.FALSE);
properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
properties.addProperty("recordingId", 11L);
properties.addProperty("showNickNameDialog", Boolean.FALSE);
properties.addProperty("allowRecording", Boolean.TRUE);
Resulting in a URL like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"
Now, the 1st time the URL is called, the traces I added show that the user used to check permissions is the administrator user (swCetir):
DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]
On the 2nd and subsequent tries, it uses the external user (moderator):
DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]
Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"
If allowSameURLMultipleTimes is set to false, the error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user.
Best regards.
Pablo Vidal Figueiras