[OPENMEETINGS-1411] allowSameURLMultipleTimes parameter for secure hash is broken - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.1
Fix Version/s: 3.1.2, 3.2.0, 4.0.0
Component/s: SOAP/REST API
Labels:
None

Description

per user list:

Hi,

I detected an issue related to secureHash url and indirectly with the allowSameURLMultipleTimes when it's setted as true.

I'm using a 3.1.2 Snapshot version I donwloaded the 5/5 from the svn branch and disconnected from the apache svn, so I have no further updates

SecureHash url is created with an administrator user (swCetir in the case) for an external user (moderator)

ExternalUserDTO Json in construction
properties.addProperty("login", 1111L);
properties.addProperty("firstname", "moderator");
properties.addProperty("lastname", "grabable");
properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
properties.addProperty("email", "prueba@cetir.com");
properties.addProperty("externalId", 1111L);
properties.addProperty("externalType", "tipo_cetir");

RoomOptionsDTO Json in construction
properties.addProperty("roomId", 11L);
properties.addProperty("moderator", Boolean.TRUE);
properties.addProperty("showAudioVideoTest", Boolean.FALSE);
properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
properties.addProperty("recordingId", 11L);
properties.addProperty("showNickNameDialog", Boolean.FALSE);
properties.addProperty("allowRecording", Boolean.TRUE);

Resulting in an url like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"

Now, the 1st time the url is called, the traces I added show the user used to check permission is administrator user (swCetir)
DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]

2nd and next tries, it uses external user (moderator)
DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]

Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"

If allowSameURLMultipleTimes is setted as false, error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user

Best regards.

Pablo Vidal Figueiras

Attachments

Activity

People

Assignee:: Maxim Solodovnik

Reporter:: Maxim Solodovnik

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 26/May/16 12:29

Updated:: 13/Jul/16 06:12

Resolved:: 26/May/16 12:34