https://issues.apache.org/jira/browse/OPENMEETINGS-1411
On Thu, May 26, 2016 at 6:00 PM, Maxim Solodovnik <[email protected]> wrote:

> Hello Pablo,
>
> secureHashes are mostly being used as one-time-hash, I'll check what is going on in case "allowSameURLMultipleTimes" is set to true and will write back here
>
> On Thu, May 26, 2016 at 4:57 PM, Pablo Vidal Figueiras <[email protected]> wrote:
>
>> Hi,
>>
>> I detected an issue related to the secureHash URL and, indirectly, to allowSameURLMultipleTimes when it's set to true.
>>
>> I'm using a 3.1.2 Snapshot version that I downloaded on 5/5 from the svn branch and disconnected from the Apache svn, so I have no further updates.
>>
>> The SecureHash URL is created with an administrator user (swCetir in this case) for an external user (moderator).
>>
>> ExternalUserDTO Json in construction
>>
>> properties.addProperty("login", 1111L);
>> properties.addProperty("firstname", "moderator");
>> properties.addProperty("lastname", "grabable");
>> properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
>> properties.addProperty("email", "[email protected]");
>> properties.addProperty("externalId", 1111L);
>> properties.addProperty("externalType", "tipo_cetir");
>>
>> RoomOptionsDTO Json in construction
>>
>> properties.addProperty("roomId", 11L);
>> properties.addProperty("moderator", Boolean.TRUE);
>> properties.addProperty("showAudioVideoTest", Boolean.FALSE);
>> properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
>> properties.addProperty("recordingId", 11L);
>> properties.addProperty("showNickNameDialog", Boolean.FALSE);
>> properties.addProperty("allowRecording", Boolean.TRUE);
>>
>> Resulting in a URL like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"
>>
>> Now, the 1st time the URL is called, the traces I added show that the user used to check permissions is the administrator user (swCetir):
>>
>> DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
>> DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
>> DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
>> DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
>> DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
>> DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]
>>
>> On the 2nd and subsequent tries, it uses the external user (moderator):
>>
>> DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
>> DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
>> DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
>> DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
>> DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]
>>
>> Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"
>>
>> If allowSameURLMultipleTimes is set to false, the error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user.
>>
>> Best regards.
>>
>> *Pablo Vidal Figueiras*
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
