seems to be fixed

On Thu, May 26, 2016 at 6:33 PM, Pablo Vidal Figueiras <[email protected]> wrote:

> Thank you Maxim ;)
>
> *Pablo Vidal Figueiras*
> [email protected]
> 981926047
>
> *BALIDEA*
> *Consulting & Programming*
>
> Avda. Finisterre, 281, 1º / 15008 A Coruña
> Tel.: 981 93 78 76 / Fax: 981 93 78 21 / [email protected] / www.balidea.com
>
> *From:* Maxim Solodovnik [mailto:[email protected]]
> *Sent:* Thursday, 26 May 2016 14:30
> *To:* Openmeetings user-list <[email protected]>
> *Cc:* Bruno Rubio Gayo <[email protected]>
> *Subject:* Re: SecureHash issue
>
> https://issues.apache.org/jira/browse/OPENMEETINGS-1411
>
> On Thu, May 26, 2016 at 6:00 PM, Maxim Solodovnik <[email protected]> wrote:
>
> Hello Pablo,
>
> secureHashes are mostly being used as one-time-hash, I'll check what is going on in case "allowSameURLMultipleTimes" is set to true and will write back here
>
> On Thu, May 26, 2016 at 4:57 PM, Pablo Vidal Figueiras <[email protected]> wrote:
>
> Hi,
>
> I detected an issue related to the secureHash url and indirectly to allowSameURLMultipleTimes when it's set to true.
>
> I'm using a 3.1.2 Snapshot version I downloaded on 5/5 from the svn branch and disconnected from the apache svn, so I have no further updates
>
> SecureHash url is created with an administrator user (swCetir in this case) for an external user (moderator)
>
> ExternalUserDTO Json in construction
>
> properties.addProperty("login", 1111L);
> properties.addProperty("firstname", "moderator");
> properties.addProperty("lastname", "grabable");
> properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
> properties.addProperty("email", "[email protected]");
> properties.addProperty("externalId", 1111L);
> properties.addProperty("externalType", "tipo_cetir");
>
> RoomOptionsDTO Json in construction
>
> properties.addProperty("roomId", 11L);
> properties.addProperty("moderator", Boolean.TRUE);
> properties.addProperty("showAudioVideoTest", Boolean.FALSE);
> properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
> properties.addProperty("recordingId", 11L);
> properties.addProperty("showNickNameDialog", Boolean.FALSE);
> properties.addProperty("allowRecording", Boolean.TRUE);
>
> Resulting in a url like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"
>
> Now, the 1st time the url is called, the traces I added show the user used to check permission is the administrator user (swCetir)
>
> DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
> DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
> DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
> DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
> DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
> DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]
>
> 2nd and next tries, it uses the external user (moderator)
>
> DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
> DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
> DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
> DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
> DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]
>
> Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"
>
> If allowSameURLMultipleTimes is set to false, the error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user
>
> Best regards.

--
WBR
Maxim aka solomax
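
An added example, not part of the original thread and not OpenMeetings code: a Python script that groups the DEBUG traces quoted above into one permission check per `users_id` line and reports when the `Soap` level was both granted and denied for different user ids, the symptom described in the report. The function names, and the assumption that a `users_id` line opens each check on its executor thread, belong to this example.

```python
import re

# Trace lines quoted in the report above, with the mail line-wrapping removed.
SAMPLE = """\
DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]
DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]
"""

# Assumption: every trace line ends with "[thread] - message", as in the sample.
TRACE = re.compile(r"\[(?P<thread>[^\]]+)\] - (?P<msg>.+)$")

def sessions_from(log_text):
    """Split traces into permission checks; a users_id line opens one per thread."""
    checks, current = [], {}
    for line in log_text.splitlines():
        m = TRACE.search(line)
        if not m:
            continue
        key, _, value = m["msg"].partition(":")
        check = current.get(m["thread"])
        if key == "users_id":
            check = current[m["thread"]] = {"user": int(value), "rights": [], "levels": {}}
            checks.append(check)
        elif check and key == "rights":
            check["rights"].append(value.strip())
        elif check and key.startswith("Level "):
            # "Level Soap :: [GRANTED]" -> levels["Soap"] = "GRANTED"
            check["levels"][key[6:].strip()] = value.strip(": []")
    return checks

def mixed_verdicts(checks, level="Soap"):
    """Return {verdict: user ids} when `level` got more than one verdict, else {}."""
    seen = {}
    for c in checks:
        if level in c["levels"]:
            seen.setdefault(c["levels"][level], set()).add(c["user"])
    return seen if len(seen) > 1 else {}

if __name__ == "__main__":
    for verdict, users in mixed_verdicts(sessions_from(SAMPLE)).items():
        print(verdict, sorted(users))
```
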
