Good day!
A few days ago I discovered a problem using the textroom plugin.
Reading the documentation and source code, I saw that the plugin has the ability to use a token to enter the room (the "allowed" ACL).
There are requests to add and remove tokens. While testing (using POSTMAN) this feature, I saw that the "join" request does not check the list of "allowed" tokens. Anyone can join the room, even if "allowed" is on.
I read the code and saw that this check is not implemented in the function. And here's the question: is this normal? Did I misunderstand the implementation, or is it a flaw?
How can I achieve security using this plugin?
Thanks!