how the "allowed" check is implemented in the textroom plugin


Mitox Tech

Sep 1, 2021, 3:47:28 AM
to meetecho-janus

Good day!

A few days ago I discovered a problem using the textroom plugin.
Reading the documentation and source code, I saw that the plugin has the ability to use a token to enter the room ("allowed" ACL).

There are requests to add and remove tokens. While testing (using POSTMAN) this feature, I saw that the "join" request does not check the list of "allowed" tokens. Anyone can join the room, even if "allowed" is on.

I read the code and saw that this check is not implemented in the function. And here's the question: is it normal? Did I misunderstand the implementation, or is it a flaw?

How can I achieve security using this plugin?

Thanks!



Lorenzo Miniero

Sep 1, 2021, 4:28:17 AM
to meetecho-janus
You may be right: I remember we added the ACL stuff to multiple plugins at the same time, and so we may have missed some bits in the TextRoom plugin. I'll check later if that's the case.

L.

Lorenzo Miniero

Sep 1, 2021, 4:57:38 AM
to meetecho-janus
Please test this PR and let us know if it works as expected for you: I made a couple of tests and it seems to do the trick for me.
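
The gap discussed in this thread, modeled as an added example (not code from the TextRoom plugin or from the PR): a room with an "allowed" token list, a join that ignores it as reported, and a join that enforces it. All names here (`room_t`, `acl_add`, `acl_remove`, `join_unchecked`, `join_checked`) are hypothetical, and a fixed-size array stands in for whatever container the plugin really uses.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_TOKENS 8
#define TOKEN_LEN  64

/* Hypothetical, simplified room state; not the plugin's real structures. */
typedef struct {
    bool acl_enabled;                    /* "allowed" switched on for the room */
    char tokens[MAX_TOKENS][TOKEN_LEN];  /* an empty string marks a free slot */
} room_t;

/* Index of tok in the list, or -1. NULL/empty is refused first, else "" would match a free slot. */
static int acl_find(const room_t *r, const char *tok) {
    if (tok == NULL || tok[0] == '\0') return -1;
    for (int i = 0; i < MAX_TOKENS; i++)
        if (strcmp(r->tokens[i], tok) == 0) return i;
    return -1;
}

/* Add a token; returns false if it is empty, too long, or the list is full. */
bool acl_add(room_t *r, const char *tok) {
    if (tok == NULL || tok[0] == '\0' || strlen(tok) >= TOKEN_LEN) return false;
    if (acl_find(r, tok) >= 0) return true;      /* already listed */
    for (int i = 0; i < MAX_TOKENS; i++) {
        if (r->tokens[i][0] == '\0') {
            strcpy(r->tokens[i], tok);           /* length was checked above */
            return true;
        }
    }
    return false;
}

/* Remove a token so that later joins presenting it are refused. */
void acl_remove(room_t *r, const char *tok) {
    int i = acl_find(r, tok);
    if (i >= 0) r->tokens[i][0] = '\0';
}

/* Join as reported in the thread: the token list is never consulted. */
bool join_unchecked(const room_t *r, const char *tok) {
    (void)r; (void)tok;
    return true;
}

/* Join with the check: an enabled ACL admits listed tokens only (empty list admits nobody). */
bool join_checked(const room_t *r, const char *tok) {
    return !r->acl_enabled || acl_find(r, tok) >= 0;
}
```

The same cases make a useful regression test against a patched server: with the ACL enabled, a join with no token, an unknown token, or a removed token should all be refused.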
