According to this [1] check only logged-in users are able to get recordings (user session can be logged in via secureHash or user/password or LDAP etc.)
This [2] check was rewritten not to allow access to someone else's recordings.
Would appreciate any additional testing on this. The demo will be updated as soon as the new SNAPSHOT is ready.

[1] https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/RecordingResourceReference.java#L125
[2] https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/RecordingResourceReference.java#L89

On Tue, Jul 26, 2016 at 12:50 PM, seba.wag...@gmail.com <seba.wag...@gmail.com> wrote:

> Are you really sure the recording is private?
>
> Cause only if it has an owner + is private it will validate it. If it's
> public, then you just need a valid login session token.
>
> But seems like you can also access it even without a valid session token ?
>
> Thanks,
> Sebastian
>
> 2016-07-26 17:25 GMT+12:00 Maxim Solodovnik <solomax...@gmail.com>:
>
>> https://issues.apache.org/jira/browse/OPENMEETINGS-1438
>>
>> On Tue, Jul 26, 2016 at 12:00 PM, Maxim Solodovnik <solomax...@gmail.com>
>> wrote:
>>
>>> Seems to be reproducible :((((
>>> I'm going to investigate/fix it ASAP, additionally 3.1.2 release will be
>>> postponed to have this fix
>>> Could you please create JIRA issue?
>>>
>>> On Mon, Jul 25, 2016 at 6:48 PM, Andre Wruszczak <wruszc...@web.de>
>>> wrote:
>>>
>>>> Ah! Thanks for the source-link.
>>>>
>>>> Maybe the OwnerId or GroupId is always null?
>>>>
>>>> Hmm..
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Monday, July 25, 2016 4:44 AM
>>>> *To:* Openmeetings user-list <user@openmeetings.apache.org>
>>>> *Subject:* Re: Private Recordings accessible to all Users!
>>>>
>>>> Hello Andre,
>>>>
>>>> actually permissions are being checked [1]
>>>>
>>>> I'll double-check this today (I hope I'll have enough time)
>>>>
>>>> [1]
>>>> https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/RecordingResourceReference.java#L86
>>>>
>>>> On Sat, Jul 23, 2016 at 8:02 AM, Andre Wruszczak <wruszc...@web.de>
>>>> wrote:
>>>>
>>>> Dear Openmeetings-Dev-Team,
>>>>
>>>> I have yet another question.
>>>>
>>>> Is it possible to force userid validation for recordings?
>>>> Maybe because my browser is storing my sessionID, but when I switch
>>>> users, all of them can see the recordings of other people if they try the
>>>> url :
>>>> http://localhost:5080/openmeetings/recordings/mp4/47
>>>> ->Anyone logged in can get access to all recordings if they are
>>>> tenacious enough to try all the numbers.
>>>>
>>>> Maybe I have made a mistake while setting up OM? (Current Version 3.1.1)
>>>>
>>>> With lots of regards,
>>>>
>>>> Andre
>>>>
>>>> --
>>>> WBR
>>>> Maxim aka solomax
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>
>> --
>> WBR
>> Maxim aka solomax
>
> --
> Sebastian Wagner
> https://twitter.com/#!/dead_lock
> seba.wag...@gmail.com

--
WBR
Maxim aka solomax
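
The rule Sebastian describes in the thread (ownership is compared only when a recording has an owner and is private, otherwise a logged-in session is enough) is set here beside a fail-closed variant, which also covers the null-owner case Andre asks about. This is an added example, not code from OpenMeetings or from anyone in the thread: the `Recording` and `Session` types, their fields, the member-only group rule and all sample values are assumptions.

```java
import java.util.Set;

public class RecordingAccessDemo {
    // Hypothetical model (Java 16+ records); not OpenMeetings classes.
    record Recording(long id, Long ownerId, Long groupId, boolean isPrivate) {}
    record Session(Long userId, Set<Long> groupIds) {}

    // Rule as described in the thread: the owner is compared only when the
    // recording has an owner AND is private; anything else needs just a login.
    static boolean lenientCanRead(Session s, Recording r) {
        if (s == null || s.userId() == null) return false;
        if (r.ownerId() != null && r.isPrivate()) {
            return r.ownerId().equals(s.userId());
        }
        return true; // a private recording with a null owner lands here
    }

    // Fail-closed variant: a private recording is readable by its owner only,
    // and missing ownership data denies access instead of skipping the check.
    static boolean strictCanRead(Session s, Recording r) {
        if (s == null || s.userId() == null || r == null) return false;
        if (r.isPrivate()) {
            return s.userId().equals(r.ownerId()); // null owner -> false
        }
        if (r.groupId() != null) { // assumption: group recordings are member-only
            return s.groupIds().contains(r.groupId());
        }
        return true; // public: any logged-in session, as stated in the thread
    }

    public static void main(String[] args) {
        Session other = new Session(2L, Set.of(10L)); // constructed sample user
        Recording[] samples = {
            new Recording(47, 1L, null, true),    // private, owned by user 1
            new Recording(48, null, null, true),  // private, owner missing
            new Recording(49, 1L, 20L, false),    // group 20, user not a member
            new Recording(50, 1L, null, false),   // public
        };
        for (Recording r : samples) {
            System.out.printf("recording %d: lenient=%b strict=%b%n",
                    r.id(), lenientCanRead(other, r), strictCanRead(other, r));
        }
    }
}
```

The two functions disagree on the private recording with a missing owner and on the group recording, which are the cases worth covering when testing the rewritten check.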