OliveTin / OliveTin

OliveTin gives safe and simple access to predefined shell commands from a web interface.
https://olivetin.app
GNU Affero General Public License v3.0

Websocket messages are broadcast to all windows #471

Open hialvaro opened 2 weeks ago

hialvaro commented 2 weeks ago

When using OliveTin with multiple users (from different ACL groups even), when a user triggers an action, when the action finishes it opens the result modal for everyone. Here's the flow:

  1. Open two browsers and log in with different users
  2. From user A, run any action that opens an output modal
  3. Once the action finishes, the modal is open for user B and user A showing the result

jamesread commented 2 days ago

Heya, I'm actually surprised that this is the first time this issue has come up - because I see this all the time when testing, and the websocket code has always worked like this.

The fundamental problem is actually that all websocket messages are sent to all clients - this is actually quite challenging to fix, as we need to track which browser window really should receive which messages.

hialvaro commented 1 day ago

I assume, as per what you state, that this does not respect ACLs at all? So all users would see the command output for any job?
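
The delivery problem discussed in this thread, as an added Go sketch that is not OliveTin's code: it contrasts broadcasting a finished-execution message to every socket with delivering it only to sockets whose authenticated user started the action or may view it. The `Client`, `Event`, `Hub` and `CanView` names and the idea of binding a user to the socket at upgrade time are assumptions, and an in-memory `Inbox` stands in for real websocket writes.

```go
package main

import "fmt"

// Client is one connected browser window. User is the identity bound to
// the socket when it was upgraded (assumed model, not OliveTin's).
type Client struct {
	User  string
	Inbox []string // stands in for writes to the websocket
}

// Event is a finished-execution message; Owner is the user who ran the action.
type Event struct{ ActionID, Owner, Output string }

// Hub tracks connected clients and a hypothetical per-action view ACL.
type Hub struct {
	Clients []*Client
	CanView map[string]map[string]bool // actionID -> user -> allowed
}

// BroadcastAll reproduces the behaviour reported in the issue:
// every window receives every message, whoever triggered it.
func (h *Hub) BroadcastAll(e Event) int {
	for _, c := range h.Clients {
		c.Inbox = append(c.Inbox, e.Output)
	}
	return len(h.Clients)
}

// SendAuthorized delivers only to sockets whose bound user started the
// action or is explicitly allowed to view it. Anything else is denied.
func (h *Hub) SendAuthorized(e Event) int {
	sent := 0
	for _, c := range h.Clients {
		if c.User != e.Owner && !h.CanView[e.ActionID][c.User] {
			continue // unknown action or user: no delivery
		}
		c.Inbox = append(c.Inbox, e.Output)
		sent++
	}
	return sent
}

func main() {
	a, b := &Client{User: "userA"}, &Client{User: "userB"}
	h := &Hub{Clients: []*Client{a, b}, CanView: map[string]map[string]bool{}}
	e := Event{ActionID: "backup", Owner: "userA", Output: "done"} // constructed sample
	fmt.Println(h.BroadcastAll(e), h.SendAuthorized(e))
}
```

The filter has to run on the server at send time; hiding the modal in the browser would still put the output on the other user's socket.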