hoangduit / openmeetings

Automatically exported from code.google.com/p/openmeetings

soap login #494

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I think it is better if there is a category of user for SOAP connections that could not log in directly to OpenMeetings.

Original issue reported on code.google.com by err...@gmail.com on 10 Jun 2008 at 7:34

GoogleCodeExporter commented 9 years ago
?
You can only log in via SOAP if the user you try to log in via SOAP is of type Administrator.

Original comment by seba.wag...@gmail.com on 10 Jun 2008 at 7:38

GoogleCodeExporter commented 9 years ago
is of type Administrator == Role Administrator

Original comment by seba.wag...@gmail.com on 10 Jun 2008 at 7:38

GoogleCodeExporter commented 9 years ago
Yes! But a user of type Administrator could log in from the login form, and I write the password of an administrator in a file.

If the user has the role "Soap" and these users cannot connect from the login form, then with that login and password it is possible to do less damage if somebody hacks the system or if I give a SOAP user to a third party.

My opinion

Original comment by err...@gmail.com on 10 Jun 2008 at 7:46

GoogleCodeExporter commented 9 years ago
Hm, yes, but if you have a valid SOAP account you are indeed able to do a lot of things, including deleting/adding/managing rooms and files.
And in the future you can even fully manage user accounts and register/add/update users via SOAP. So it is correct if this user is of type Administrator.

I think basically you can add a new type of user role, Soap, and say this user cannot log in via the web frontend, but via SOAP. If he can do almost the same as an Administrator via SOAP, what is the benefit of blocking him in the web frontend?

Original comment by seba.wag...@gmail.com on 10 Jun 2008 at 8:09

GoogleCodeExporter commented 9 years ago
A solution could be to limit the possibilities of the SOAP user.
For example, the SOAP user should connect only to the authorized room or the room that he has created; the same for recording a conference.

Original comment by err...@gmail.com on 10 Jun 2008 at 8:15

GoogleCodeExporter commented 9 years ago
The SOAP role could be implemented that way, but the system would still allow the Administrator user role to do SOAP.

The role system would then be:
Administrator
SOAP-User
Moderator
User

So adding the SOAP role is an additional role, but it will still be possible to do the same in the Administration role.

Original comment by seba.wag...@gmail.com on 10 Jun 2008 at 8:24

GoogleCodeExporter commented 9 years ago
This is already fixed; there is a user type "Web-Service Only".

Original comment by seba.wag...@gmail.com on 5 Sep 2011 at 9:19