nextcloud / jitsi

Nextcloud Jitsi Integration
GNU Affero General Public License v3.0

App link grants moderator rights to anyone #15

Open normen opened 1 year ago

normen commented 1 year ago

Hi,

it seems that the internal link to the conference grants moderator rights to users that are not even logged into NextCloud. Is this intended behavior? Given that there is no JWT token in the URL it seems that this lowers the security for moderator connections? An additional issue is that anyone knowing about this can "upgrade" their internal User link to a Moderator link.

The internal links from Jitsi yield user rights, which is what IMO the links from the Nextcloud-Jitsi plugin should do as well?

NextCloud Link (No Token!) https://<my-cloud.com>/apps/jitsi/rooms/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RoomName -> Moderator rights (No NextCloud login needed!)

Jitsi Link (No Token) https://<my-jitsi.com>/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -> User rights

Jitsi Link + Token https://<my-jitsi.com>/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX?jwt=XXXXXXXXXXXXXX.. -> Moderator rights

Thanks for this plugin & the attention!

Edit: Note that I have "guest" access enabled in Jitsi via JWT_ALLOW_EMPTY=1 and ENABLE_GUESTS=1 to allow user level access.

Edit2: Running on NextCloud 24, PHP-FPM Docker version

luminous706 commented 1 year ago

I'm also struggling with this, anybody can kick everyone out and take over the room, is there a way to share the meeting URL without granting moderator rights?

normen commented 1 year ago

You can use the URL that Jitsi itself gives you (in the meeting), that one doesn't have mod rights. But as I said, if the user knows about this they can elevate their rights by changing the URL.

weeman1337 commented 1 year ago

it seems that the internal link to the conference grants moderator rights to users that are not even logged into NextCloud. Is this intended behavior?

Currently, this is the expected behaviour. Sharing rooms and permission management are planned for future releases. But this may still take a while.

normen commented 1 year ago

Thanks for the answer. In the absence of actual user management it would be nice to at least use a different uuid for the Nextcloud chat URL so that one can use the actual Jitsi URL as a user URL without the danger of somebody elevating their rights by changing the URL prefix.
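The following is an added illustration of the mitigation discussed in this thread; it is not code from the nextcloud/jitsi app and does not use its API. It assumes a hypothetical design in which the Nextcloud moderator link carries the Jitsi room id plus an HMAC tag computed under a server-side secret, and in which the app only honours that link for a logged-in Nextcloud user. The hosts `my-cloud.example` and `my-jitsi.example`, the secret and the room id are constructed values. With this layout, knowing the plain Jitsi (user) URL is not enough to build the moderator URL by swapping the prefix, which is the "upgrade" the report describes.

```python
import hmac
import hashlib
import uuid
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed values for this illustration; a real app would read them from its config.
NEXTCLOUD_HOST = "my-cloud.example"
JITSI_HOST = "my-jitsi.example"


def moderator_tag(secret: bytes, jitsi_room_id: str) -> str:
    """HMAC tag that binds a moderator link to the server secret.

    Without the secret nobody can derive the tag from the Jitsi room id alone,
    so a user link cannot be turned into a moderator link by changing the URL prefix.
    """
    return hmac.new(secret, jitsi_room_id.encode(), hashlib.sha256).hexdigest()


def create_links(secret: bytes, room_name: str, jitsi_room_id: Optional[str] = None) -> dict:
    """Return the user link (served by Jitsi) and the moderator link (served by the app)."""
    jitsi_room_id = jitsi_room_id or str(uuid.uuid4())
    moderator_id = f"{jitsi_room_id}.{moderator_tag(secret, jitsi_room_id)}"
    return {
        "user_link": f"https://{JITSI_HOST}/{jitsi_room_id}",
        "moderator_link": f"https://{NEXTCLOUD_HOST}/apps/jitsi/rooms/{moderator_id}/{room_name}",
    }


def resolve(secret: bytes, url: str, logged_in_user: Optional[str]) -> Optional[Tuple[str, str]]:
    """Map a link to (jitsi_room_id, role), or None when the request must be refused."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]

    # Plain Jitsi link: user rights only, no session required.
    if parts.netloc == JITSI_HOST and len(segments) == 1:
        return segments[0], "user"

    # Nextcloud app link: /apps/jitsi/rooms/<room-id>.<tag>/<RoomName>
    if (parts.netloc == NEXTCLOUD_HOST
            and segments[:3] == ["apps", "jitsi", "rooms"]
            and len(segments) == 5):
        if logged_in_user is None:
            return None  # moderator rights are never handed to anonymous visitors
        room_id, _, tag = segments[3].partition(".")
        expected = moderator_tag(secret, room_id)
        if not tag or not hmac.compare_digest(tag.encode(), expected.encode()):
            return None  # missing or forged tag: a re-prefixed user link lands here
        return room_id, "moderator"

    return None


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    links = create_links(secret, "RoomName")
    print(links["user_link"], "->", resolve(secret, links["user_link"], None))
    print(links["moderator_link"], "->", resolve(secret, links["moderator_link"], "alice"))
    print("same moderator link, no login ->", resolve(secret, links["moderator_link"], None))
```

The tag is checked with a constant-time comparison and is only ever computed server-side, so the secret never appears in a URL. A room creator who wants to hand out a user-only link simply shares the Jitsi URL, as suggested earlier in the thread, and the moderator URL can no longer be reconstructed from it.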