App link grants moderator rights to anyone
Hi,
It seems that the internal link to the conference grants moderator rights to users that are not even logged into NextCloud. Is this intended behavior? Given that there is no JWT token in the URL, it seems that this lowers the security for moderator connections? An additional issue is that anyone knowing about this can "upgrade" their internal User link to a Moderator link.
The internal links from Jitsi yield user rights, which is what IMO the links from the Nextcloud-Jitsi plugin should do as well?
NextCloud Link (No Token!)
https://<my-cloud.com>/apps/jitsi/rooms/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RoomName
-> Moderator rights (No NextCloud login needed!)
Jitsi Link (No Token)
https://<my-jitsi.com>/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-> User rights
Jitsi Link + Token
https://<my-jitsi.com>/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX?jwt=XXXXXXXXXXXXXX..
-> Moderator rights
Thanks for this plugin & the attention!
Edit: Note that I have "guest" access enabled in Jitsi via JWT_ALLOW_EMPTY=1 and ENABLE_GUESTS=1 to allow user level access.
Edit2: Running on NextCloud 24, PHP-FPM Docker version
I'm also struggling with this: anybody can kick everyone out and take over the room. Is there a way to share the meeting URL without granting moderator rights?
You can use the URL that Jitsi itself gives you (in the meeting), that one doesn't have mod rights. But as I said, if the user knows about this they can elevate their rights by changing the URL.
it seems that the internal link to the conference grants moderator rights to users that are not even logged into NextCloud. Is this intended behavior?
Currently, this is the expected behaviour. Sharing rooms and permission management are planned for future releases. But this may still take a while.
Thanks for the answer. In the absence of actual user management it would be nice to at least use a different uuid for the Nextcloud chat URL so that one can use the actual Jitsi URL as a user URL without the danger of somebody elevating their rights by changing the URL prefix.
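One way the separation suggested above could be implemented, as an added illustration that is not the plugin's own code: the uuid in the Nextcloud app link stays internal, and the Jitsi room name is derived from it with a keyed HMAC, so the user-level Jitsi URL no longer reveals the moderator URL. The domain names and the secret are constructed placeholders.

```python
import hashlib
import hmac
import uuid

# Constructed values for this example; a real deployment keeps the secret in server config.
NEXTCLOUD_BASE = "https://my-cloud.example/apps/jitsi/rooms"
JITSI_BASE = "https://my-jitsi.example"
SERVER_SECRET = b"constructed-example-secret-change-me"


def derive_jitsi_room(app_room_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Map the uuid in the Nextcloud app link to a separate Jitsi room name.

    HMAC-SHA256 is keyed and one-way: without the server secret, the Jitsi room
    name cannot be turned back into the app-link uuid, and vice versa.
    """
    digest = hmac.new(secret, app_room_id.encode("ascii"), hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


def links_same_uuid(app_room_id: str, room_name: str) -> tuple[str, str]:
    """The scheme described in the thread: both URLs carry the same uuid."""
    return (f"{NEXTCLOUD_BASE}/{app_room_id}/{room_name}",
            f"{JITSI_BASE}/{app_room_id}")


def links_derived(app_room_id: str, room_name: str) -> tuple[str, str]:
    """The suggested scheme: the Jitsi room name is derived server-side."""
    return (f"{NEXTCLOUD_BASE}/{app_room_id}/{room_name}",
            f"{JITSI_BASE}/{derive_jitsi_room(app_room_id)}")


def jitsi_id_reveals_app_link(app_link: str, jitsi_link: str) -> bool:
    """True when the Jitsi room segment also appears in the app link, i.e. when
    a participant could rebuild the moderator link from the user link."""
    jitsi_room = jitsi_link.rsplit("/", 1)[1]
    return jitsi_room in app_link


if __name__ == "__main__":
    room = "123e4567-e89b-12d3-a456-426614174000"  # constructed sample room id
    for scheme in (links_same_uuid, links_derived):
        app_link, jitsi_link = scheme(room, "RoomName")
        print(scheme.__name__, "->", "derivable" if
              jitsi_id_reveals_app_link(app_link, jitsi_link) else "not derivable")
```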