SOLVED

Security glitch in FileShare pod

Level 3
In the FileShare pod, when logged in as a guest, the upload
and save file buttons are correctly disabled; however, double-
clicking on a file still allows the "guest" user to download
it.
6 Replies

Former Community Member
Hi Rick,



As a guest, you are allowed to download the file. You can do
this either by double-clicking or by selecting the file and
clicking on 'Save Selected File'. But you can upload or delete a
file only if you have a host or presenter role (i.e. userole 50 or
above).



FileShare Pod is added in the example LoginDialog.



Thanks

Hironmay

Level 3
Thanks for the info. In that case, the bug is actually the
opposite - the "Save Selected File" button in the FileShare pod
should be enabled when a guest is logged in, but it is not. ;-)

Former Community Member
Hi Rick,



The 'Save Selected File' button is enabled only when you
select an uploaded file (be it for user or for host/publisher).

When you go into a room as a user, it will be disabled by
default, but if you single-click on any uploaded file and select
it, you will see it enabled.



Thanks

Hironmay Basu

Level 3
Hmm. It seems that if I log in as guest now, I get full
control. Is there some type of authentication caching (e.g.
cookie/session not expiring) occurring?

Correct answer by
Former Community Member
Hi Rick,



Yes, caching could be one option.

But here it seems you have autopromote=true turned on for
your room. So, any user who comes in as guest is getting
autopromoted to presenter role and is getting all controls. You can
change this property either through dev console by logging into
your room or programmatically in your application by
changing RoomSettings.



LoginDialog.mxml actually has code that sets autopromote=true
and so you are seeing full control when you are going in as guest
since you are getting promoted to presenter role.



Thanks

Hironmay Basu

Level 3
Perfect! Thanks for clearing that up. There's a lot to learn
with Cocomo, that's for sure!



I'm really impressed with what I've seen thus far.