App link grants moderator rights to anyone

[normen]

Hi,

it seems that the internal link to the conference grants moderator rights to users that are not even logged into NextCloud. Is this intended behavior? Given that there is no JWT token in the URL it seems that this lowers the security for moderator connections? An additional issue is that anyone knowing about this can "upgrade" their internal User link to a Moderator link..

The internal links from Jitsi yield user rights, which is what IMO the links from the Nextcloud-Jitsi plugin should do as well..?

NextCloud Link (No Token!)
https://<my-cloud.com>/apps/jitsi/rooms/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RoomName
-> Moderator rights (No NextCloud login needed!)

Jitsi Link (No Token)
https://<my-jitsi.com>/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-> User rights

Jitsi Link + Token
https://<my-jitsi.com>/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX?jwt=XXXXXXXXXXXXXX..
-> Moderator rights

Thanks for this plugin & the attention!

Edit: Note that I have "guest" access enabled in Jitsi via JWT_ALLOW_EMPTY=1 and ENABLE_GUESTS=1 to allow user level access.

Edit2: Running on NextCloud 24, PHP-FPM Docker version

[luminous706]

I'm also struggling with this, anybody can kick everyone out and take over the room, is there a way to share the meeting URL without granting moderator rights?

[normen]

You can use the URL that Jitsi itself gives you (in the meeting), that one doesn't have mod rights. But as I said, if the user knows about this they can elevate their rights by changing the URL.

[weeman1337]

it seems that the internal link to the conference grants moderator rights to users that are not even logged into NextCloud. Is this intended behavior?

Currently, this is the expected behaviour. Sharing rooms and permission management are planned for future releases. But this may still take a while.

[normen]

Thanks for the answer. In the absence of actual user management it would be nice to at least use a different uuid for the Nextcloud chat URL so that one can use the actual Jitsi URL as a user URL without the danger of somebody elevating their rights by changing the URL prefix.

[ramack]

Do you have any plans for a release with permission management?
(even though it would be very cool, I don't want to put pressure, mainly I want to ask to decide if I want to use it in production right now or not.)