Greenlight: Current Greenlight options allow unauthenticated users to host their own meetings

Created on 29 Mar 2020  路  5Comments  路  Source: bigbluebutton/greenlight

The Room Setting - "Allow any user to start this meeting" is a useful feature for allowing early joiners to automatically start the meeting.

But if you enable it and have Site Setting - "Require Authentication for Rooms" disabled it means any unauthenticated user can start a meeting of their own just by knowing the meeting URL.

So if you ever invite a unauthenticated user to a meeting where the site+meeting have been configured this way then you have left it open for them to start up their own meetings, on the same URL, thereafter, eating into whatever BBB resources (cpu & disk space for recordings, etc.) you have.

Whilst this may what you want on something like demo.bigbluebutton.org - where you are demonstrating BBB features, I doubt other BBB sites would want BBB+Greenlight to work this way.

I think you need to change "Allow any user to start this meeting" to "Allow authenticated users to start this meeting" on Room Settings - and don't permit unauthenticated users to start a meeting.

feature request

Most helpful comment

The issue is it can be perceived as security risk or a feature, depending on your use case. Some users want anyone to start the room but don't want everyone to create accounts. In your case it's understandable but in others it's not. I think the correct solution here would be a dropdown with 3 options false, only authenticated, true or something along those lines.

I'm not sure when we'll get around to getting that done as the current situation means getting development work done isn't easy.

If you'd like to hard code it to only allow authenticated users to start the meeting, its a pretty easy change
https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/concerns/joiner.rb#L53
At the end of that line, you can replace room_settings["anyoneCanStart"] with (current_user && room_settings["anyoneCanStart"])

I'll also reopen this and tag it as a feature request so we can keep track for the future

All 5 comments

I agree

This is technically expected behaviour. The issue here is trying to avoid an insane number of different configuration options, such that setting up your room settings takes forever.

I think its kind of implied if you allow unauthenticated users to join a room and you also allow any user to start a meeting that this would happen. I know of some other users that use Greenlight in this way, so changing it is not currently an option.

If you feel strongly about this, your more than welcome to make the code changes to your own code, I'll be more than happy to point you to the places you need to make the changes

Hi - I have limited time available to investigate this further at the moment. But yes please do add pointers to this Jira on where the changes would need to be made. Even if I cannot tackle this immediately someone else may want to.

I accept you don't want to offer insane number of different configuration options, but personally I think this is a security issue.

It leaves a BBB site open to abuse by anyone who knows the Room URL, not just those unauthenticated users who were originally invited. So anyone can use up the limited resources of a BBB site (cpu and storage) by holding their own meetings.

On the site I manage I have now enabled "Require Authentication for Rooms" for this reason.

The issue is it can be perceived as security risk or a feature, depending on your use case. Some users want anyone to start the room but don't want everyone to create accounts. In your case it's understandable but in others it's not. I think the correct solution here would be a dropdown with 3 options false, only authenticated, true or something along those lines.

I'm not sure when we'll get around to getting that done as the current situation means getting development work done isn't easy.

If you'd like to hard code it to only allow authenticated users to start the meeting, its a pretty easy change
https://github.com/bigbluebutton/greenlight/blob/master/app/controllers/concerns/joiner.rb#L53
At the end of that line, you can replace room_settings["anyoneCanStart"] with (current_user && room_settings["anyoneCanStart"])

I'll also reopen this and tag it as a feature request so we can keep track for the future

Thank you for the code pointer, and for reopening this as a feature request.

I'm happy with my current setup with "Require Authentication for Rooms" enabled. I'm using an uncustomised Greenlight container at present, but I'll investigate generating a custom one, with your mod, when time permits.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

mrkeksi picture mrkeksi  路  5Comments

Sea444 picture Sea444  路  4Comments

bixmatech picture bixmatech  路  3Comments

svoeth picture svoeth  路  5Comments

saihaj picture saihaj  路  3Comments