[jitsi-dev] New moderators' rights - a bug or intentional?


#1

Hello all,

Forwarding below a report by my colleague. I would appreciate if anyone
can clarify whether this behavior is intentional or whether it is a bug.
If it is intentional, can you please point me to resources that explain
rationale for this change?

thanks

karel

--------------------------------------------------

I discovered some strange behaviour with the new version. It was
common that the first person to come (one who created a room) was
assigned moderator's rights. His picture was also marked with a star
symbol in the interface. This person could (in particular) kick any
other participant out of the chat.

In the newest version this functionality was changed. No more star
symbols and everyone is granted moderator's rights. Any person can
mute/kick out any other person. This is not only silly but also creates
a vulnerability. If a bad guy knows the name of the room (for example,
it was sent by an open channel - by email with no encryption) he can
join the chat and immediately kick other people from there (and spoil
the party). There's nothing you can do in this situation if only you
don't have a real-time secure communication channel with all good guys
(but then you probably don't need Jitsi Meet).

Why I also think it's a bug: one who was kicked out of the chat isn't
redirected to (say) https://meet.jit.si (front page). Instead, he's
told that he was kicked out (pop-up window) and... is left with a chat
room interface and the same room address above. It looks like everyone
else just disappeared and he was left alone in the room. Pretty
strange when you have two computers with the same room name with
cameras/microphones working properly but being unable to see each
other.

I tried different platforms (Windows, Linux and Android) on different
devices with the same result: moderator's rights were granted to
everyone in the chat room.


#2

Hi,

we recently updated that on meet deployment, this is not a bug but
desired behaviour. If you are concerned about privacy and the
participants in the room, you can easily lock the room so only people
with password can join the room.

Regards
damencho

On Wed, Nov 2, 2016 at 4:17 AM, Karel Novotny <novotny.karel@gmail.com> wrote:

Hello all,

Forwarding below a report by my colleague. I would appreciate if anyone
can clarify whether this behavior is intentional or whether it is a bug.
If it is intentional, can you please point me to resources that explain
rationale for this change?

thanks

karel

--------------------------------------------------

I discovered some strange behaviour with the new version. It was
common that the first person to come (one who created a room) was
assigned moderator's rights. His picture was also marked with a star
symbol in the interface. This person could (in particular) kick any
other participant out of the chat.

In the newest version this functionality was changed. No more star
symbols and everyone is granted moderator's rights. Any person can
mute/kick out any other person. This is not only silly but also creates
a vulnerability. If a bad guy knows the name of the room (for example,
it was sent by an open channel - by email with no encryption) he can
join the chat and immediately kick other people from there (and spoil
the party). There's nothing you can do in this situation if only you
don't have a real-time secure communication channel with all good guys
(but then you probably don't need Jitsi Meet).

Why I also think it's a bug: one who was kicked out of the chat isn't
redirected to (say) https://meet.jit.si (front page). Instead, he's
told that he was kicked out (pop-up window) and... is left with a chat
room interface and the same room address above. It looks like everyone
else just disappeared and he was left alone in the room. Pretty
strange when you have two computers with the same room name with
cameras/microphones working properly but being unable to see each
other.

I tried different platforms (Windows, Linux and Android) on different
devices with the same result: moderator's rights were granted to
everyone in the chat room.

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

Unfortunate. Please tell me it will work differently for systems with
authentication?

Ideally authenticated people could/should have moderator rights, but
unauthenticated shouldn't be granted moderator rights.

Cheers,
Ian

On Wed, 2016-11-02 at 12:08 -0500, Damian Minkov wrote:

Hi,

we recently updated that on meet deployment, this is not a bug but
desired behaviour. If you are concerned about privacy and the
participants in the room, you can easily lock the room so only people
with password can join the room.

Regards
damencho
