author | Joas Schilling <coding@schilljs.com> | 2024-05-16 11:37:02 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2024-05-16 11:37:02 +0200 |
commit | cd5cce036edd0a93529e5ab6d0b4c4f22a77229d (patch) | |
tree | ef63218179dd41b6b9efc011fd5beadd20c6f989 | |
parent | f40ece0acd19c7da2303780ebe4fea4fff742b52 (diff) |
fix(recording): Stop broken recording backendbugfix/noid/harden-against-broken-recording-backend
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r-- | lib/Controller/PageController.php | 8 | ||||
-rw-r--r-- | lib/Controller/RecordingController.php | 17 |
2 files changed, 25 insertions, 0 deletions
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index c91c28413..db8a035a2 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -280,6 +280,7 @@ class PageController extends Controller {
 #[NoCSRFRequired]
 #[PublicPage]
 #[BruteForceProtection(action: 'talkRoomToken')]
+ #[BruteForceProtection(action: 'talkRecordingStatus')]
 public function recording(string $token): Response {
 try {
 $room = $this->manager->getRoomByToken($token);
@@ -291,6 +292,13 @@ class PageController extends Controller {
 return $response;
 }
 
+ if ($room->getCallRecording() === Room::RECORDING_NONE) {
+ $response = new NotFoundResponse();
+ $this->logger->debug('Recording "' . ($this->userId ?? 'ANONYMOUS') . '" throttled for accessing "' . $token . '"', ['app' => 'spreed-bfp']);
+ $response->throttle(['token' => $token, 'action' => 'talkRecordingStatus']);
+ return $response;
+ }
+
 if (class_exists(LoadViewer::class)) {
 $this->eventDispatcher->dispatchTyped(new LoadViewer());
 }
diff --git a/lib/Controller/RecordingController.php b/lib/Controller/RecordingController.php
index 91c84d520..334d1f276 100644
--- a/lib/Controller/RecordingController.php
+++ b/lib/Controller/RecordingController.php
@@ -161,6 +161,7 @@ class RecordingController extends AEnvironmentAwareController {
 #[OpenAPI(scope: 'backend-recording')]
 #[PublicPage]
 #[BruteForceProtection(action: 'talkRecordingSecret')]
+ #[BruteForceProtection(action: 'talkRecordingStatus')]
 public function backend(): DataResponse {
 $json = $this->getInputStream();
 if (!$this->validateBackendRequest($json)) {
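Review bot: The new guard in `recording()` (second PageController hunk) rejects only `Room::RECORDING_NONE`, so every other recording state the room can hold still reaches the viewer setup below it. If `Room` also defines a failed or otherwise inactive state, an allowlist of the starting and active states would be the tighter check on this `#[PublicPage]` endpoint. The debug line also concatenates `$token` and `$this->userId` into the message, while the equivalent branch in RecordingController.php logs through a `{token}` placeholder and a context array; using the same form here, e.g. `'Recording "{actor}" throttled for accessing "{token}"'` with both values in the context array, would keep the two log sites consistent. The body of `recording()` continues outside the hunk, so other throttle logs in this file may already follow the concatenated style.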
@@ -218,6 +219,22 @@ class RecordingController extends AEnvironmentAwareController {
 ], Http::STATUS_NOT_FOUND);
 }
 
+ if ($room->getCallRecording() === Room::RECORDING_NONE) {
+ $this->logger->error('Recording backend tried to start recording in room {token}, but it was not requested by a moderator.', [
+ 'token' => $token,
+ 'app' => 'spreed-recording',
+ ]);
+ $response = new DataResponse([
+ 'type' => 'error',
+ 'error' => [
+ 'code' => 'no_such_room',
+ 'message' => 'Room not found.',
+ ],
+ ], Http::STATUS_NOT_FOUND);
+ $response->throttle(['action' => 'talkRecordingStatus']);
+ return $response;
+ }
+
 try {
 $participant = $this->participantService->getParticipantByActor($room, $actor['type'], $actor['id']);
 } catch (ParticipantNotFoundException $e) {
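Review bot: The `throttle()` call in the new `RECORDING_NONE` branch records only `['action' => 'talkRecordingStatus']`, whereas the matching branch in PageController.php also stores the room token. Writing it as `$response->throttle(['token' => $token, 'action' => 'talkRecordingStatus']);` would let an admin reviewing brute-force attempts see which room the backend tried to start recording in. This branch presumably runs only after `validateBackendRequest()` has accepted the shared secret, so the party being slowed down is the configured recording server itself. A one-line comment stating that this is intended, such as `// Deliberately throttles an authenticated backend: it must not start recordings no moderator requested`, would save the next reader from treating it as a mistake. The enclosing method starts and ends outside the hunk.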