[asterisk-dev] [Code Review] 3969: Manager: FullyBooted events are sent to AMI users that log in even if they don't have system level read permission.

Matt Jordan reviewboard at asterisk.org
Tue Sep 2 17:57:27 CDT 2014 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/3969/#review13214
-----------------------------------------------------------



/branches/1.8/main/manager.c
<https://reviewboard.asterisk.org/r/3969/#comment23700>

    Close. You should actually use both. See the equivalent code in process_events:
    
    			    (s->session->readperm & eqe->category) == eqe->category &&
    			    (s->session->send_events & eqe->category) == eqe->category)
    
    The send_events filter are those permissions that have been dynamically modified via the "Events" header during authentication. If a user's session starts out with SYSTEM - but then they authenticate and deliberately remove it - we don't want to send the FullyBooted event to them.
    
    


- Matt Jordan


On Sept. 2, 2014, 5:36 p.m., Jonathan Rose wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/3969/
> -----------------------------------------------------------
> 
> (Updated Sept. 2, 2014, 5:36 p.m.)
> 
> 
> Review request for Asterisk Developers and Matt Jordan.
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Apparently instead of using the readperm mask, it was using the send_events mask... which is somewhat weird.  It's initialized to -1 (which will return true when used with bitwise and on EVENT_FLAG_SYSTEM) and this is where the odd behavior came from.
> 
> I think this was just a mistake and switching to the readperm mask appears to have fixed it.
> 
> 
> Diffs
> -----
> 
>   /branches/1.8/main/manager.c 422543 
> 
> Diff: https://reviewboard.asterisk.org/r/3969/diff/
> 
> 
> Testing
> -------
> 
> Ran through the login process with and without the system read permission.  With it, I got the FullyBootted event. Without it, I did not.
> 
> 
> Thanks,
> 
> Jonathan Rose
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20140902/ea58ea1e/attachment.html>

More information about the asterisk-dev mailing list