From abeb14087466943317ecdf910d742ab89fae0b94 Mon Sep 17 00:00:00 2001
From: Paul Trudel
Date: Tue, 7 May 2024 20:34:20 +0000
Subject: [PATCH] Restrict supported HTTP method types on endpoints

---
 .../org/bigbluebutton/web/UrlMappings.groovy | 40 +++++++++++++++++++
 .../web/controllers/ApiController.groovy | 3 +-
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/UrlMappings.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/UrlMappings.groovy
index 2a6aab198c..ad8c713978 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/UrlMappings.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/UrlMappings.groovy
@@ -63,10 +63,26 @@ class UrlMappings {
 action = [GET: 'downloadFile']
 }
 
+ "/bigbluebutton/api/create"(controller: "api") {
+ action = [GET: 'create', POST: 'create']
+ }
+
 "/bigbluebutton/api/join"(controller: "api") {
 action = [GET: 'join']
 }
 
+ "/bigbluebutton/api/isMeetingRunning"(controller: "api") {
+ action = [GET: 'isMeetingRunning', POST: 'isMeetingRunning']
+ }
+
+ "/bigbluebutton/api/end"(controller: "api") {
+ action = [GET: 'end', POST: 'end']
+ }
+
+ "/bigbluebutton/api/getMeetingInfo"(controller: "api") {
+ action = [GET: 'getMeetingInfo', POST: 'getMeetingInfo']
+ }
+
 "/bigbluebutton/api/getMeetings"(controller: "api") {
 action = [GET: 'getMeetingsHandler', POST: 'getMeetingsHandler']
 }
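Review bot: Several of the newly mapped actions appear to change state yet still accept GET: `create` and `end` in this hunk, and `signOut` and `insertDocument` in the second UrlMappings hunk. GET requests are recorded in proxy and access logs, browser history and Referer headers, and can be issued by cross-site navigation, so wherever API clients do not rely on GET (not visible here) these actions are safer as POST only, e.g. `action = [POST: 'insertDocument']`. If GET has to stay for compatibility, a short comment above those blocks, such as `// GET kept for existing API clients; the request is still checksum-validated in ApiController`, would stop the map from being read as an oversight; whether that validation covers every action is not shown in this patch.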
@@ -75,6 +91,30 @@ class UrlMappings {
 action = [GET: 'getSessionsHandler', POST: 'getSessionsHandler']
 }
 
+ "/bigbluebutton/api/enter"(controller: "api") {
+ action = [GET: 'enter', POST: 'enter']
+ }
+
+ "/bigbluebutton/api/stuns"(controller: "api") {
+ action = [GET: 'stuns', POST: 'stuns']
+ }
+
+ "/bigbluebutton/api/signOut"(controller: "api") {
+ action = [GET: 'signOut', POST: 'signOut']
+ }
+
+ "/bigbluebutton/api/insertDocument"(controller: "api") {
+ action = [GET: 'insertDocument', POST: 'insertDocument']
+ }
+
+ "/bigbluebutton/api/getJoinUrl"(controller: "api") {
+ action = [GET: 'getJoinUrl', POST: 'getJoinUrl']
+ }
+
+ "/bigbluebutton/api/learningDashboard"(controller: "api") {
+ action = [GET: 'learningDashboard', POST: 'learningDashboard']
+ }
+
 "/bigbluebutton/api/getRecordings"(controller: "recording") {
 action = [GET: 'getRecordingsHandler', POST: 'getRecordingsHandler']
 }
diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
index 42af6e3e5e..2d4a665e53 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -643,7 +643,8 @@ class ApiController {
 return
 }
 
- Meeting meeting = ServiceUtils.findMeetingFromMeetingID(params.meetingID);
+ String meetingId = params.list("meetingID")[0]
+ Meeting meeting = ServiceUtils.findMeetingFromMeetingID(meetingId);
 
 withFormat {
 xml {
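Review bot: Nothing in the added mappings records that the per-endpoint method map is the access control, so a later api action can be added without an entry and nobody will notice. I would put a comment above the first added block, `// Only the HTTP methods listed here reach the controller; every new api action needs its own entry.` It is also worth confirming that no generic mapping elsewhere in UrlMappings (outside this hunk) still routes these paths for other methods. A test asserting that an unlisted method such as PUT is rejected on one of these paths would pin the behaviour.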
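Review bot: The switch to `params.list("meetingID")[0]` carries no comment saying why the first value is taken, and the choice only helps if the validation earlier in this action (outside the hunk) checks that same value. Suggested comment: `// Use the first meetingID value so duplicate parameters cannot make the lookup differ from the value that was validated.` As far as I know an empty list indexed with `[0]` yields null in Groovy rather than throwing, so a missing parameter reaches `findMeetingFromMeetingID` as null unless the check above has already returned. Other actions in ApiController that still read `params.meetingID` directly are not visible here and may need the same treatment, ideally through one shared helper. The enclosing action starts and ends outside the hunk.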