api: update for review changes

DE-IBH · Jun 16, 2024 · cfbc3a8 · cfbc3a8
1 parent d6160ed
commit cfbc3a8
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,11 @@
 # ChangeLog
 
-## 3.2.4 - 2024-06-15
+## 3.2.4 - 2024-06-16
 
 Fixes:
-- fix bug in getRecordings endpoint
+- fix **security** bug in getRecordings endpoint
+
+This release fixes a security bug that allowed authenticated api requests to manage recordings of any tenants and their secrets.
 
 ## 3.2.3 - 2024-05-28
 
@@ -21,7 +23,7 @@ Fixes:
 
 Changes:
 - adjust to BBB 2.7.8 API changes 
-  - forbid POST request for `join` endpoint ()
+  - forbid POST request for `join` endpoint
   - adjustments for POST headers are already handled
 - meeting name check:
   - add check for meeting name length for faster response without sending a request to backend systems

diff --git a/b3lb/rest/classes/api.py b/b3lb/rest/classes/api.py
@@ -346,10 +346,11 @@ def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> Que
             except ValueError:
                 return Record.objects.none()  # return empty QuerySet for BadRequest
 
-        if meeting_id and 2 <= len(self.meeting_id) <= cst.MEETING_ID_LENGTH:
-            query &= Q(record_set__meta_meeting_id=meeting_id)
-        elif meeting_id:
-            return Record.objects.none()  # return empty QuerySet for BadRequest
+        if meeting_id:
+            if 2 <= len(meeting_id) <= cst.MEETING_ID_LENGTH:
+                query &= Q(record_set__meta_meeting_id=meeting_id)
+            else:
+                return Record.objects.none()  # return empty QuerySet for BadRequest
 
         if self.state == "published":
             query &= Q(published=True)