Allow ajax requests on public webdav interface #17601
|
@LukasReschke @oparoz what do you think ? |
|
I think it feels strange if core and apps have to use an endpoint located in files_sharing to access public files since it's a completely different URL from the standard one, but at the same time, it makes sense since there is no public page without sharing enabled. Isn't there a lot of code duplication between the private and public endpoints? That would be my only concern. Apart from that this fix should cover most situations, if it works through proxies and firewalls. 👍 |
|
It would indeed be nice to have the same endpoints for private and public. There was an old idea of creating virtual users for public links but I haven't heard of it in a long time. |
|
I think this can't happen as long as there isn't a token decoder in core (as opposed to in an app). |
f79d88b to 8e15043
|
A new inspection was created. |
|
Rebased |
|
We need one more vote: @DeepDiver1975 @Xenopathic @nickvergessen |
I guess it should have some kind of "same origin" check?
Usually I think we can't completely block remote access to existing public shares since people can already access them in the web UI, this is only giving them another view. And this also only applies for cases where people mounted the public shares directly but then the admin decided to disable federation afterwards.
@LukasReschke what do you think ?
@LukasReschke what do you think ?
Acceptable.
Whenever outgoing shares are disabled, still allow ajax requests to make it possible to use the Webdav interface in the public link page. Please note that disabling outgoing shares isn't strong anyway as someone could abuse the ajax endpoints to access files anyway. To properly disable remote sharing, public link sharing must be disabled too.
8e15043 to c8a6fea
@PVince81 Do we want to ship this already with 8.2 and then move the files UI to WebDAV in 9.0 but be able to use this on other (federated cloud sharing) 8.2 instances already properly? cc @nickvergessen @LukasReschke Review please :) |
|
@MorrisJobke if we only care about files UI with Webdav, 9.0 is fine. |
|
👍 |
|
Dammit, I set "to release" too early. Still missing a second thumbs up. |
|
|
I'm also fine with this 👍 |
…abled Allow ajax requests on public webdav interface
Whenever outgoing shares are disabled, still allow ajax requests to make
it possible to use the Webdav interface in the public link page.
Please note that disabling outgoing shares isn't strong anyway as
someone could abuse the ajax endpoints to access files anyway. To
properly disable remote sharing, public link sharing must be disabled
too.
@oparoz that would also fix the text preview, was it still using Webdav ?
This will be required when the files UI uses Webdav.
Please review @LukasReschke @icewind1991 @MorrisJobke @schiesbn @th3fallen