Allow public page access to apps with group restrictions on #5309
Comments
Did you find a solution? I'm looking for a way to allow public pages to my apps (PhoneTrack and GpxPod) when there are group restrictions...
There is a duplicate of this issue: #6962
…xception for app public pages Signed-off-by: Julien Veyssier <[email protected]>
…loud#6962, refs nextcloud#5309 It allows non-logged user to access public pages of applications restricted to a group Signed-off-by: Julien Veyssier <[email protected]>
#8593 partially fixes the problem: the routing system is still redirecting users who are not in any authorized group when they try to access public pages of restricted apps. I'll try to find where to fix that.
I suppose this issue is still valid? If not, please close this issue!
This issue is still valid.
Currently, when group restrictions are on, it is not possible to have a controller method declared as a public page because the security middleware checks if the app is enabled for the user unconditionally.
See: https://github.com/nextcloud/server/blob/master/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php#L188
When group restrictions are disabled, though, \OC_App::isEnabled($this->appName) returns true, making it possible to access a public controller method.
However, an app might need to make a method public even when group restrictions are on. My use case is nextcloud/richdocuments, where the document editing service needs to download the document from Nextcloud to be able to edit it. Since it has no user context, it downloads the file (and does some other stuff too) via a public controller method, which fails when group restrictions are on.
I think we may need to introduce a new annotation here and then guard the security middleware method there with it.
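The check described in this issue and the proposed annotation guard, as an added example that is not part of the original issue and is not Nextcloud code: a simplified, self-contained PHP model in which `AppState`, `mayDispatch` and the `IgnoreGroupRestriction` marker are hypothetical names. It keeps the exemption opt-in per controller method and still refuses to dispatch when the app itself is disabled.

```php
<?php
declare(strict_types=1);
// Simplified model of the check discussed in this issue. Not Nextcloud code:
// AppState, mayDispatch and IgnoreGroupRestriction are hypothetical names.

final class AppState
{
    /** @param string[] $allowedGroups empty array = no group restriction */
    public function __construct(
        public bool $enabled,
        public array $allowedGroups = [],
    ) {}
    /** @param string[]|null $userGroups null = no logged-in user */
    public function isEnabledFor(?array $userGroups): bool
    {
        if (!$this->enabled) {
            return false;
        }
        if ($this->allowedGroups === []) {
            return true; // unrestricted app: enabled for everyone
        }
        return $userGroups !== null
            && array_intersect($this->allowedGroups, $userGroups) !== [];
    }
}

/** @param string[] $annotations annotations found on the controller method */
function mayDispatch(AppState $app, ?array $userGroups, array $annotations, bool $honourExemption): bool
{
    $isPublic = in_array('PublicPage', $annotations, true);
    if (!$isPublic && $userGroups === null) {
        return false; // non-public methods still need a logged-in user
    }
    // Hypothetical opt-in marker; the issue only asks for "a new annotation".
    $exempt = $honourExemption && $isPublic
        && in_array('IgnoreGroupRestriction', $annotations, true);
    if ($exempt) {
        return $app->enabled; // a disabled app stays unreachable
    }
    return $app->isEnabledFor($userGroups); // the unconditional per-user check
}

// Constructed cases: app restricted to group "editors", anonymous caller (null).
$app = new AppState(true, ['editors']);
$both = ['PublicPage', 'IgnoreGroupRestriction'];
var_dump(mayDispatch($app, null, ['PublicPage'], false)); // behaviour reported here
var_dump(mayDispatch($app, null, $both, true));           // method opted in
var_dump(mayDispatch($app, null, ['PublicPage'], true));  // no opt-in
var_dump(mayDispatch(new AppState(false, ['editors']), null, $both, true)); // app off
```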