warn about external storages in guests_app.adoc #1036
Guests have access to external storages, even when the files_external app is not in the whitelist. I could not find anything to limit external storages to non-guest users. IMHO, that would be a sane default. @pako81 Maybe this is a bug and should be fixed, rather than documented? Not sure if this warning should be here or in the section about external storages instead.
This is happening because I remember we discussed this some time ago as we updated the whitelist for the guests app for version 0.12.1. And, if I recall correctly, the decision at that time was to leave external storages apps. I am also not a big fan of letting guests access external storages by default. Note that if we decide to change this, guests will still be able to see the external storage listed but as soon as they click on it an error will be returned: I am open for changes in the current behaviour. @phil-davis @jvillafanez what do you think?
Someone needs to decide what the requirement is, and then sort out the effort required if a change to the current behavior is needed. For example, if a company has some external storage that is available to "all users" then probably the storage contains company-wide documents - maybe policies/procedures/forms etc. And I expect that they would not want or expect that guest users can view such things. So they would want a way to control that. Maybe they can already? Mount the external storage to a group that contains "all staff"?
Should this PR now be continued (review/merge/backport) or is it on hold? For the latter, put it to draft.
Discussed with @hodyroff. Guests should not access external storages normally available for "all" users. We apparently have two options here:
Probably option 1. would already suffice here.
I don't think it is technically possible to provide a more meaningful error message to guests or even the
This is going to be a technical discussion that should be held in core.
Nothing to do for documentation here right now. Needs to be sorted out in a core or enterprise ticket first.
Followup in owncloud/core#40894