abort infinite upload for guest users without storage #4138
Comments
nickvergessen
added
1. to develop
feature: upload & shares & voice 📤🎙️
|
ok, I was confused about the term "guest". so this is not a conversation accessed by public link but as user from the guest app |
|
I just tried it locally and can confirm the error. So what we could do is have an initial Webdav call to the configured attachment folder (see my note in #3343 (comment) about allowing to configure it, will default to "/" for now), and if that one is writable (and has space left, more than 0), then enable all the upload operations. |
|
with Webdav I was mostly thinking about frontend only. maybe there's also a way to bundle that information through any of the other calls that might come from the Talk API Tasks:
|
nickvergessen
modified the milestones:
v10.0.4,
💛 Next Patch (20),
💚 Next Major (21),
11.0.0-alpha.2,
💚 Next Alpha (21)
|
I thought about a simpler approach: detect the guest user in the capabilities manager and return "attachments.allowed = false" in case of a guest user. But then it came to my mind that while a guest app user cannot upload into their "/Talk" folder, they could always reconfigure the attachment folder to point at a writable received share. A friendly user could share some of their personal space for them to be able to post attachments. Due to the latter condition, the capabilities approach is not suitable. So as stated before, will need it to PROPFIND the attachment folder to check for available quota. |
|
While locally testing the capabilities approach I discovered that the frontend isn't reading it, so I fixed it here #5033 |
|
So it seems the webdav library we use is not flexible enough:
The only solution (besides fixing it upstream) would be to build the XML query locally in Talk just to query the quota. Maybe for now I just query for the root and add a TODO for later... |
Just check the quota on php side in TInitialState? |
I thought of this as well but then it won't update if the user changes the attachments folder to one with a bigger quota. Would require a page refresh. If we consider this a corner case anyway I guess that will do for now. |
Return the quota on the API that changes the folder and update accordingly? |
Returning the quota on a setter. Didn't feel right. |
|
it seems selecting a received shared for attachments is forbidden: https://github.com/nextcloud/spreed/blob/master/lib/Controller/SettingsController.php#L106 So the use case of "a generous other user giving some storage for guests" is not fulfillable. I'm not sure if we should allow that or not. At least it would open up the possibility for guest users to post attachments in chats. |
|
using shared folders for attachments (or group folders) would likely lead to collisions/duplications if all users are using the same... so probably wise to prevent it I guess |
|
I hacked the code to allow me to upload attachments to shared folders but some other parts of the sharing code disallows this for guests "Access to this resource is forbidden for guests.". Smells like a can of worms. Abandoning this idea for now. I'll push what I have for the quota check, which will fulfil the requirement of "removing the upload button in case the quota/free space is 0" |
|
PR here: #5036 |
Steps to reproduce
Expected behaviour
The picture should be shown to everybody or alternatively the upload should be cancelled with an error message. Or, even better, the attachment icon should be hidden if no write permission is granted to the guest.
Actual behaviour
An error message is displayed (briefly), but the uploaded picture is also shown in the chat. To the guest it is not obvious that the shared picture is only visible to her/him and why it disappears with a refresh of the page.
Talk app
Talk app version: (see apps admin page:
/index.php/settings/apps) I'm only a guest, but should be the latest and greatest.The text was updated successfully, but these errors were encountered: