bargate-project / bargate

an open source web interface to SMB file servers: dead project
http://bargate.io
17 stars 10 forks source link

Make shareable links for anonymous file access via specific url #104

Open MurzNN opened 6 years ago

MurzNN commented 6 years ago

At now all users must authorize to access files. Will be good to have feature for generate shareable link for anonymous access to file, something like https://example.com/share/browse/path/to/file.jpg?access_token=asdas38sjdasidhsaidyasdas

Is this possible via current infrastructure?

divad commented 6 years ago

It would be possible if the underlying share (smb share) allowed anonymous (guest) access. If not then bargate would have to authenticate. A sharing token approach would be excellent of course, but it would require bargate storing/keeping the user's password in a database and then using that to authenticate each time. Although this is possible, its not at all a good idea security wise.

So are you asking for a sharing link system for access to a file within an smb share which requires authentication, or for a sharing link system for access to a file within an smb share which allows guest/anon access?

MurzNN commented 6 years ago

I ask sharing link system for access to a file within an smb share which requires authentication, so bargate must storing/keeping the user's password (maybe only hash or access token?) in his own database.

Most of cloud based file storages provide this functional for genereate anonymous share link to specific file, without giving full anonymous access to whole folder&share. So users of our company wants same functional in web access to samba shares, for easy show some file to clients.

divad commented 6 years ago

I understand :)

I'm very reluctant to add this sort of feature though because as we've discussed it requires bargate to store a user's password. This is not very secure, and would break if the user changed their password. Sadly, the only other SMB authentication method is kerberos, and that totally precludes working in this manner.

The only other approach bargate could use, and something I did consider for a long time, is copying the file (when a user shares it) to a 'shared' space somewhere on the server bargate is installed on (which does not require authentication). However, I doubt this would work for you as once copied, changes on the original file server would of course not be reflected in the shared file.

Basically there isn't an easy workaround for this. The only thing I can think of is to have a bit of software running on the file server itself which does have permission to access the files, but thats a big undertaking, and at that point there are other better solutions (probably).

MurzNN commented 6 years ago

Maybe good way can be via using some fixed user for sharing? So pre-define in bargate config some user credentials (username shareuser and plaintext password), and provide access to files for shared links via this user? This will not need to store password in database (we write it only in config file) and can be easily updated on change.

divad commented 6 years ago

OOI, What is the file server underneath, the SMB server? Samba on Linux? Windows? NetApp?

MurzNN commented 6 years ago

Our company use Samba on Linux, but if bargate use SMB protocol for access to files - there are no difference which type of SMB server is at backend.

MurzNN commented 6 years ago

There can be a workaround via creating custom script, that provide direct access to files without credentials via specific url, and some plugin for bargate to generate those links. But much better if this will work in bargate out-of-the-box.