julien-nc / cospend-nc

💰 💲hared budget manager Nextcloud app
GNU Affero General Public License v3.0

Assign Password Directly to Public Link #9

Open simonspa opened 4 years ago

simonspa commented 4 years ago

The current feature of setting a password for the project does not seem to have an effect when shared to other NC users; they can still access the project without entering the password. This makes sense to me. This leaves the password for the public link if I'm not mistaken.

You could think about simplifying the settings such that the password is directly configured for the public link as it's done for file sharing:

image

Or am I missing out on a feature here?

julien-nc commented 4 years ago

Well this is a bit messy... Here is the reason. First there only was one public link (password protected). Let's call it "type 1" :wink:. This link was the conceptual equivalent of the IHateMoney access in which there are no "users" and everybody uses the same password. This was initially how MoneyBuster was accessing Cospend.

Then I added the ability to generate as many public links as you want (with different permissions). Let's call this type 2 :grin:. Those public links are not password protected.

So maybe the interface needs to be clearer about those 2 link types.

About adding a password to a type 2 link... As there's a token in the link, it's almost like a password which is included in the link. If you don't give the link, you don't give the token. I mean, I don't see the point of adding a password protection to those type 2 links.

simonspa commented 4 years ago

Okay, I understand that now - but isn't "type 1" just a "type 2 with password and write permissions"?

I'm just trying to think about a possibility to simplify and streamline this a bit. It's a bit the same problem that was talked about at the last NC Conf, that "sharing needs to be usable by everyone".

julien-nc commented 4 years ago

Yeah I agree. Problem is I can't remove the type 1 which is used by MoneyBuster and type 2 is much better.

What could be done is to inform that type 1 is "old and just there to let old MoneyBuster connect" and push type 2 as the "good" way to share.

You make me remember the "link comment" is great when sharing files, I'll implement it in Cospend too.

simonspa commented 4 years ago

The way MoneyBuster should be connected is to use the QR-code, right? So that's the only place where the type-1 link is really required. How about generating an app token automatically for the MB link, without involving the user, and only exposing the type-2 links via the interface?

julien-nc commented 3 years ago

Hello there!

Share links can now be protected with a password. This change had a big impact on how the API can be accessed.

These API changes allow MoneyBuster to connect to a project with a share link! I didn't make any test for now but it should work. Once I have made some test, I'll let users create a QRCode for each share link.

There is still a little downside to this change: when putting parameters in the path (not as a GET, POST... param), NC routing considers the parameter as missing if it's empty. For example, this route

['name' => 'page#apiGetProjectInfo', 'url' => '/api/projects/{projectid}/{password}', 'verb' => 'GET'],

produces an error if it's accessed with https://blabla.org/index.php/apps/cospend/api/projects/myproj/ because it considers there is no password. The web UI always puts a password but it's a dirty trick. I'll think about how to solve that without making too many changes to the API.

So now, if you visit a share link with your browser, either:

Share link password management looks like in the Files app.

It would be awesome if you could give it a try. It's available in the latest nightly: v1.3.16-1-nightly.

julien-nc commented 3 years ago

Accessing a Cospend project via a share link token (and optionally a password) works like a charm. Let's slowly get rid of the public access (type 1).

Recent changes:

Everything is included in v1.3.16-3-nightly.

I think it's better to keep the ability to set the public access password and copy the related link for now.

mrclschstr commented 2 years ago

It seems that you cannot get the project name from the backend with those type 2 share links any more (see: https://github.com/mayflower/PayForMe/issues/49).

Is there a possibility to find a common solution?

julien-nc commented 2 years ago

There is a confusion between project ID and project name, isn't it? Yes, clients can confuse the project ID with the share token because it's in the same place in the share links. But that's not the project name.

There is an API endpoint to get the project name (and all project information). It works whether you're using a share link or an old password-protected access. GET https://myserver.com/index.php/apps/cospend/api/projects/MY_PROJECT_ID/PASSWORD or GET https://myserver.com/index.php/apps/cospend/api/projects/SHARE_TOKEN/PASSWORD (where the password can be anything if there is no password set for this shared access).
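An added example, not code from Cospend, MoneyBuster or PayForMe: a client-side helper that builds the project-info URL from the comment above for either a project ID or a share token, never emits the empty password segment that the routing comment earlier in the thread describes as failing, and masks the password before the URL is logged. The function names and the `NO_PASSWORD_FILLER` value are assumptions made for this example.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Route from the thread: /api/projects/{projectid}/{password}
API_PREFIX = "/index.php/apps/cospend/api/projects"
# Assumption: any non-empty filler works when the share has no password
# (the thread says the password "can be anything" in that case).
NO_PASSWORD_FILLER = "no-password"


def project_info_url(server, project_id_or_token, password=None):
    """Build the GET URL for project info via project ID or share token."""
    if not project_id_or_token:
        raise ValueError("project ID or share token is required")
    # An empty trailing segment is treated as a missing parameter by the
    # router, so never emit ".../projects/<id>/".
    secret = password if password else NO_PASSWORD_FILLER
    # safe="" also encodes "/", "?" and "#", so a password cannot add path
    # segments or start a query string.
    segments = [quote(project_id_or_token, safe=""), quote(secret, safe="")]
    return server.rstrip("/") + API_PREFIX + "/" + "/".join(segments)


def redact_password(url):
    """Return the URL with the password segment masked, for logging."""
    parts = urlsplit(url)
    head, sep, _secret = parts.path.rpartition("/")
    return urlunsplit((parts.scheme, parts.netloc, head + sep + "***", "", ""))


if __name__ == "__main__":
    # Constructed sample values, not real tokens or passwords.
    for pw in (None, "", "s3cr/et?x"):
        url = project_info_url("https://myserver.com", "SHARE_TOKEN", pw)
        print(redact_password(url))
```

Whether the server accepts a percent-encoded slash inside the password segment is not covered in the thread.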