nextcloud / terms_of_service

📜 Requires users to accept the terms of service before accessing data.
https://apps.nextcloud.com/apps/terms_of_service
GNU Affero General Public License v3.0

ToS on direct editing #771

Open LinneyS opened 1 year ago

LinneyS commented 1 year ago

Depending on the issue: ONLYOFFICE/onlyoffice-nextcloud#735

May need to allow /directEditing/open request

Hi @juliushaertl. Can you confirm the problem with direct editing?

nickvergessen commented 1 year ago

similar to https://github.com/nextcloud/terms_of_service/pull/765 I guess?

Is an IP list known for OnlyOffice in a similar way?

LinneyS commented 1 year ago

No, ONLYOFFICE does not work by WOPI protocol. Problems with saving with ToS app were not found.

Needs a fix to work with direct editing

juliushaertl commented 1 year ago

@nickvergessen What is the general approach of ToS in regards to clients? Maybe we can assume that the ToS are already signed during the account setup for the desktop and mobile clients and could just allow direct editing with the specific app token?

nickvergessen commented 1 year ago

> ONLYOFFICE does not work by WOPI protocol

I got that, but basically we need to whitelist the direct editing endpoint like we did the WOPI, but ONLY for requests from the OnlyOffice connection, in case that does not come with user information.

> What is the general approach of ToS in regards to clients?

It does not care about the way of interaction. It adds a storage/cache wrapper that removes read, create, update and delete permissions.

> Maybe we can assume that the ToS are already signed during the account setup for the desktop and mobile clients and could just allow direct editing with the specific app token?

We exclude skeleton setup, login, login flow and registration: https://github.com/nextcloud/terms_of_service/blob/b1f6a4b27096b250848d4b219ee3c856dc7ff78d/lib/Filesystem/Helper.php#L62-L83

juliushaertl commented 1 year ago

I haven't dived into debugging this, but looking at the original issue it seems that on the direct editing page the request that JavaScript performs to the config endpoint fails.

This could be explained as the user is not logged in, so when the file is accessed terms_of_services does not see the already signed terms.

One idea for a fix (but untested) would be to set the current user session to the user id from the direct editing token in https://github.com/ONLYOFFICE/onlyoffice-nextcloud/blob/504884f16ce2b66e45a66579aa3cdf0fd0197330/controller/editorapicontroller.php#L262 before the file system is set up by getting the file.

You could try doing that through https://github.com/nextcloud/server/blob/215aef3cbdc1963be1bb6bca5218ee0a4b7f1665/lib/public/IUserSession.php#LL64
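
A minimal model of the behaviour discussed in this thread, added here as an illustration; it is not code from terms_of_service, the ONLYOFFICE connector or Nextcloud server. The function names, tokens and user ids are hypothetical and constructed; only the permission bit values match Nextcloud's `OCP\Constants`. It shows why a request without a session user loses read access even though the token's owner signed the terms, and that resolving the token to its user still blocks users who have not signed.

```php
<?php
declare(strict_types=1);

// Permission bits with the same values as Nextcloud's OCP\Constants.
const PERM_READ = 1;
const PERM_UPDATE = 2;
const PERM_CREATE = 4;
const PERM_DELETE = 8;
const PERM_SHARE = 16;
const PERM_ALL = 31;

// Constructed sample data: who accepted the terms, and which direct editing
// token belongs to which user (both hypothetical).
const SIGNED_USERS = ['alice'];
const DIRECT_TOKENS = ['tok-alice' => 'alice', 'tok-bob' => 'bob'];

/** Model of the wrapper: strip read/create/update/delete unless the user signed. */
function maskPermissions(int $perms, ?string $userId): int {
    if ($userId !== null && in_array($userId, SIGNED_USERS, true)) {
        return $perms;
    }
    return $perms & ~(PERM_READ | PERM_UPDATE | PERM_CREATE | PERM_DELETE);
}

/**
 * Model of a direct editing request. With $resolveTokenUser the user behind the
 * token becomes the session user before permissions are computed.
 */
function directEditingPermissions(string $token, bool $resolveTokenUser): int {
    $sessionUser = null; // the editor page request carries no login session
    if ($resolveTokenUser) {
        $sessionUser = DIRECT_TOKENS[$token] ?? null;
    }
    return maskPermissions(PERM_ALL, $sessionUser);
}

$cases = [
    'no session user (reported failure)' => ['tok-alice', false],
    'token user set, terms signed'       => ['tok-alice', true],
    'token user set, terms not signed'   => ['tok-bob', true],
    'unknown token'                      => ['tok-none', true],
];
foreach ($cases as $label => [$token, $resolve]) {
    $perms = directEditingPermissions($token, $resolve);
    printf("%-36s perms=%2d readable=%s\n", $label, $perms,
        ($perms & PERM_READ) ? 'yes' : 'no');
}
```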