owncloud-archive / documents

ownCloud Documents is collaborative editing of rich-text documents.
http://owncloud.org/

Publicly shared documents have blank user avatars (401) #544

Open sndrr opened 9 years ago

sndrr commented 9 years ago

Steps to reproduce

  1. Open a document and share it with a public user
  2. Open this document in a private window as a public user
  3. You get the document, but the avatars of the users are blank. There's a 401 for getting the avatar. Even if the sharing user has set a profile picture.

Expected behaviour

A view like this (right of screen): oc_doc_owner

This is the HTML of the orange admin avatar:

<span style="height: 60px; width: 60px; border-color: rgb(153, 91, 15); background-color: rgb(246, 174, 85); color: rgb(255, 255, 255); font-weight: normal; text-align: center; line-height: 60px; font-size: 33px;">A</span>

This works the way it should for known (registered) oC users.

Actual behaviour

A view with blank avatars (right of screen): oc_shared

This is the HTML of the guest avatar:

<span style="height: 60px; width: 60px; border-color: rgb(15, 22, 153);"></span>

It's missing background-color: rgb(246, 174, 85); color: rgb(255, 255, 255); font-weight: normal; text-align: center; line-height: 60px; font-size: 33px; in the style, and an identifier before the </span> if no profile picture is set. It gets a 401 on the avatar, see the browser log below.

Server configuration

Operating system: Debian 8 (Jessie)

Web server: Server Version: Apache/2.4.10 (Debian) Phusion_Passenger/4.0.53 OpenSSL/1.0.1k Server MPM: prefork

Database: mysql Ver 14.14 Distrib 5.5.44, for debian-linux-gnu (x86_64) using readline 6.3

PHP version: PHP 5.6.12-0+deb8u1

ownCloud version: (see ownCloud admin page) sudo -u www-data php occ status

 - installed: true
 - version: 8.1.1.3
 - versionstring: 8.1.1
 - edition:

Updated from an older ownCloud or fresh install: update from 8.0 to 8.1.1.3

List of activated apps: Only relevant app here is documents, so I included that.

 - documents: 0.10.2

Browser log

GET XHR https://owncloud.server/index.php/avatar/Guest%202/60?requesttoken=HoSGCgbyHoI4LO1tp3OQzvM8p8E32h [HTTP/1.1 401 Unauthorized 339ms]

VicDeo commented 9 years ago

Security thing ;)

sndrr commented 9 years ago

So, does that mean it will not be fixed anytime soon?

VicDeo commented 9 years ago

@sndrr not sure about soon. Looking for a way to cheat recent security changes in core is not top priority imho. Documents is not the only app I maintain.

sndrr commented 9 years ago

@VicDeo I understand. Maybe I'll look into it myself. I suppose pull requests are welcome. :)

By the way, maybe somewhat related. Public users also don't see registered users 'leave' when they close the document. They can see other public users leave, but not the registered ones. Should I create a new ticket for this?