Private apps and share with users

sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.

https://sandstorm.io

Other

6.72k stars 705 forks source link

Private apps and share with users #285

Closed casdr closed 9 years ago

casdr commented 9 years ago

Hi,

I'm really enjoying Sandstorm, but here are 2 things I'm missing:

I found that every grain is publicly reachable (as anonymous user), I would like an option to disable this.
It would be really handful to add an option that you can choose users to share an app with and that that app will also be in the list for that user.

Thanks!

ocdtrekkie commented 9 years ago

Definitely both things I am waiting for as well. They're big items on my personal Sandstorm wishlist. (I actually made one.)

Right now, sharing the URL is the only way to share a link, because the "Powerbox" feature isn't implemented yet. While an anonymous user can access the grains with a link, it's generally quite hard for someone to get that link unless you intentionally share it with someone. That functionality should be overhauled a bit I assume when the Powerbox is developed, so you can set whether or not guests can access it with a link or what-have-you.

paulproteus commented 9 years ago

Hi @itscassa and @ocdtrekkie --

Thanks for filing this bug! We are working on it, and I expect we'll have more to say in a month or so. One thing I want to do is publish more of a roadmap so people know what to expect.

As a clarification (as I understand it), the Powerbox is more about sharing a resource with an app, whereas app sharing is about permissions along the lines of what @itscassa said in the first comment here.

I think that some grains are available only if you are logged-in as a user that should have access -- I think WordPress is a good example of this -- but in general, the lack of consistency in sharing is a real pain, and is something we want to expose with great clarity and allow people to control.

kentonv commented 9 years ago

To be clear, grains are not "publicly reachable", because the URL is unguessable. The only way someone could get it is if you sent it to them. But, yes, we are working on a more sophisticated sharing model where you will be able to specify that only a specific set of authenticated identities are able to see a grain.

kentonv commented 9 years ago

As of build 0.74, thanks to @dwrensha, sharing is now accomplished by explicitly clicking the "share" button. On new grains (and old grains that you upgrade to the new model), the grain URL itself will no longer be accessible to other users unless you first create a sharing link and send it to them.

In the same change, we've added a "Shared with me" tab to the grain list, so now you can easily get back to the grains people sent you in the past (only applies if the new sharing mechanism was used).

Therefore, I declare this issue fixed! :) But we still have a lot more work to do on sharing.