szabodanika / microbin

A secure, configurable file-sharing and URL shortening web app written in Rust.
https://microbin.eu
BSD 3-Clause "New" or "Revised" License

Anyone can edit/delete pastes even though MICROBIN_PASSWORD is set and EDITABLE is false #269

Open fcpwiz opened 3 months ago

fcpwiz commented 3 months ago

Title says it all! Only people with the password can submit pastes, but anyone with the URL can edit and delete it without needing a password. What am I missing here?

skyrocknroll commented 1 month ago

Facing the same issue

Danie10 commented 2 weeks ago

I tested the public instance with a read-only code snippet which I set a password for. Although I see an edit button, if I don't enter a password, it does not save any changes. Same happened when I tried to remove the code snippet without a password. So it looked to me like it is working as intended?

That said, I tried hosting it myself and could edit, but not delete (does not accept password) - see another issue open for that. Wish I could see the config for the public test instance as it seemed to work OK.

If it helps, these are the relevant envs I finally found to work (some variable descriptions make little sense):

```sh
export MICROBIN_EDITABLE=true
export MICROBIN_READONLY=false
export MICROBIN_ENABLE_READONLY=true
export MICROBIN_NO_FILE_UPLOAD=false
export MICROBIN_UPLOADER_PASSWORD=ISetOneHere
```