yourcelf / redmine_etherpad

Plugin for embedding etherpads in redmine wikis.

Access rights #2

Open balexis opened 12 years ago

balexis commented 12 years ago

Hi, any thoughts on how to harmonize Redmine access rights to the pads? Say for example that I have a Redmine project Foo that is restricted to only a few users. How can I create a pad on my own server and allow access to this pad only to authorized Redmine users? Since an iframe is directly injected to the Redmine HTML, I see no way to restrict access to the Etherpad server.

Maybe the use of random pad names could do it?

Has anyone given a thought about this issue in general?

yourcelf commented 12 years ago

I've thought about it quite a bit... but know of no solution right now other than random pad names.

Etherpad lite doesn't have any authentication mechanism I'm aware of (yet -- it looks like something in the source code that may be possible eventually: https://github.com/Pita/etherpad-lite/blob/master/src/node/db/SecurityManager.js ).

To solve this problem in the context of Django applications, I wrote an authenticating proxy that can be run in front of the Etherpad Lite instance on the server, allowing a Django app to control access: https://github.com/yourcelf/django-authproxy. It could be possible for one to write a similar proxy for ruby/rails, and to use the authentication stack that Redmine does. The downside of this approach is that the server setup and installation become substantially more complicated.

I'd love to hear any other thoughts if someone has a good solution for this.

yourcelf commented 12 years ago

Hmmm, this looks potentially usable -- hadn't seen it before: https://github.com/Pita/etherpad-lite/wiki/HTTP-API

Looks as though the HTTP API could be used to create and restrict access for particular pads. It looks like it might only work if the pad doesn't exist before it's created by the API, though, and would definitely require the embedder to have full access to the etherpad lite installation in order to get the API Key from it.

balexis commented 12 years ago

Hi, thanks for replying. Indeed it looks like the HTTP API provides the low-level functionalities to perform a neat integration. There is quite a lot of custom work to be done in Redmine to integrate this though, and I'm afraid that future redmine updates might break the custom patches to have this integrated.

Personally I'd love to see Redmine add native pads and let the admin choose whether to include one or not on a per-project basis. Hey, one can dream? :)

Alexis

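The "random pad names" stopgap discussed in this thread, sketched as an added example (not code from the redmine_etherpad plugin or from anyone in the thread). The secret constant, the function names and the `r-` prefix are assumptions; the only Etherpad detail relied on is the `/p/<padname>` URL form. Deriving the name with an HMAC keyed by a server-side secret makes it unguessable while still letting the wiki macro recompute it without storing anything.

```ruby
require "openssl"
require "securerandom"

# Assumption: one secret per Redmine installation, generated once and kept
# server-side (hypothetical setting, not an existing plugin option).
PAD_NAME_SECRET = SecureRandom.hex(32)

# Derive an unguessable but reproducible pad name for a restricted wiki page.
# Only code holding the secret can compute it, so the name is revealed only
# to users whom Redmine already allows to render the page.
def pad_name_for(secret, project_identifier, wiki_page, label = "default")
  # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
  message = [project_identifier, wiki_page, label]
            .map { |field| "#{field.to_s.bytesize}:#{field}" }
            .join
  digest = OpenSSL::HMAC.hexdigest("SHA256", secret, message)
  # Keep 32 hex characters (128 bits), far beyond practical guessing.
  "r-#{digest[0, 32]}"
end

# Build the iframe source for the embedded pad.
def pad_url(base_url, pad_name)
  "#{base_url.chomp('/')}/p/#{pad_name}"
end

if __FILE__ == $PROGRAM_NAME
  name = pad_name_for(PAD_NAME_SECRET, "foo", "Meeting notes")
  puts pad_url("https://pad.example.org", name) # constructed sample host
end
```

The derived name works as a bearer secret: anyone who obtains the URL (browser history, a copied link, proxy logs) can open the pad, so this narrows exposure but is not a substitute for the authenticating proxy or the HTTP API approach mentioned above.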