Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Un-Share a Private Link #1994

Open
ElCapitannn opened this issue Jun 5, 2023 · 5 comments
Open

Un-Share a Private Link #1994

ElCapitannn opened this issue Jun 5, 2023 · 5 comments
Labels
documentation feature security
Milestone
backlog to the fu...

Comments

@ElCapitannn
Copy link

Shaarli version 0.12.1

How does one un-share a private link?

How does one view all private links which have been shared?

thanks
@nodiscc nodiscc added the support installation and configuration issues label Jun 6, 2023
@nodiscc
Copy link
Member

nodiscc commented Jun 6, 2023

How does one un-share a private link?

Is deleting the link not enough? Or do you mean something else?

How does one view all private links which have been shared?

https://shaarli.readthedocs.io/en/master/Usage/#publicprivate-shaares (you must, of course, be logged in)

image

@ElCapitannn
Copy link
Author

Is deleting the link not enough? Or do you mean something else?

I am referring to the "Share a private link" button underneath a particular shaare. It generates a link with ?key=**************

I believe the shaare remains private, but anyone with this link can see the shaare. My questions are in reference to this functionality.

@nodiscc
Copy link
Member

nodiscc commented Jun 8, 2023
edited

"Share a private link" button underneath a particular shaare. It generates a link with ?key=**************

Do you mean token=******? Like https://demo.shaarli.org/admin/shaare/private/LLgT1A?token=4a07694f7206f20cf02018105f97d7b362c39f86 ?

I believe the shaare remains private, but anyone with this link can see the shaare

I had never used this feature before, but on the demo instance (master) and on my own instance (v0.12.2), going to such a URL while logged out redirects to the login form, so I don't think "anyone with this link can see the shaare". Does it work differently for you?

@ElCapitannn
Copy link
Author

ElCapitannn commented Jun 12, 2023
edited

Click the "Share a private link" button and, in my case, this takes me to a new URL. Copy what is in the address bar and you should then have a URL ending with ?key=******

When I go to this URL, I am able to see the shaare without being logged in.

@nodiscc
Copy link
Member

nodiscc commented Jun 13, 2023

Ok, now I can reproduce this 👍

This feature was introduced in #1597 in 2020, I don't think there is a way to "unshare" a private shaare, as the private key gets generated/written to the datastore when you first click the /admin/shaare/private/... link.

  • this should be made clearer in the docs and/or tooltip.

The only workarounds I can see for now are

  • delete/recreate the shaare (this can probably be automated using the API if you have a large number of shared private links).
  • edit the datastore manually (risky) to remove the private key

Tagging this as a feature request as I think there should be a way to:

  • Clearly show which private shaares are shared (have a private key attached to their datastore entry)
  • Maybe list such shaares through the API
  • Unshare (clear the private key) a private shaare from the web interface

@nodiscc nodiscc added security feature and removed support installation and configuration issues labels Jun 13, 2023
@nodiscc nodiscc added this to the backlog to the future milestone Jun 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation feature security
Projects
None yet
Milestone
backlog to the future
Development

No branches or pull requests
2 participants
@nodiscc @ElCapitannn