enh(Sharing): backend infrastructre for read-only link shares #2211
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-project-automation
bot
moved this to 🧭 Planning evaluation (don't pick)
in 📝 Office team
blizzz
moved this from 🧭 Planning evaluation (don't pick)
to 🏗️ In progress
in 📝 Office team
blizzz
force-pushed
the
enh/noid/link-share-biz
branch
4 times, most recently
from
c331e92 to
ec7bd73
Compare
blizzz
commented
Dec 11, 2025
| #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] | ||
| #[FrontpageRoute(verb: 'GET', url: '/s/{token}')] | ||
| public function linkShare(string $token): TemplateResponse { | ||
| Util::addScript(Application::APP_ID, 'tables-main'); |
Member
Author
There was a problem hiding this comment.
@enjeck may keep this if new functionality goes into the main script, or otherwise we can change this if course and load a different one.
The share token is being provided via initialState a few lines below.
blizzz
force-pushed
the
enh/noid/link-share-biz
branch
2 times, most recently
from
d0a78bc to
63b0a70
Compare
- modifies oc_tables_share structure with two columns, token and password - adds ShareOCSController with a route to create link shares - adds a PageController front route to display the link share - adds a ApiPublicColumnsController to retrieve columns for public links. It was not added to the existing ApiColumnsController, as it requires the userId of the logged-in user and I did not want to weaken this detail. - adds an abstract controller for columns with shared functionality and make ApiColumnsController extend it. - adds a PublicRowOCSController for retrieving rows through link shares - adds a ShareToken value object - adds a ShareControlMiddleware for share token and existance validation. It comes with the AssertShareToken attribute. - extends Share entity with ShareToken and Password properties - extends ShareMapper to find a share by the share token - extends ShareService with a method to easily create link shares - extends ResponseDefinitions with TablesPublicRow and TablesPublicColumn specs. Essentially tableIDs are not exposed and also user ids in lastEditBy and createdBy are not disclosed. - extends RowService and ColumnService with methods to return such ^ formatted result arrays. - extends OpenAPI spec Signed-off-by: Arthur Schiwon <[email protected]>
Signed-off-by: Arthur Schiwon <[email protected]>
blizzz
force-pushed
the
enh/noid/link-share-biz
branch
from
63b0a70 to
9f86cfc
Compare
blizzz
added
3. to review
enjeck
reviewed
Dec 28, 2025
| $shareToken = new ShareToken($token); | ||
| $this->initialState->provideInitialState('shareToken', (string)$shareToken); | ||
|
|
||
| return new TemplateResponse(Application::APP_ID, 'main', [], TemplateResponse::RENDER_AS_GUEST); |
Contributor
There was a problem hiding this comment.
should this be RENDER_AS_GUEST? Or RENDER_AS_PUBLIC?
enjeck
reviewed
Dec 28, 2025
| $this->loadStyles(); | ||
|
|
||
| $shareToken = new ShareToken($token); | ||
| $this->initialState->provideInitialState('shareToken', (string)$shareToken); |
Contributor
There was a problem hiding this comment.
To properly load text editor so that rich text cells display properly, we need to add:
if (class_exists(LoadEditor::class)) {
$this->eventDispatcher->dispatchTyped(new LoadEditor());
}
I already did at https://github.com/nextcloud/tables/pull/2236/changes#diff-70e5309fcd3311d771b3db9c93490ea270fd5894769093765ec37edb68e5dd9b
enjeck
reviewed
Dec 28, 2025
|
|
||
| /** | ||
| * @psalm-import-type TablesPublicColumn from ResponseDefinitions | ||
| */ |
Contributor
There was a problem hiding this comment.
we don't use #[AssertShareToken] here too?
enjeck
reviewed
Dec 28, 2025
| #[PublicPage] | ||
| #[AssertShareToken] | ||
| #[ApiRoute(verb: 'GET', url: '/api/2/public/{token}/rows', requirements: ['token' => '[a-zA-Z0-9]{16}'])] | ||
| #[OpenAPI] |
Contributor
There was a problem hiding this comment.
Since these are public, I imagine they are more prone to scraping and DoS? Do we want to throttle them?
enjeck
reviewed
Dec 28, 2025
| public function formatRowsForPublicShare(array $rows): array { | ||
| return array_map(static function (Row2 $row): array { | ||
| $rowData = $row->jsonSerialize(); | ||
| unset($rowData['tableId']); |
Contributor
There was a problem hiding this comment.
Why do we unset the tableId but not the column/row ids? What makes tableId more riskier
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
contributes to #67
links. It was not added to the existing ApiColumnsController, as it
requires the userId of the logged-in user and I did not want to weaken
this detail.
make ApiColumnsController extend it.
validation. It comes with the AssertShareToken attribute.
TablesPublicColumn specs. Essentially tableIDs are not exposed and
also user ids in lastEditBy and createdBy are not disclosed.
formatted result arrays.
Curl examples for added API endpoints
Create a share link without password
fetch column information
fetch all rows