Add option to disable anonymous pad creation on the server side #1724
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Also it breaks invites, I'll try to fix that. |
mathilde-cryptpad
added
the
Feature Request
Wolf480pl
force-pushed
the
disable-anon-pad-creation
branch
from
ac81cd0 to
a1e325b
Compare
|
|
|
@Wolf480pl this would be such a cool feature ! |
|
I was trying to wrap my head around the frontend code responsible for the login and registration, and how it stores account data on the server, in order to make invites work with this change. But it's quite complex, and I ran out of time. I may try to return to this in the future, but if anyone else wants to give it a try that'd be cool too. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is my first attempt at fixing #625
Looks like concept of "user" is very ambiguous in cryptpad, so I assumed
Users.getAllare the registered users.As far as I understand, in registration-disabled mode, these include all users created by accepting an invitation.
The admin can also add users manually to that list, which sounds useful.
Not sure how this handles SSO though.
Also, should I allow admins to create pads, even if they're not in Users?
I'd appreciate suggestions about better ways of obtaining something akin to a list of registered users.
Also, AFAIU this only prevents creation of channels (which seems to include userobjects, drive, etc) but not pins, blocks, and possibly other kinds of things that could be abused by an attacker to store arbitrary data.
I don't have a good grasp of those, or a good way to test for that (looks like the official client won't try to do these things when not logged in) so I'd also appreciate any pointers on how to handle those things.
Also, I don't have much experience with JS, so my code probably looks very awkward and unidiomatic - sorry about that.