Comments (19)
So I was thinking a bit more about this. And I'm still not 100% sure.
Because something else that comes to mind is that the owner can lose control or visibility.
Assume
- userA shares an image to userB
- userB creates a text file and inserts that image
- userB now shares this text file by link
This would mean that whoever has access to the link to the text file has access to the image. But this is not reflected in the sharing.
Maybe we could do it some other way. Basically when you share a document by link you share all the images in that document also by link. And then we use server/s/TOKEN/preview to embed the image.
Yes, sounds like a good solution for the first release. We can always improve on that later.
Any chance of fixing this in the near future? AFAICS there is now simply no way to use images at all in a link-shared text document (i.e. using an external public URL is impossible too, see #359, as is using base64 urls, see #392). Or is there a workaround that I'm not seeing?
Makes sense for images. But for adding a link to an office document for example it would make sense to still reference the original file.
The preview also does not work for images that are shared, too, e.g. if you share a folder which contains the Markdown file and the image file(s). In this case it should be possible without security issues. The text editor button to include an image also does not show even though there are accessible images in the same folder that could be included.
This is resolved with #1900 as well
Yes, this is because the preview is only available if the accessing user has access to the file. We need to carefully think how we should handle this.
My initial idea was to show a placeholder for images that cannot be accessed with a link to the file and mentioning the owner.
Can’t we generate a larger preview which then is accessible? Or do you mean that by placeholder?
No, we cannot generate preview for files the user/guest doesn't have access to, as this would lead to a pretty bad data leak.
We could for sure try to have a separate preview endpoint for files included in the documents, but that really needs to be handled with care, so only the user who has access to the file is allowed to add it.
Ok, then for now we could indeed just show an emptycontent-container with .icon-image and a line below like "Images are not supported in share views yet". Sounds good?
The placeholder is implemented and has a link to open the image. For further improvements let's move this to 2.0
A possible solution might be putting the pictures and the text-file (with those embedded pictures) inside the same folder. When sharing the folder e.g. over a public link, the pictures are then also accessible and therefore should be automatically visible inside the text-file for everyone who opens the txt-file over this public link. (And not just the internal link to the file, as it is today)
On the other hand: if you share a text-file with embedded pictures, you probably always want the pictures inside the text-file to be visible for everyone you are sharing the file with. (But also just inside the text-file) So this isn't a data leak. (It's just like sharing e.g. a docx-file with embedded pictures.)
I thought a bit more about this. The approach I would take for now is that the text app has a dedicated preview endpoint. When inserting an image we store the file id of the image and the text file for example in a new oc_text_embedded table. If the preview is requested then by the user through a share/share link we check if the table has a link between those two files and in that case return a preview of the file on the custom endpoint. The endpoint of course also needs to verify that the user actually has access to the text document.
Does this seem good @rullzer @MorrisJobke? ^
Yes a dedicated endpoint makes sense.
However it brings the bigger question to document editing. If I add a picture to a document. Do I expect that to be a link or the image at that time. In collabora/onlyoffice you insert the image at that time and not a link to the image.
Yeah, and we can do it in steps. For sure what’s expected for images is that the image shows in the document, so inserting it is probably easiest. Any linking to the original is something for a later step.
> I thought a bit more about this. The approach I would take for now is that the text app has a dedicated preview endpoint. When inserting an image we store the file id of the image and the text file for example in a new oc_text_embedded table.
So the endpoint would be provided solely by the text app and no change in the server core is needed?
> If the preview is requested then by the user through a share/share link we check if the table has a link between those two files and in that case return a preview of the file on the custom endpoint. The endpoint of course also needs to verify that the user actually has access to the text document.
Is this logic going to be implemented within the boundaries of this app?
Additional question: Is this fix still expected to be part of the 18.0.1 release, i.e. is anyone going to spend time on it in the foreseeable future, or was it simply moved out of the way of the 18.0 scope?
> So the endpoint would be provided solely by the text app and no change in the server core is needed?
Should be just the text app, but this is quite some implementation effort so probably nothing for a patch release, therefore removing the milestone for now.
As from our discussion in regards to uploading images this could also be implemented in a similar way, whereas other text editing solutions like Collabora Online or Google Docs would also just take a copy of the image and store it separately. So this could be a follow up implementation based on the linked PR.
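The dedicated preview endpoint proposed in this thread can be modelled as two checks, one at insert time and one at preview time. This is an added example, not Nextcloud or text-app code: the class and method names, the in-memory ACL and the share-token map are assumptions, and the `embedded` set stands in for the proposed oc_text_embedded table.

```python
class PreviewDenied(Exception):
    """Raised whenever an insert or preview request must be refused."""


class EmbeddedPreviews:
    def __init__(self, acl, share_links):
        self.acl = acl                  # file id -> set of user ids with access
        self.share_links = share_links  # share token -> file id it exposes
        self.embedded = set()           # (text file id, image file id) rows

    def insert_image(self, user, doc_id, image_id):
        # Insert-time check: only someone who can already access the image
        # (and the document) may create the link between the two files.
        for file_id in (doc_id, image_id):
            if user not in self.acl.get(file_id, set()):
                raise PreviewDenied(f"{user} has no access to file {file_id}")
        self.embedded.add((doc_id, image_id))

    def preview(self, doc_id, image_id, user=None, token=None):
        # 1. The requester must have access to the text document, either as
        #    a user or through a share link pointing at exactly this document.
        via_user = user is not None and user in self.acl.get(doc_id, set())
        via_link = token is not None and self.share_links.get(token) == doc_id
        if not (via_user or via_link):
            raise PreviewDenied("no access to the text document")
        # 2. The image must be recorded as embedded in that document; a file
        #    id supplied in the request alone is never enough.
        if (doc_id, image_id) not in self.embedded:
            raise PreviewDenied("image is not embedded in this document")
        return f"preview:{image_id}"


# Constructed sample data: file 10 is the text file, 20 and 21 are images.
# userA shared image 20 with userB; image 21 is private to userA.
ACL = {10: {"userB"}, 20: {"userA", "userB"}, 21: {"userA"}}
LINKS = {"TOKEN": 10, "OTHER": 99}
```

With this shape, a share-link visitor can only fetch previews of images that a user with access to them deliberately embedded, and guessing another file id through the same link is refused.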