Enforced read-only mode for some viewers #1

Closed
comm2k opened this Issue Apr 15, 2012 · 6 comments


comm2k commented Apr 15, 2012

We'd like to use ethercalc to provide real-time updates to people in different locations.

Scenario:
The original data (simple time-schedules) is copied from Excel and pasted into an ethercalc spreadsheet manually - every time a change is made. However, for certain 'viewers' in ethercalc we'd like to prevent them from being able to edit/manipulate the spreadsheet.

In other words a very simple user/group or access rights system would enable us to allow some people ('planning team') to enter updates, whereas others (clients) just receive the updates via ethercalc.

Thanks :-)

Owner

audreyt commented Apr 15, 2012

Thanks for creating issue #1 (and hopefully there'll be more to come)!

So would it be ok if, say, http://ethercalc.org/pagename becomes read only (with a server setting), but http://ethercalc.org/pagename/edit is password protected, for all values of "pagename"?

A full-fledged ACL-to-Page mapping is possible too, of course, but I'm trying to avoid over-complicating the administrative interface. :-)

comm2k commented Apr 15, 2012

Yes, such a 'setting' would totally satisfy our needs, as we have total control of the server which is running ethercalc.

As for more issues - yes I will create some ;-)

comm2k commented Apr 20, 2012

I don't want to sound impatient - but just need some info for planning:
Do you think this feature could be implemented within ~1 month? Or do you have a plan/intention to implement this?

Thanks! :)

Owner

audreyt commented Apr 20, 2012

Sure! I should've communicated my plans better. :-)

There's definitely intention to implement this.

There's an OSDC.tw hackathon tomorrow where I'll be hacking (and hopefully teaching other folks) on EtherCalc to improve its REST API and read-only support with "ethercalc --key SECRET", so it should happen this weekend if not sooner.

@audreyt audreyt added a commit that referenced this issue Apr 20, 2012

@audreyt audreyt * Finish separate /:room/view and /:room/edit support for #1.
  To enable this mode, start ethercalc with a "--key" parameter:

      ./bin/ethercalc --key 85b5dd7a-8afe-11e1-bca8-002332d309a4

  Under this mode, /:room simply redirects to the /:room/view URL.

  Using a reverse proxy to authenticate or restrict access to the
  /:room/edit URL scheme is currently required.
08a3b85
Owner

audreyt commented Apr 20, 2012

Hi @comm2k, please pull the latest code (900d279) and see if it is approximately what you'd like?

To quote the commit message:

  To enable this mode, start ethercalc with a "--key" parameter:

      ./bin/ethercalc --key 85b5dd7a-8afe-11e1-bca8-002332d309a4

  Under this mode, /:room simply redirects to the /:room/view URL.

  Using a reverse proxy to authenticate or restrict access to the
  /:room/edit URL scheme is currently required.

If you'd like Basic Auth or some other way to restrict access to /:room/edit (instead of using a reverse proxy), please open a new issue for that. Thanks for the suggestion! :-)

@audreyt audreyt closed this Apr 20, 2012

Owner

audreyt commented Apr 20, 2012

Also: Instead of setting up reverse proxy, if you're embedding EtherCalc within another app, it's also possible to manually construct an authenticated-edit link for selected users.

See the hmac function in main.coffee:

    encoder = require('crypto').createHmac('sha256', KEY)
    encoder.update ROOM
    digest = encoder.digest('hex')

Here KEY is the value passed to "ethercalc --key", and ROOM is the spreadsheet page you're editing.

After calculating the digest, passing it to /ROOM?auth=DIGEST will show an editable rendering of the page.

Under that use case, simply commenting out the three lines in src/main.ls beginning with:

    @get '/:room/edit': ->

will make it impossible for users to gain edit access without getting the auth token from a service that knows the shared-secret KEY.

Let me know if this helps. :-)
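
The authenticated-edit link described in the comment above, sketched for an embedding app as an added example (not EtherCalc's own code and not part of the original comment). The base URL, the sample key and the `isValidAuth` verifier are assumptions for illustration; only the HMAC-SHA256-over-ROOM digest and the `/ROOM?auth=DIGEST` form come from the thread.

```javascript
// Added example, not EtherCalc source.
const { createHmac, timingSafeEqual } = require('crypto');

// Same computation as the snippet in the comment:
// hex HMAC-SHA256 of the room name, keyed with the "ethercalc --key" value.
function roomDigest(key, room) {
  return createHmac('sha256', key).update(room).digest('hex');
}

// Build the /ROOM?auth=DIGEST link for a user the embedding app has
// already authorized. baseUrl is an assumption (where EtherCalc is served).
function editLink(baseUrl, key, room) {
  const path = '/' + encodeURIComponent(room);
  return new URL(path + '?auth=' + roomDigest(key, room), baseUrl).toString();
}

// Hypothetical verifier for a service that has to check a presented token:
// reject anything that is not 64 hex characters, then recompute the digest
// and compare in constant time instead of with ===.
function isValidAuth(key, room, presented) {
  if (typeof presented !== 'string' || !/^[0-9a-f]{64}$/.test(presented)) {
    return false;
  }
  const expected = Buffer.from(roomDigest(key, room), 'hex');
  return timingSafeEqual(expected, Buffer.from(presented, 'hex'));
}

// Constructed sample values (the key is a placeholder, not a real secret).
const DEMO_KEY = 'constructed-demo-key-not-a-real-secret';
const DEMO_BASE = 'http://calc.example.internal:8000';
const demoLink = editLink(DEMO_BASE, DEMO_KEY, 'schedule');
console.log(demoLink);
```

Because the digest depends only on KEY and ROOM, the link is identical for every user of a room and stays valid until KEY is changed, so it should be handed out only over authenticated channels and the key rotated when edit access has to be withdrawn.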

@jeffhung jeffhung added a commit to jeffhung/cloudcalc that referenced this issue Apr 21, 2012

@audreyt @jeffhung audreyt + jeffhung * Finish separate /:room/view and /:room/edit support for #1.
  To enable this mode, start ethercalc with a "--key" parameter:

      ./bin/ethercalc --key 85b5dd7a-8afe-11e1-bca8-002332d309a4

  Under this mode, /:room simply redirects to the /:room/view URL.

  Using a reverse proxy to authenticate or restrict access to the
  /:room/edit URL scheme is currently required.
815d194

@audreyt audreyt pushed a commit that referenced this issue Oct 19, 2014

@ocdtrekkie ocdtrekkie Merge pull request #1 from audreyt/master
Update with 20140730 from audreyt
a1a4a4d

@audreyt audreyt pushed a commit that referenced this issue Mar 15, 2016

@sank64 sank64 Merge pull request #1 from sank64/sank64-greentheme1
Green ethercalc theme compliant
9f28748

@audreyt audreyt pushed a commit that referenced this issue Jul 4, 2016

@rugk rugk Merge pull request #1 from audreyt/master
update from upstream
9dc37ae