Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Enforced read-only mode for some viewers #1

Closed
comm2k opened this Issue · 6 comments

2 participants

@comm2k

We'd like to use ethercalc to provide real-time updates to people in different locations.

Scenario:
The original data (simple time-schedules) is copied from Excel and pasted into an ethercalc spreadsheet manually - everytime a change is made. However for certain 'viewers' in ethercalc we'd like to prevent them from being able to edit/manipulate the spreadsheet.

In other words a very simple user/group or access rights system would enable us to allow some people ('planning team') to enter updates, whereas others (clients) just receive the updates via ethercalc.

Thanks :-)

@audreyt
Owner

Thanks for creating issue #1 (and hopefully there'll be more to come)!

So would it be ok if, say, http://ethercalc.org/pagename becomes read only (with a server setting), but http://ethercalc.org/pagename/edit is password protected, for all values of "pagename"?

A full-fledged ACL-to-Page mapping is possible too, of course, but I'm trying to avoid over-complicating the administrative interface. :-)

@comm2k

Yes such a 'setting' would totally satisfy our needs, as we have total control of the server which is running ethercalc.

As for more issues - yes I will create some ;-)

@comm2k

I don't want to sound impatient - but just need some info for planning:
Do you think this feature could be implemented within ~1 month? Or do you have a plan/intention to implement this?

Thanks! :)

@audreyt
Owner

Sure! I should've communicated my plans better. :-)

There's definitely intention to implement this.

There's a OSDC.tw hackathon tomorrow where I'll be hacking (and hopefully teaching other folks) on EtherCalc to improve its REST API and read-only support with "ethercalc --key SECRET", so it should happen this weekend if not sooner.

@audreyt audreyt referenced this issue from a commit
@audreyt * Finish separate /:room/view and /:room/edit support for #1.
  To enable this mode, start ethercalc with a "--key" parameter:

      ./bin/ethercalc --key 85b5dd7a-8afe-11e1-bca8-002332d309a4

  Under this mode, /:room simply redirects to the /:room/view URL.

  Using a reverse proxy to authenticate or restrict access to the
  /:room/edit URL scheme is currently required.
08a3b85
@audreyt
Owner

Hi @comm2k, please pull the latest code (900d279) and see if it is approximately what you'd like?

To quote the commit message:

  To enable this mode, start ethercalc with a "--key" parameter:

      ./bin/ethercalc --key 85b5dd7a-8afe-11e1-bca8-002332d309a4

  Under this mode, /:room simply redirects to the /:room/view URL.

  Using a reverse proxy to authenticate or restrict access to the
  /:room/edit URL scheme is currently required.

If you'd like Basic Auth or some other way to restrict access to /:room/edit (instead of using a reverse proxy), please open a new issue for that. Thanks for the suggestion! :-)

@audreyt audreyt closed this
@audreyt
Owner

Also: Instead of setting up reverse proxy, if you're embedding EtherCalc within another app, it's also possible to manually construct an authenticated-edit link for selected users.

See the hmac function in main.coffee:

encoder = require('crypto').createHmac('sha256', KEY)
encoder.update ROOM
digest = encoder.digest('hex')

Here KEY is the value passed to "ethercalc --key", and ROOM is the spreadsheet page you're editing.

After calculating the digest, passing it to /ROOM?auth=DIGEST will show an editable rendering of the page.

Under that use case, simply comment out the three lines in src/main.ls beginning with:

@get '/:room/edit': ->

will make it impossible for users to gain edit access without getting the auth token from a service that knows the shared-secret KEY.

Let me know if this helps. :-)

@jeffhung jeffhung referenced this issue from a commit in jeffhung/cloudcalc
@audreyt * Finish separate /:room/view and /:room/edit support for #1.
  To enable this mode, start ethercalc with a "--key" parameter:

      ./bin/ethercalc --key 85b5dd7a-8afe-11e1-bca8-002332d309a4

  Under this mode, /:room simply redirects to the /:room/view URL.

  Using a reverse proxy to authenticate or restrict access to the
  /:room/edit URL scheme is currently required.
815d194
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.