server <-> server sharing

[karlitschek]

It should be possible to mount a public link that someone receives as normal file/folder in the own ownCloud.

The scenario is this:

• user a sends a public link to user b.
• user b accesses the shared folder in the browser
• user b decides that this shared folder is helpful for future collaboration that is should be accessible in user b's owncloud, desktop, mobile,..
• user b takes the sharing link from user a and puts it into a tbd mount interface.
• the ownCloud for user b then mounts the folder via webdav from the owncloud of user a
• the public sharing key is used as webdav authentication

A hint in the public link sharing mail should be added so that the user understands that this is possible

[PVince81]

@icewind1991 I think we already talked about this a bit, you could start with making public links mountable as external storage.

[jancborchardt]

Actually I thought about this the other day and found good flow how to mount the share. Instead of »user b takes the sharing link from user a and puts it into a tbd mount interface.«:

• Frank shares a file/folder with Jan, they are not on the same ownCloud
• Jan gets the link through whatever channel Frank sends it to him
• On the public share page, there is a button next to the Download button saying »Add filename to your ownCloud« (or different wording making clear it’s a share instead of just copy)
• Then an input field appears, prompting you to put in the address of your ownCloud
• Jan puts in the URL (be it http or https or no protocol specified, and without webdav path afterwards)
• Jan is redirected to his ownCloud (new tab opens) – maybe needs to log in first
• The file/folder is added in his root folder, with the usual indicator of »Shared by Frank«. (could state more elaborate »user address« in the share dropdown.)

This would be a good flow because you probably know the address of your ownCloud and you don’t have to go copy the share link manually.

cc @DeepDiver1975 @Gomez with whom I talked about this. What do you think @karlitschek @owncloud/designers?

[LukasReschke]

Between

• Jan is redirected to his ownCloud (new tab opens) – maybe needs to log in first

and

• The file/folder is added in his root folder, with the usual indicator of »Shared by Frank«. (could state more elaborate »user address« in the share dropdown.)

A confirmation window is required to prevent CSRF since we have no requesttoken in such cases.

[jancborchardt]

What do you exactly mean? Couldn’t the link be added as a parameter? Like so:

jans-owncloud.com/?sharedfile=franks-owncloud.com/filetoken

ownCloud just needs a way to understand that parameter and then automatically add the file. Because from the user’s perspective, I already gave confirmation by putting in my ownCloud address.

[LukasReschke]

What do you exactly mean?

Your ownCloud server has no idea whether you actually sent the request by invoking an user action or by visiting a malicious site. That's how the HTTP protocol works, you have links like delete.php?filename=FOO and regardless from where the request is sent (e.g. from a form/javascript embedded in another website) all your cookies are sent with the request.

The CSRF token is a long random value which is sent with every request originating from the ownCloud instance that oC uses to verify that you really wanted to perform that action and not an attacker. The link looks now like delete.php?filename=FOO&requesttoken=averylongrandomvalue and since an attacker does not know the value of the requesttoken he can't trick your browser in sending such a request.

Couldn’t the link be added as a parameter?

That not something that we should do.

I already gave confirmation by putting in my ownCloud address.

Yes. But your own ownCloud server doesn't know that you've added the link on your own. It could also be a malicious scripts that floods your home folder.

[LukasReschke]

What we have to do is just a step in the user interaction more, if the user enters the URL he is redirected to his ownCloud instance and a modal is shown containing a question like: "Do you really want to add XYZ from Frank to your ownCloud?"

[karlitschek]

good idea. Additionally it should be possible to do it the other way around. So you go to your ownCloud server and past somewhere the sharing link that you got from someone to mount it into your ownCloud.

[jancborchardt]

Ok, the additional confirmation sounds not too intrusive.

@karlitschek yes, it should be possible both ways.

[PVince81]

Agree with the flow but would personally prefer inputting the remote URL into my own ownCloud as I don't necessarily want to "risk" giving away my ownCloud URL to the remote ownCloud.
On the other hand, once I've mouted it that person can the original from the access log, so it's probably not that important.

[jancborchardt]

Yeah – once you mount it, your ownClouds are connected anyway. So if you don’t want to risk giving away your URL, just download the file instead.

So it seems we could need 2 additional options in the »Download« dropdown:

• Save to your ownCloud (without sharing connection)
• Connect with your ownCloud (or different wording – with the sharing connection)

That separation could also be done in the verification step once you are redirected to your own ownCloud.

[PVince81]

Or "keep in sync" instead of "connect" ? It is more explicit and the user might better understand that the file will stay up to date when accessed.

[DeepDiver1975]

Or "keep in sync" instead of "connect"

But sync would give the impression that the remote files are stored in your ownCloud.
Feel more confusing to me ...

[PVince81]

Agreed. I guess we can always change the wording later.
Most important is to get the feature implemented in the first place 😉

[icewind1991]

Start of the "client side" code for this can be found over at #8399

[PVince81]

@icewind1991 does your PR contain a switch to disable server to server sharing ?
I think some users might want to prevent people mounting their ownCloud through public links.
If not, I will make a separate ticket for you.