WebDAV: Endpoints must be fully disabled in public mode #2464

Closed
lastzero opened this issue Jun 25, 2022 · 14 comments

@lastzero
Member

lastzero commented Jun 25, 2022

As a user running their instance in public mode, I expect WebDAV to be completely disabled as it is not possible to manage access in the web UI, it does not work without a password, and it is not possible to use it without a password to prevent abuse.

Although and because it is not possible to use WebDAV in public mode (a non-empty password is required), the endpoint must be completely disabled to avoid running unused services and to clearly signal that support is neither intended nor desirable.

  • the User Guide clearly states that WebDAV is automatically disabled when running in read-only or public mode
  • a support request indicated that endpoints were only fully disabled in read-only and/or demo mode
  • these are often enabled in combination with public mode, which is probably why it was not noticed earlier

This issue has nothing to do with the ability to explicitly disable WebDAV in the configuration, that was possible before and still is.
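The difference this issue draws, between an endpoint that still answers with a password prompt and one that is never registered, shown as an added example (not PhotoPrism's code). `Config`, `WebDAVEnabled`, `NewRouter` and `Probe` are hypothetical names, and `/import/` is the path from the nginx config quoted later in this thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config is a hypothetical stand-in for the server options named in this issue.
type Config struct {
	Public, ReadOnly, Demo, DisableWebDAV bool
}

// WebDAVEnabled reports whether WebDAV routes may be registered at all.
// Public mode is part of the gate, not only read-only and demo mode.
func WebDAVEnabled(c Config) bool {
	return !(c.Public || c.ReadOnly || c.Demo || c.DisableWebDAV)
}

// NewRouter registers the WebDAV subtree only when the gate allows it.
// The handler is a placeholder that only enforces a non-empty password.
func NewRouter(c Config) http.Handler {
	mux := http.NewServeMux()
	if WebDAVEnabled(c) {
		mux.HandleFunc("/import/", func(w http.ResponseWriter, r *http.Request) {
			if _, pass, ok := r.BasicAuth(); !ok || pass == "" {
				w.Header().Set("WWW-Authenticate", `Basic realm="webdav"`)
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			w.WriteHeader(http.StatusMultiStatus) // stands in for a real DAV reply
		})
	}
	return mux
}

// Probe sends one request and returns the status code a client would see.
func Probe(h http.Handler, method, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	fmt.Println("public: ", Probe(NewRouter(Config{Public: true}), "PROPFIND", "/import/"))
	fmt.Println("private:", Probe(NewRouter(Config{}), "PROPFIND", "/import/"))
}
```

A 401 on a WebDAV path in public mode means the handler is still mounted; a fully disabled endpoint answers 404 for every method.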

lastzero added the bug label Jun 25, 2022
lastzero self-assigned this Jun 25, 2022
lastzero added a commit to photoprism/photoprism-docs that referenced this issue Jun 25, 2022
lastzero added the please-test and released labels and removed the please-test label Jun 27, 2022
lastzero added a commit to photoprism/photoprism-docs that referenced this issue Jun 29, 2022
see photoprism/photoprism#2464

Signed-off-by: Michael Mayer <michael@photoprism.app>
@david1155

Hello,
I'm using external two-factor auth (Authelia) for the frontend. Therefore, I set PHOTOPRISM_PUBLIC=true.
I also use several devices with PhotoSync to automatically upload media via WebDAV (with password auth passthrough frontend auth). Please advise how it is possible to continue using WebDAV upload functionality without using built-in web auth for the whole PhotoPrism.
Maybe it's worth implementing something like this to allow such use-case:

PHOTOPRISM_DISABLE_WEBDAV=false
PHOTOPRISM_PUBLIC=true

Thank you very much in advance.

@lastzero
Member Author

lastzero commented Jul 3, 2022

You could run a custom file server. How did it work before? Were you able to use WebDAV without password?

@david1155

I used the following nginx frontend config:

location /import {
  auth_basic            off;
  dav_methods           PUT DELETE MKCOL; # COPY MOVE;
  create_full_put_path  on;
  dav_access            user:rw group:rw all:r;
  dav_ext_methods       PROPFIND OPTIONS;
  proxy_pass            http://127.0.0.1:2342;
}

PhotoSync has a built-in PhotoPrism plugin for authenticating via WebDAV. In fact, I used a standard admin account and password to authenticate. It was more convenient than a custom file server because PhotoPrism starts importing instantly after upload.

@david1155

It was configured a long time ago per the documentation.

@bschnei

bschnei commented Aug 8, 2022

It was also useful for me to have the front end be "public" but the WebDAV endpoint still require authorization for similar reasons as @david1155. No disagreement that that behavior feels inconsistent with the definition of "public" so I'm supportive of the change for that reason, but it would also be great if the two things were separately configurable rather than all-or-nothing.

@ChrisYx511

How it worked was even if the server was set to PUBLIC, authentication via WebDAV still used the admin username and password that would be the password to log in to PhotoPrism if it was set to private/password authentication.

@legomannetje

Sorry for responding to this old issue, but would it be possible to use WebDAV in public mode? We used this feature to upload pictures to PhotoPrism, while others could only look at them. Or is the current advice to move the pictures to another backend?

@lastzero
Member Author

If it is public, they cannot only look at them but would have full server access. That's why authentication with a password is required.

@legomannetje

In public mode with read-only we were able to upload pictures via WebDAV. But since updating, this isn't working anymore.

@lastzero
Member Author

Right, that was the security issue we fixed. That should not be allowed.

@legomannetje

Okay, then it's back into the documentation to see how to upload pictures to it while it's in public mode! Thanks for your help, and all your work on this amazing app!

@lastzero
Member Author

You could use SSH / SCP or a network file system for that.

@legomannetje

The problem is, we don't have that access to it currently; we were very happy that we could do it this way with a reverse nginx proxy. But that's something we will need to solve.

@bschnei

bschnei commented Nov 30, 2022

@legomannetje FWIW, if you're willing to build from source yourself, you can just change this line to restore previous behavior.

@lastzero lastzero moved this to Released 🌈 in Roadmap 🚀✨ Jun 8, 2023