WebDAV: Endpoints must be fully disabled in public mode #2464
photoprism/photoprism#2464 Signed-off-by: Michael Mayer <michael@photoprism.app>
see photoprism/photoprism#2464 Signed-off-by: Michael Mayer <michael@photoprism.app>
Hello,
Thank you very much in advance. |
You could run a custom file server. How did it work before? Were you able to use WebDAV without a password? |
I used the following nginx frontend config:
PhotoSync has a built-in PhotoPrism plugin for authenticating via WebDAV. In fact, I used a standard admin account and password to authenticate. It was more convenient than a custom file server because PhotoPrism starts importing instantly after upload. |
It was configured a long time ago per the documentation. |
It was also useful for me to have the front end be "public" but the WebDAV endpoint still require authorization for similar reasons as @david1155. No disagreement that that behavior feels inconsistent with the definition of "public" so I'm supportive of the change for that reason, but it would also be great if the two things were separately configurable rather than all-or-nothing. |
How it worked was even if the server was set to PUBLIC, authentication via WEBDAV still used the admin username and password that would be the password to login to Photoprism if it was set to private/password authentication. |
Sorry for responding to this old issue, but would it be possible to use WebDAV in public mode? We used this feature to upload pictures to PhotoPrism, while others could only look at them. Or is the current advice to move the pictures to another backend? |
If it is public, they cannot only look at them but would have full server access. That's why authentication with a password is required. |
In public mode with read-only we were able to upload pictures to the WebDAV. But since updating, this isn't working anymore. |
Right, that was the security issue we fixed. That should not be allowed. |
Okay, then it's back into the documentation to see how to upload pictures to it while it's in public mode! Thanks for your help, and all your work on this amazing app! |
You could use SSH / SCP or a network file system for that. |
The problem is, we don't have that access to it currently; we were very happy that we could do it this way with a reverse nginx proxy. But that's something we will need to solve. |
@legomannetje FWIW, if you're willing to build from source yourself, you can just change this line to restore previous behavior. |
As a user running their instance in public mode, I expect WebDAV to be completely disabled as it is not possible to manage access in the web UI, it does not work without a password, and it is not possible to use it without a password to prevent abuse.
Although and because it is not possible to use WebDAV in public mode (a non-empty password is required), the endpoint must be completely disabled to avoid running unused services and to clearly signal that support is neither intended nor desirable.
This issue has nothing to do with the ability to explicitly disable WebDAV in the configuration, that was possible before and still is.
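The requirement above, sketched as an added example (not PhotoPrism's own code): the WebDAV route is registered only when the instance is not public, WebDAV is not explicitly disabled, and a non-empty password exists, so a public instance answers 404 instead of exposing an authenticated write path. `Config`, `NewRouter`, `Status`, the `/originals/` path and the stub backend are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config holds hypothetical settings for this added example (not the project's types).
type Config struct {
	Public, DisableWebDAV bool
	AdminPassword         string
}

// NewRouter registers the WebDAV path only when it can be protected by a password.
func NewRouter(c Config, dav http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	if c.Public || c.DisableWebDAV || c.AdminPassword == "" {
		return mux // route never registered: every WebDAV request gets 404
	}
	mux.HandleFunc("/originals/", func(w http.ResponseWriter, r *http.Request) {
		_, pass, ok := r.BasicAuth() // username ignored here for brevity
		if !ok || subtle.ConstantTimeCompare([]byte(pass), []byte(c.AdminPassword)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="webdav"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		dav.ServeHTTP(w, r)
	})
	return mux
}

// Status sends a constructed PUT upload through the router and returns the response code.
func Status(c Config, password string) int {
	dav := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) }) // stub backend
	req := httptest.NewRequest("PUT", "/originals/a.jpg", nil)
	if password != "" {
		req.SetBasicAuth("admin", password)
	}
	rec := httptest.NewRecorder()
	NewRouter(c, dav).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("public, valid password:", Status(Config{Public: true, AdminPassword: "s3cret"}, "s3cret"))
	fmt.Println("private, valid password:", Status(Config{AdminPassword: "s3cret"}, "s3cret"))
}
```

The empty-password guard matters because a constant-time comparison of two empty strings succeeds, which would otherwise let an unconfigured instance accept blank credentials.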