How to prevent other users from editing document

Postby ajosea » Tue Nov 29, 2016 7:27 pm

Hello,
maybe I'm missing some basic concept, but I cannot imagine how to prevent users from modifying the client code, which would allow them to edit the document.

1. I generate key for the document
2. I start to edit this document
3. I pass the key of the document to another person; my application ensures that by default his editor will have a permission which does not allow him to edit the document.
So far so good, but that person may simply change the document editor directly in browser, or simply prepare his own page targeting the same document server with the same document key. As a result he will be able to edit the document.

I'm afraid that once I give the document key to somebody, I'm always giving him the possibility to write to the document.

Thanks for any clarification on this.

Best
Josef
ajosea
 
Posts: 4
Joined: Tue Nov 29, 2016 6:08 pm

Re: How to prevent other users from editing document

Postby Maxim » Wed Nov 30, 2016 11:27 am

Hello!
1. When you open a doc in the editor, all changes you've made are still kept in the Document Editing Service, not in a file. On closing the editor, the request callback handler begins to perform saving of the doc with the specified user id. Whether to save the doc or not depends on the integrator.
2. When a user is added to edit a doc, there is a request which must be executed to the callback handler with status 1 and a list of allowed-to-edit users. If there is no allowed-to-edit user (with permission to edit the doc), you can execute a request to the command service with the c=drop and users=[userid] command, where userid is the user identifier.
3. We plan to add a code signing mechanism between an integrator and the editor to guarantee that the code has not been altered or corrupted since it was signed.
Maxim
 
Posts: 911
Joined: Tue Oct 11, 2016 2:34 pm

Re: How to prevent other users from editing document

Postby ajosea » Wed Nov 30, 2016 11:41 pm

Hello,
thank you very much for your reply.

If I understood it well, I have to generate unpredictable user ids, which will in fact play the role of a password. If the potential attacker does not know the user id of anybody else, I can effectively prevent him from doing anything. Can you please confirm that a user viewing the document can see only the name and email of the other users and never has access to their userid?

Thanks

Best

Josef
ajosea
 
Posts: 4
Joined: Tue Nov 29, 2016 6:08 pm

Re: How to prevent other users from editing document

Postby Maxim » Thu Dec 01, 2016 1:33 pm

Hello!
No, you don't need to use the userid like a password; even if a potential attacker knows the userid, he can't do anything.
Maxim
 
Posts: 911
Joined: Tue Oct 11, 2016 2:34 pm

Re: How to prevent other users from editing document

Postby ajosea » Thu Dec 01, 2016 2:31 pm

But the attacker can pretend he is somebody else. Knowing userid of someone who has editing allowed, the attacker can prepare his own webpage and specify the userid in the editorConfig section.

Code:
<script>
new DocsAPI.DocEditor("placeholder", {
    "documentType": "text",
    "document": {
        "fileType": "docx",
        "key": "WWZYXnda1",
        "title": "Examplede Document Title.docx",
        "url": "https://server/file.docx",
    },
    "editorConfig": {
        "lang": "en-US",
        "mode": "edit",
        "user": {
            "firstname": "John",
            "id": "78e1e841", // ID of the person with editing allowed
            "lastname": "Smith",
        },
    },
});
</script>
ajosea
 
Posts: 4
Joined: Tue Nov 29, 2016 6:08 pm

Re: How to prevent other users from editing document

Postby Maxim » Fri Dec 02, 2016 8:12 am

Hello!
We have an update of Document Server (ver. 4.2) and now we are preparing the documentation for that release. It will help you! I will post the link to those instructions later.
Maxim
 
Posts: 911
Joined: Tue Oct 11, 2016 2:34 pm

Re: How to prevent other users from editing document

Postby Maxim » Fri Dec 02, 2016 12:45 pm

Hello!
As I promised, there is Documentation to prevent the substitution of important parameters in ONLYOFFICE™ Document Server requests. Also see the Signature configuration section to find out more.
Maxim
 
Posts: 911
Joined: Tue Oct 11, 2016 2:34 pm
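
The idea behind the documentation linked in the post above, sketched as an added example (not code from the thread or from ONLYOFFICE): the integrator's backend signs the whole editor config, and the verifying side trusts only parameters taken from a validly signed token, so a changed "mode" or user "id" is rejected. It assumes an HS256 JWT-style token and a shared secret that never reaches the browser; the function names, the secret and the viewer id are hypothetical, while the document key and URL are the ones posted earlier in the thread.

```javascript
// Added example; function names, secret and sample values are constructed.
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (secret, msg) => crypto.createHmac("sha256", secret).update(msg).digest();

// Integrator backend: sign the full config with a secret the browser never sees.
function signConfig(config, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(config));
  return `${head}.${body}.${b64url(hmac(secret, `${head}.${body}`))}`;
}

// Verifying side: return the signed config, or null if anything was altered.
function verifyConfig(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString());
    if (!header || header.alg !== "HS256") return null; // no "none", no alg swap
    const expected = hmac(secret, `${head}.${body}`);
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    return JSON.parse(Buffer.from(body, "base64url").toString());
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Test helper: rewrite the payload the way a modified client page would,
// keeping the old signature because the secret is unknown to the client.
function substituteParams(token, change) {
  const [head, body, sig] = token.split(".");
  const config = JSON.parse(Buffer.from(body, "base64url").toString());
  change(config);
  return `${head}.${b64url(JSON.stringify(config))}.${sig}`;
}

// Constructed view-only config for the second user in the thread's scenario.
const viewerConfig = {
  document: { fileType: "docx", key: "WWZYXnda1", url: "https://server/file.docx" },
  editorConfig: { mode: "view", user: { id: "viewer-01" } },
};
```

The check only helps if the verifying side ignores any unsigned copy of the parameters and reads mode and user id from the verified payload alone.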

Re: How to prevent other users from editing document

Postby ajosea » Mon Dec 05, 2016 9:39 pm

Great,
that is exactly what I was looking for.

Thank you very much

Best

Josef
ajosea
 
Posts: 4
Joined: Tue Nov 29, 2016 6:08 pm

Re: How to prevent other users from editing document

Postby Maxim » Tue Dec 06, 2016 7:51 am

Hello!
We are glad to help you! Enjoy OnlyOffice!
Feel free to contact us!
Maxim
 
Posts: 911
Joined: Tue Oct 11, 2016 2:34 pm

