allow links to be saved without known owner #72
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
willnorris
force-pushed
the
will/ownerless-links
branch
from
3cbcbe8 to
8ef119a
Compare
shayne
reviewed
Apr 21, 2023
willnorris
force-pushed
the
will/ownerless-links
branch
3 times, most recently
from
ad14992 to
724238f
Compare
If the current user can't be determined (either because of a legitimate
error within the localapi client, or the user is coming through a subnet
router and doesn't have a Tailscale IP address), and the
-allow-unknown-users flag is set, then go ahead and save new links
without an owner.
By saving links without an owner, these unknown users can continue to
modify the link, and actual Tailscale users can take ownership. Once the
link is owned, it can no longer be modified by anyone other than the
owner.
Links that use the current user by having `{{ .User }}` in their long
URL cannot be resolved by unknown users and will return an error.
Fixes #60
Signed-off-by: Will Norris <[email protected]>
willnorris
force-pushed
the
will/ownerless-links
branch
from
724238f to
1838c9e
Compare
Signed-off-by: Will Norris <[email protected]>
willnorris
force-pushed
the
will/ownerless-links
branch
from
22b6b3a to
fe06ab3
Compare
shayne
approved these changes
May 2, 2023
|
@kradalby I'm not sure what this nix build error means. I tried running the update-flake.sh script, which yeilded a new signature, but apparently it still doesn't match what nix is looking for? I'm going to submit this anyway, and we can try to address the nix issue later. |
|
Strange, I opened #76 to address this, the weird part is that I just ran update-flake.sh and it worked. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If the current user can't be determined (either because of a legitimate error within the localapi client, or the user is coming through a subnet router and doesn't have a Tailscale IP address), go ahead and save the link without an owner. We are assuming that the requester should have permission to create links simply by virtue of being able to connect to the golink instance.
By saving links without an owner, these unknown users can continue to modify the link, and actual Tailscale users can take ownership. Once the link is owned, it can no longer be modified by anyone other than the owner.
The one potentially undesirable behavior this could introduce is if someone is serving their golink server over Funnel or any other public-facing proxy. Previously, that would have made golink read-only for non-Tailscale users. This change would make it read-write (for new links). Users desiring the old behavior would need to make their public-facing proxy only allow GET requests.
Fixes #60