Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature Request: Make it possible to set a password for guests #494

Open
miterion opened this issue Jun 21, 2017 · 26 comments
Open

Feature Request: Make it possible to set a password for guests #494

miterion opened this issue Jun 21, 2017 · 26 comments
Labels
docs Releated to new or missing documentation feature Wants to add a new feature Hacktoberfest

Comments

@miterion
Copy link

We currently use etherpad with a custom pad manager so we can set a password to view/edit a pad. This way the links can be shared and not be edited by anyone. Would it be possible to add this to hackmd?

@SISheogorath SISheogorath added docs Releated to new or missing documentation question You asked us something. We try to find the answer labels Oct 6, 2017
@SISheogorath
Copy link
Contributor

SISheogorath commented Oct 6, 2017

You can use the usual auth integrations + permission.

Set it to limited and only users that are able to authenticate to a pad, can edit or see it.

And sorry for the late response, we currently revisit all issues.

@SISheogorath SISheogorath added the feature Wants to add a new feature label Oct 6, 2017
@SISheogorath
Copy link
Contributor

Interesting idea:

You can set one password for a pad in the permission section and everyone who would find a 403 right now, like Guest when a note is marked as "Limited", "Protected" or "Private" or users in case of a "Private" one, will be prompted for the password. And additional checkbox, besides the password field should toggle write access to for these users.

It's a very basic feature, but should be enough.

@miterion
Copy link
Author

This would be very cool, would love to see this implemented or implement it myself

@SISheogorath
Copy link
Contributor

SISheogorath commented Oct 11, 2017

We would very welcome a PR ❤️. Can't say when I'll get into this.

Feel free to ask if you have questions 😄

Meet us in our Gitter-Space: Join the chat at https://gitter.im/hackmdio/hackmd

@SISheogorath
Copy link
Contributor

From a UI perspective I did some experiments:

Note implementation

With label at the bottom:

image


Without at the bottom:

image


With label but over the deletion in between:

image


Without label but over the deletion in between:

image


403-page implementation

screen shot 2017-10-14 at 22 43 47-fullpage


Right now, I didn't do any server-side implementation. So there is no branch for testing right now. I wonder what is preferred.

Any additional/alternative ideas?

@miterion
Copy link
Author

I would add a submit button to the 403 page, since many people would expect this.

@ccoenen
Copy link
Contributor

ccoenen commented Oct 14, 2017

regarding the different variants: I believe "note password" alone is not enough, it needs the extra label. Especially when something is already entered and the hint inside the input is no longer visible.

Also, input and label needs some margins left and right.

@SISheogorath
Copy link
Contributor

SISheogorath commented Oct 14, 2017

Is this better?

image


image


403 with button

screen shot 2017-10-15 at 00 32 20-fullpage


For people who want to develop the backend part:
https://github.com/SISheogorath/hackmd/tree/feature/guestPassword

Also an interesting question: Should the password be visible or not? Includes the question: do we store the password for the note as a real secret (hashed password) or as plaintext password

@SISheogorath SISheogorath removed the question You asked us something. We try to find the answer label Oct 14, 2017
@miterion
Copy link
Author

I have a few questions regarding the backend implementation:

Would love some feedback on these questions

@SISheogorath
Copy link
Contributor

It's actually a good question how to store or save the password during this time. I didn't really think about that right now.

In general, we should do this by passport as every other auth before.

https://github.com/antgraf/passport-localapikey <-- seems to be good and maintained

Our note password would be the API key in this case. Means, we need to implement the authentication strategy but not for the usual user accounts. This answers your question where to send the password. The usual /auth/<something> URL. I guess /auth/api would be fine.

I'm not sure if this works, but that's my idea for now.

@miterion
Copy link
Author

miterion commented Oct 17, 2017

I had an idea on how to make this without another authentication mechanism:

When a user sends the correct password for a note to the auth system the note id could be saved in the users session (when the password is correct). This way, the system only has to check whether the requested note id is in this session variable and grant/deny access to it.

Could this be done or are there problems with saving this into the session variable?

@SISheogorath
Copy link
Contributor

Sounds fine, too. Can you provide some example code? I'm not completely sure how the implementation looks like, feel free to surprise me ^^

@SISheogorath
Copy link
Contributor

If you can make it to land a PR until end of next week I'll review and merge it to 1.0.0-CE. Otherwise this Feature goes for next release

@miterion
Copy link
Author

miterion commented Dec 7, 2017

Please push it back to a later release, have a lot assignements at university right now

@SISheogorath SISheogorath added this to the Next release milestone Dec 7, 2017
@SISheogorath
Copy link
Contributor

@miterion hey, how is it going? Still interested in doing this?

@miterion
Copy link
Author

miterion commented Mar 9, 2018

@SISheogorath I do not think that I am able to work on this currently. If someone else wants to do it I would be really happy

@ccoenen
Copy link
Contributor

ccoenen commented Sep 5, 2018

I feel this is also related to #138, perhaps this is a way to have some notes encrypted?

@Yukaii Yukaii removed this from the 1.4.0 Release milestone Oct 5, 2019
@mgoldau
Copy link

mgoldau commented Apr 22, 2020

Hi, are there any update on this feature, to protect certain pads by password? By the way, the current permissions, are mostly concerning edit permissions, only "private" states that only myself can view the pad. However the usecase for me is that I want to have a private pad, where only users with the password can view and edit, regardless if they authenticated/logged in or not. As I am using the service in a mass-installation (gwdg), I don't want to share some sensitive pads with the whole community.

@mz83ude
Copy link

mz83ude commented Apr 30, 2020

Hi, are there any update on this feature, to protect certain pads by password? By the way, the current permissions, are mostly concerning edit permissions, only "private" states that only myself can view the pad. However the usecase for me is that I want to have a private pad, where only users with the password can view and edit, regardless if they authenticated/logged in or not. As I am using the service in a mass-installation (gwdg), I don't want to share some sensitive pads with the whole community.

Absolutely agree with the suggestion!

This is a necessary feature, especially in large installations (k-range).

@janit42
Copy link

janit42 commented Apr 30, 2020

+1

@alexpovel
Copy link

Also expressing interest in this.

@VaalaCat
Copy link

VaalaCat commented Nov 4, 2020

This feature is really necessary for me

@asakura42
Copy link

+1

2 similar comments
@jmsjsph
Copy link

jmsjsph commented Dec 23, 2021

+1

@zubair1024
Copy link

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs Releated to new or missing documentation feature Wants to add a new feature Hacktoberfest
Projects
None yet
Development

No branches or pull requests