Permalink to file resource

feature-request

#1

I would like to be able to use OC as an ad-hoc object repository allowing other services to link directly to
the file resources being stored. Currently, files that are shared provide links that load the OC interface.
I would like to generate a link to the file itself, which could be used to, for example, insert into an <img url="http://oc.mysite.com/permahash?93nd939kdw02f"> tag or otherwise.
For files that are shared publicly, the permalink would load the resource, e.g. http://oc.mysite.com/permahash?93nd939kdw02f.
For a file that is shared internally, the user must include their API Key to authenticate access, e.g. http://oc.mysite.com/permahash?93nd939kdw02f&key=93098230j3jonaskldn23909320.

Has such a feature been requested before?


#2

What shall happen instead of the ownCloud UI? Download - that we have, just add /download at the end of the link you currently get from the API. What we struggle with is to create something which uses the public link for people who are not users, but the internal link for those who are ...
In any case the authentication is not part of the link today. Please look into the current APIs to generate the public and permanent links (currently called local link) and then open an issue in github for /core if thats not working for you and why ...


#3

But embedding a file shared from ownCloud won't work due to its security implications (e.g. Cross-Site Scripting).

Ref:


#4

Hm, I am sure there is a way if its needed. Seems at the very end of this issue a solution is actually provided, ok using curl ... but something ... :wink:
Please @ted.strauss tell us a little bit more about what exactly you need and if the above already works. Seems embeeded links need to have like .jpg at the end but thats not you seem to ask for in the first place ...


#5

Not even that according to a post at the linked issue:

Nope. We always send a header to mark this as download and not as inline view. There are security problems with this, because then you can share a JS file and use this to inject code, because it is from the same domain. We would need to have a separat (sub-) domain to get the shares from.

-> https://github.com/owncloud/core/issues/16470#issuecomment-155356185


#6

Thanks all. I'm trying out some of these approaches for my use case, and will come back with an update soon. Being able to import a file to another web-app using a url is a pretty common scenario these days, so i'll test out if /download works for my case.

But having the security layer is kind of important... being able to authenticate via URL with an API key would be useful in a number of ways. But after searching it appears that there is no API key feature implemented in OC. So that would be a separate feature request.

If API keys haven't been implemented yet, I'm guessing there was a security issue or design decision made about that.


#7

The API we have is WebDAV for that we also have authentication of course. Maybe that fits your use case.


#8

But I think that would require putting plaintext password in the URL, which wouldn't be good. An API key extension could provide configurable access to resources based on user's shares, independent of the password, that would make files accessible to a HTTP(S) request.

I think this is a key feature of an object store, like Amazon S3 or OpenStack Swift.


#9

Ok, checked with my engineers:
For public link shares: no - not possible at this time ...
For regular endpoints that support a user's password, the user can create an application token in the personal page to use as an alternative password. But not recommended for embedding because the token gives full access to the OC instance
10.0 will provide guest users, which might be jailed enough for you for the above.

There is also a first implementation of oAuth2 which might or might not fullfil your needs.