add token to LinkAccessedEvent #6554
Signed-off-by: Christian Richter <crichter@owncloud.com>
03e2958 to 14a66a9
Signed-off-by: Christian Richter <crichter@owncloud.com>
e33b984 to 6d9ad6f
Kudos, SonarCloud Quality Gate passed!
Code looks good. Just blocking until above comment is resolved
The public link token is part of the URL and will already show up in access logs anyway. So, I understand your concern, but I don't see a decrease in security. If users don't want their public links to be accessed ... set a password.

IMO we should not log the token at all. And already having a security issue doesn't mean we should open another one. I also don't see the point in having the token logged. What is the admin supposed to do with that information? They would need to know whose link it is to be able to do any action.

Seeing tokens in the access log is not a security issue per se, works as designed...

Not so sure about that, smells like a bug to me. Anyways the access log is not part of this PR. So we should leave that out of the discussion. Logging the access tokens in one place doesn't make it better to log them in another.

I wouldn't say this is a But I agree. We need a product decision. /cc @micbar

From my POV, this is not critical. We need to remember that "Public Links" are designed to be "public".

@micbar so shall we merge this now?

Yes.
…it-public_link_token_in_event add token to LinkAccessedEvent
We added the link token to the LinkAccessedEvent
refs #3753
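
For readers weighing the logging concern raised in this thread, here is an added example (not code from this PR or from the project) of recording a keyed fingerprint of a public link token instead of the token itself, so that accesses to the same link can still be correlated. The function names, the `/s/<token>` path layout, the key and the sample token are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// TokenRef returns a short keyed fingerprint of a public link token.
// The same token always maps to the same reference, so accesses to one link
// can be correlated, but the reference cannot be used to open the link.
func TokenRef(key []byte, token string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(token))
	return "ref:" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// RedactPath replaces each path segment equal to token with its fingerprint.
// An empty token leaves the path unchanged.
func RedactPath(key []byte, path, token string) string {
	if token == "" {
		return path
	}
	segs := strings.Split(path, "/")
	for i, s := range segs {
		if s == token {
			segs[i] = TokenRef(key, token)
		}
	}
	return strings.Join(segs, "/")
}

func main() {
	key := []byte("constructed-demo-key") // assumption: a server-side secret kept out of the logs
	token := "AbCdEfGhIjKlMnO"            // constructed sample token
	// Assumption: the token appears as one path segment of the request URL.
	fmt.Println(RedactPath(key, "/s/"+token+"/download", token))
	fmt.Println(TokenRef(key, token))
}
```

Whoever holds the key can recompute the reference for a known token and match it against stored records.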