The portal had no login enforcement, allowing unauthenticated users to access the dashboard and all portal pages directly without logging in. I’ve added some extra code to install-libreworkspace.sh to create a middleware file and register it in settings.py via sed.
There are some exceptions to allow functionality to the portal:
welcome - Setup wizard must be reachable before setup is complete
idm - Login page and user management
static - assets
API - REST API uses API key authentication — Linux client sync and automation would break
openid - OIDC flows are server-to-server with no browser session — Nextcloud SSO would break
media - Uploaded media files
robots.txt - Crawlers must be able to read the Disallow: / rule
I’ve only tested it by packaging it into an ISO and running it locally, so I would appreciate it if anyone else is able to see if the code works in their environment. This is a workaround; I think the .deb installer is just missing the implementation of it.
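An added illustration of the kind of middleware the post above describes (not the poster's code and not part of Libre Workspace): a login gate with an exemption list that matches on whole path segments. The URL prefixes and the login route are assumptions derived from the exception names in the post, and the class only mimics Django's middleware shape so it runs without Django installed.

```python
from posixpath import normpath

# Assumed URL prefixes for the exceptions named in the post (hypothetical values).
EXEMPT_PREFIXES = ("/welcome", "/idm", "/static", "/api", "/openid", "/media")
EXEMPT_EXACT = ("/robots.txt",)
LOGIN_URL = "/idm/login"  # hypothetical login route


def is_exempt(path):
    """Return True only if the path falls under an exempt prefix."""
    # Collapse "..", "." and repeated slashes first, so a request for
    # "/static/../dashboard" is judged as "/dashboard".
    clean = normpath("/" + path.lstrip("/"))
    if clean in EXEMPT_EXACT:
        return True
    # Match on a segment boundary: "/api" and "/api/..." are exempt,
    # "/apiary" is not, which a bare startswith("/api") would let through.
    return any(clean == p or clean.startswith(p + "/") for p in EXEMPT_PREFIXES)


class LoginRequiredMiddleware:
    """Django-style middleware: redirect anonymous requests to the login page.

    In a Django project this must be listed after AuthenticationMiddleware,
    because that is what sets request.user. Exempt paths skip only the session
    check here; the API and OIDC views still enforce their own authentication.
    """

    def __init__(self, get_response, redirect=lambda url: (302, url)):
        self.get_response = get_response
        # Stand-in response factory; in Django this would be HttpResponseRedirect.
        self.redirect = redirect

    def __call__(self, request):
        user = getattr(request, "user", None)
        # A missing user attribute is treated as anonymous (fail closed).
        if is_exempt(request.path) or getattr(user, "is_authenticated", False):
            return self.get_response(request)
        return self.redirect(LOGIN_URL)
```
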
Very cool, thanks for your addition!
Could be a nice idea to prevent even loading the portal without logging in.
Just for your note: When you edit the Dashboard entries, there is an option to do exactly that: Display the entry only to logged in users in specific groups. This might help without doing your workaround, though I like your approach to insert this directly as a middleware.
Oh, I actually wasn’t aware of that option so that’s really useful to know! Though I think the middleware and dashboard visibility work nicely together rather than replacing each other.
The dashboard visibility, if I understood correctly, acts more like a role based feature that controls what users can see after they have already logged in. What I was trying to do with the middleware works a level below that. It stops unauthenticated users from accessing any URL directly, even if they skip the dashboard entirely and just type a portal URL into their browser.
TLDR: together they cover both bases. The middleware keeps unauthenticated users out, and the dashboard visibility controls what authenticated users can access. Hope that makes sense and thanks for the response!
On the dashboard visibility, could there be a simpler way to control what a user can see? For example a checkbox next to each app during account creation or user administration would feel more intuitive. I can see how the current numbering system works well for creating preset group roles to assign to users, but a simpler checkbox approach might be easier for day to day user management.
You will need then a checkbox for every single group at addon creation?
That doesn't seem intuitive to me
But maybe a multi select dropdown could be helpful at some time.
Thanks for your feedback!