Share link doesn't work between spaces for logged in users

[kpontussvensson]

Version

Please provide your current version (can be found on the system page since v0.8.4)
Version: 1.0.3

Bug description

Me and my girlfriend and my brother and his family decided to split up our recipes into two separate spaces to not overcrowd eachother with recipes we are not interested in thinking we could just create a shareable link for recipes that we want to share.

Recently we noticed that we can't access a shared recipe while being logged in to a user that doesn't have access to the space where the recipe is in. We can see the recipe however if we log out.

We'd hoped that we could share recipes between eachother inside Tandoor and be able to save it to our own space either with the import feature or just by some built in feature. But as I stated above it turned out we can't even see the shared recipe while being logged in.

How to reproduce

1. Create a User A with access to only Space A
2. Create a User B with access to only Space B
3. Create a recipe in Space A and create a shareable link to the recipe
4. Try to access the shared recipe link while being logged on to User B

[vabene1111]

ok i can definitely see this happening, not sure how easy it is to fix this but we will see. Also just to let you know it is 100% planned to add the ability to be part of multiple spaces and see recipes of other spaces within your own (probably with a filter).

i will look into this, thanks for reporting

[HarHarLinks]

Not being able to view a publicly shared recipe because you're not supposed to based on your space is really annoying :(

[vabene1111]

I know, having about a thousand things to do at work and in tandoor that prevent me from working on this issue too, but not much I can do about it.

Will work on this as soon as possible.

[vabene1111]

ok so finally got to looking at this. sadly its not as easy as i tough. Since i lack the time to finish this now i am writing down what needs to be done next time:

The share function needs to purposly disable some security measures because share bypasses all normal mechanisms, this needs to be implemented on the middleware level to exempt this particular function from the normal space wrapper.

the middleware needs a filter to only let detail request of the recipe api trough

            if request.path.startswith(prefix + '/api/recipe/') and re.match(r'.*api/recipe/[1-9]+\d*/\?share=.*', request.path):
                return self.get_response(request)

after that the scoped dimension needs to be added to the api function in api.py

[smilerz]

@vabene1111 did you fix this? I thought so, but I don't do space sharing to test.

[vabene1111]

no this is likely not yet fixed sadly 😕