however need only changing in the owners files, as there is only one copy of
these.
+Publicly shared files (public links)
+------------------------------------
+
+Files shared via public links use a separate system user account called 'ownCloud'. All public files are shared to that user's public key, and the private key is used to access the files when the public link is used in browser.
+
+This means that files shared via public links are accessible only to users who know the shared URL, or to admins who know the 'ownCloud' user password.
+
+Lost password recovery
+----------------------
+
+In order to enable users to read their encrypted files in the event of a password loss/reset scenario, administrators can choose to enable a 'recoveryAdmin' account. This is a user that all user files will automatically be shared to of the option is enabled. This allows the recoveryAdmin user to generate new keyfiles for the user. By default the UID of the recoveryAdmin is 'recoveryAdmin'.
+
Notes
-----
\r
// Manually initialise Filesystem{} singleton with correct \r
// fake root path, in order to avoid fatal webdav errors\r
- \OC\Files\Filesystem::init( $params['uid'] . '/' . 'files' . '/' );\r
+ \OC\Files\Filesystem::init( $params['uid'], '/' . 'files' . '/' );\r
\r
$view = new \OC_FilesystemView( '/' );\r
\r
$util = new Util( $view, $userId );\r
$path = $util->fileIdToPath( $params['itemSource'] );\r
\r
- $usersSharing = \OCP\Share::getUsersSharingFile( $path, true );\r
+ // Note: this currently doesn't include the owner due to \OC\Files\Filesystem::getOwner()\r
+ $usersSharing = $util->getUsersSharingFile( $path );\r
\r
// Recursively expand path to include subfiles\r
$allPaths = $util->getPaths( $path );\r
$(document).ready(function(){
+ // Trigger ajax on filetype blacklist change
$('#encryption_blacklist').multiSelect({
oncheck:blackListChange,
onuncheck:blackListChange,
createText:'...'
});
+ // Trigger ajax on recoveryAdmin status change
+ $( 'input:radio[name="adminEnableRecovery"]' ).change(
+ function() {
+ $.post(
+ '../ajax/adminrecovery.php'
+ , $( this ).val()
+ , function( data ) {
+ // TODO: provide user with feedback of outcome
+ }
+ );
+ }
+ );
+
function blackListChange(){
var blackList=$('#encryption_blacklist').val().join(',');
OC.AppConfig.setValue('files_encryption','type_blacklist',blackList);
$result = true;
}
- if ( !result ) {
+ if ( ! $result ) {
+
\OC_Log::write( 'Encryption library', 'Could not delete shareKey; does not exist: "' . $shareKeyPath, \OC_Log::ERROR );
+
}
\OC_FileProxy::$enabled = false;
if ( \OCP\Share::isEnabled() ) {
// Find out who, if anyone, is sharing the file
- $shareUids = \OCP\Share::getUsersSharingFile( $filePath, true );
+ $shareUids = \OCP\Share::getUsersSharingFile( $filePath, true, true, true );
$userIds = array_merge( $userIds, $shareUids );
if ( ! is_resource( $this->handle ) ) {
- \OCP\Util::writeLog( 'files_encryption', 'failed to open file "'.$this->rootView . '"', \OCP\Util::ERROR );
+ \OCP\Util::writeLog( 'files_encryption', 'failed to open file "' . $this->relPath . '"', \OCP\Util::ERROR );
} else {
/**
* @brief Filter an array of UIDs to return only ones ready for sharing
* @param array $unfilteredUsers users to be checked for sharing readiness
- * @return array $userIds filtered users
+ * @return multi-dimensional array. keys: ready, unready
*/
public function filterShareReadyUsers( $unfilteredUsers ) {
foreach ( $unfilteredUsers as $user ) {
$util = new Util( $this->view, $user );
+
+ $readyIds = $unreadyIds = array();
// Check that the user is encryption capable, or is the
// public system user 'ownCloud' (for public shares)
or $user == 'ownCloud'
) {
- // Construct array of just UIDs for Keymanager{}
- $userIds[] = $user;
+ // Construct array of ready UIDs for Keymanager{}
+ $readyIds[] = $user;
} else {
-
+
+ // Construct array of unready UIDs for Keymanager{}
+ $unreadyIds[] = $user;
+
// Log warning; we can't do necessary setup here
// because we don't have the user passphrase
- // TODO: Provide user feedback indicating that
- // sharing failed
\OC_Log::write( 'Encryption library', '"'.$user.'" is not setup for encryption', \OC_Log::WARN );
}
}
- return $userIds;
+ return array (
+ 'ready' => $userIds
+ , 'unready' => $unreadyIds
+ );
}
// Make sure users are capable of sharing
$filteredUids = $this->filterShareReadyUsers( $users );
+// trigger_error( print_r($filteredUids, 1) );
+
+ if ( ! empty( $filteredUids['unready'] ) ) {
+
+ // Notify user of unready userDir
+ // TODO: Move this out of here; it belongs somewhere else
+ \OCP\JSON::error();
+
+ }
+
// Get public keys for each user, ready for generating sharekeys
- $userPubKeys = Keymanager::getPublicKeys( $this->view, $filteredUids ); // TODO: check this includes the owner's public key
+ $userPubKeys = Keymanager::getPublicKeys( $this->view, $filteredUids['ready'] ); // TODO: check this includes the owner's public key
\OC_FileProxy::$enabled = false;
return true;
}
+
+ /**
+ * @brief Returns the users who are sharing a file, including the file owner
+ * @param $path Relative path of the file, like files/file.txt
+ * @return $users array of UIDs
+ * @note This wraps the OCP\Share method, but includes the owner even if
+ * the file isn't registered in sharing API
+ */
+ public function getUsersSharingFile( $path ) {
+
+ $users = \OCP\Share::getUsersSharingFile( $path, true, true );
+
+ // FIXME: this is returning empty :/
+ $owner = \OC\Files\Filesystem::getOwner( $path );
+
+// trigger_error( var_export( $owner, 1));
+
+ $users[] = $owner;
+
+ return array_unique( $users );
+
+ }
- /**
+ /**
* @brief get uid of the owners of the file and the path to the file
* @param $filename
* @return array
$blackList = explode( ',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', '' ) );
+// Check if an adminRecovery account is enabled for recovering files after lost pwd
+$view = new OC_FilesystemView( '' );
+$util = new \OCA\Encryption\Util( $view, \OCP\USER::getUser() );
+$recoveryEnabled = $util->recoveryEnabled();
+
$tmpl->assign( 'blacklist', $blackList );
$tmpl->assign( 'encryption_mode', \OC_Appconfig::getValue( 'files_encryption', 'mode', 'none' ) );
+$tmpl->assign( 'recoveryEnabled', $recoveryEnabled );
\OCP\Util::addscript( 'files_encryption', 'settings' );
\OCP\Util::addscript( 'core', 'multiselect' );
<p>
<strong><?php p($l->t( 'Encryption' )); ?></strong>
+ <br />
<?php p($l->t( "Exclude the following file types from encryption:" )); ?>
<br />
<?php endforeach;?>
</select>
</p>
+ <p>
+ <?php p($l->t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?>
+ <br />
+ <input
+ type='radio'
+ name='adminEnableRecovery'
+ value='1'
+ <?php echo ( $_["recoveryEnabled"] == 1 ? 'checked="checked"' : '' ); ?> />
+ <?php p($l->t( "Enabled" )); ?>
+ <br />
+
+ <input
+ type='radio'
+ name='adminEnableRecovery'
+ value='0'
+ <?php echo ( $_["recoveryEnabled"] == 0 ? 'checked="checked"' : '' ); ?> />
+ <?php p($l->t( "Disabled" )); ?>
+ </p>
</fieldset>
</form>
projects / nextcloud-server.git / commitdiff