OnlyOffice Secret

The link above does not provide security. As mentioned previously, without a token a user can escalate the read session to a write session and modify documents they only have read access to. Also, applying a firewall is only helpful if all your users are on a limited number of networks.

Hey odontomachus,
I have to disagree. I am the author of the blog post and I can confirm that the mentioned ipfilter does prevent the abuse of your onlyoffice installation from another server.

Here is my setup I tested:

Server 1 with seafile, nginx and onlyoffice. Onlyoffice is accessible via https://cloud.example.com/onlyoffice
Server 2 is another server anywhere on the internet with seafile. Without the ipfilter it is possible to add the following to seahub_settings.py:

```python
# Enable Only Office
ENABLE_ONLYOFFICE = True
...
ONLYOFFICE_APIJS_URL = 'https://cloud.example.com/onlyoffice/web-apps/apps/api/documents/api.js'
...
```

To prevent anybody else from abusing your onlyoffice instance, it is sufficient to add the mentioned ipfilter for “cloud.example.com” to the onlyoffice config file.

As soon as there is an ipfilter, another seafile instance will show the following error if an office document is opened:

I totally agree that this is not sufficient and does not tackle the other security aspects you mentioned.

Best regards
Christoph


Never ending story :weary:

Having the same problem at my end.

I had already integrated an onlyoffice server in another cloud service with the JWT_SECRET parameter enabled, but since there is no possibility to define the JWT_SECRET parameter inside seahub_settings.py, I had to disable the secret key on the onlyoffice docker and restrict it to those domains which access the onlyoffice docker server. That is actually the only workaround for restricted use of onlyoffice, but it is difficult to maintain after every onlyoffice docker update, even if we can apply the following volume workaround. This mounted volume workaround could be broken by new parameters inside /etc/onlyoffice/documentserver/default.json. Let’s see how long this WA works at my end…

An implementation of a JWT_SECRET key in Seafile is the only reliable solution.

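The escalation odontomachus describes in the first post (a read session turned into a write session by editing the editor config in the browser) and the JWT secret the later posts ask for, as an added example that is not part of this thread and is not Seafile's or OnlyOffice's own code. It signs an OnlyOffice editor config with an HS256 JWT using only the Python standard library and then checks it the way a document server with token verification enabled does: the permissions that count are the ones inside the verified token, not the plain JSON the browser sends. The config layout (`document.permissions.edit`, the `token` field) follows the OnlyOffice editor API; the secret value, the URLs and document key, and the setting name `ONLYOFFICE_JWT_SECRET` mentioned in the comments are assumptions for the example.

```python
"""Added example, not code from this thread, Seafile or OnlyOffice:
an HS256-signed OnlyOffice editor config, checked the way a document
server with token verification enabled would check it."""
import base64
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example. In a real deployment the same value goes
# into the document server's local.json (services.CoAuthoring.secret.*) and,
# from Seafile 7.1.3 on, into seahub_settings.py (assumed name: ONLYOFFICE_JWT_SECRET).
SHARED_SECRET = "replace-with-a-long-random-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_config(config: dict, secret: str) -> str:
    """Compact JWS (HS256) over the config; Seahub puts this into config["token"]."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(config, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: str) -> Optional[dict]:
    """Document-server side: the signed claims, or None if the token is invalid."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # no "none" tricks
            return None
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        return None


def build_read_only_config(doc_url: str, doc_key: str, secret: str) -> dict:
    """What Seahub hands to api.js for a user who only has read access (constructed sample)."""
    config = {
        "document": {
            "fileType": "docx",
            "key": doc_key,
            "url": doc_url,
            "permissions": {"edit": False, "download": True},
        },
        "documentType": "word",
        "editorConfig": {"mode": "view",
                         "callbackUrl": "https://seafile.example.com/onlyoffice/editor-callback/"},
    }
    config["token"] = sign_config(config, secret)  # signed before the token is attached
    return config


def attacker_flips_edit(config: dict) -> dict:
    """Browser-side tampering: set edit=true in the plain config, keep the old token."""
    evil = copy.deepcopy(config)
    evil["document"]["permissions"]["edit"] = True
    return evil


def attacker_flips_and_resigns(config: dict, guessed_secret: str) -> dict:
    """Same, but re-sign with a guessed secret (only works if the real secret leaked)."""
    evil = attacker_flips_edit(config)
    del evil["token"]
    evil["token"] = sign_config(evil, guessed_secret)
    return evil


def permissions_without_token(config: dict) -> dict:
    """Document server with no secret configured: trusts whatever the browser sent."""
    return config["document"]["permissions"]


def permissions_with_token(config: dict, secret: str) -> Optional[dict]:
    """Document server with a secret: acts only on the verified claims."""
    claims = verify_token(config.get("token", ""), secret)
    return None if claims is None else claims["document"]["permissions"]
```

With no secret, `permissions_without_token` on the tampered config reports `edit: True`, which is the read-to-write escalation from the first post; with a secret, the tampered config still yields `edit: False` because the server reads the signed claims, and a re-signed config with the wrong secret is rejected outright. The ipfilter from the blog post limits which hosts may talk to the document server at all, but it cannot tell a legitimate user's browser from that same browser after the config has been edited, which is why the two controls address different problems.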

We will look into JWT Secret.


Hi Daniels,
Any news on the secret key?
Thanks

It is included in the latest release 7.1.3.