Shared links and privacy

Hi,

I think there is an issue about privacy in the way shared links are displayed in the admin interface.

If an admin can see all links shared by other users here:

https://seafile.domain.fr/sys/publinkadmin/

he can potentially access all files shared by others, such as:

https://seafile.domain.fr/f/[token] (also for /d/)

As there is an option in the seahub settings:

ENABLE_SYS_ADMIN_VIEW_REPO = False

I think that when this option is set to False it should also mask the tokens displayed in the sysadmin view, in order to prevent the admin from accessing all files shared by users.

This could be a bonus for GDPR compliance.

Regards,

Gautier

1 Like

Given that the admin can get the files anyway (get the tokens from db, get the tokens from delete action of the link, run fuse, copy library, …) I don’t think this would improve anything.

I don’t agree.

There are different kinds of admins: technical profile, management profile (seafile admin).
They may have different access rights (and abilities) to the files.

A seafile admin may not have access to the database nor SSH commands

ENABLE_SYS_ADMIN_VIEW_REPO is an option dedicated to seafile admins.

Then we should extend its scope to all information available from the admin view

That’s also why the Audit feature can be turned off.

Regards

Turning the audit feature off is not comparable as it stops collecting the data.

So basically what you ask for seems to be an option to disable the share link page (although the share link ids haven’t always been displayed, they were available all the time, since the page exists).

Btw: Admins can also use an API to transfer a library and one to delete a library - of any user of course.

You’re right: it’s not exactly comparable, but it exists because of privacy concerns.

Having the ability to delete a shared link is a security feature (if the files that are accessible must not be accessible anymore).
What I think about is a “mask” (or whatever can do the same) of the token. The token (and the delete link) could be accessible by a button.
As admins cannot see the data inside the libraries, they can transfer it to their own account. But it is done intentionally, in two steps, for security and management reasons.

I’m not skilled enough to use the API :wink:
But it is the same idea in admin view.

Well, I won’t argue for long: it was just an idea that came to my mind when I discovered the ability to access shared links this way (I’m a data protection officer in my university) :sunglasses:

1 Like
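To make the masking idea from the posts above concrete, here is an added example (not Seafile's own code, and not written by anyone in this thread) of how an admin share-link listing could honour ENABLE_SYS_ADMIN_VIEW_REPO: when the setting is False, the token is shown only as a short prefix, no clickable /f/ or /d/ URL is produced, and the delete action is keyed on a separate id so it does not reveal the token either. The ShareLink record shape, the numeric link id, the delete reference format and the sample tokens are all assumptions made for this illustration, not Seafile's data model or API.

```python
"""Added example, not Seafile's own code: one way an admin share-link listing
could honour ENABLE_SYS_ADMIN_VIEW_REPO by masking tokens when it is False.

Everything below is hypothetical: the ShareLink record shape, the numeric
link id used for deletion, the delete reference format and the mask format
are assumptions for this illustration, not Seafile's data model or API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Mirrors the seahub setting discussed in the thread; the value is chosen for the demo.
ENABLE_SYS_ADMIN_VIEW_REPO = False


@dataclass(frozen=True)
class ShareLink:
    link_id: int     # hypothetical internal id: safe to display and to key deletion on
    token: str       # the secret part of /f/<token>/ or /d/<token>/
    is_dir: bool     # True -> /d/ (directory) link, False -> /f/ (file) link
    owner: str
    path: str


# Constructed sample data; these tokens and users are made up for the example.
SAMPLE_LINKS: List[ShareLink] = [
    ShareLink(1, "a1b2c3d4e5f6g7h8", False, "alice@example.org", "/report.pdf"),
    ShareLink(2, "zz99yy88xx77", True, "bob@example.org", "/photos"),
    ShareLink(3, "ab", False, "carol@example.org", "/short.txt"),
]


def mask_token(token: str, visible: int = 4) -> str:
    """Keep a short prefix so an admin can still match a row against a user's
    report, while the rest of the token (what makes the URL usable) stays hidden.
    Very short tokens are masked completely."""
    if len(token) <= visible:
        return "*" * len(token)
    return token[:visible] + "*" * (len(token) - visible)


def admin_rows(links: List[ShareLink], sys_admin_view_repo: bool,
               base_url: str = "https://seafile.domain.fr") -> List[Dict[str, Optional[str]]]:
    """Build the rows an admin page would render.

    With sys_admin_view_repo=False the token is masked and no URL is built, so
    the listing no longer hands the admin a working share link. Deletion is
    keyed on link_id, so the delete action does not need the token either."""
    rows: List[Dict[str, Optional[str]]] = []
    for link in links:
        kind = "d" if link.is_dir else "f"
        if sys_admin_view_repo:
            shown, url = link.token, f"{base_url}/{kind}/{link.token}/"
        else:
            shown, url = mask_token(link.token), None
        rows.append({
            "owner": link.owner,
            "path": link.path,
            "kind": kind,
            "token": shown,
            "url": url,
            # Hypothetical delete reference; it carries the id, never the token.
            "delete_ref": f"delete?link_id={link.link_id}",
        })
    return rows


if __name__ == "__main__":
    for row in admin_rows(SAMPLE_LINKS, ENABLE_SYS_ADMIN_VIEW_REPO):
        print(row)
```

The design point is that the two things the thread wants to keep apart, "revoke this link" and "open this link", end up keyed on different values: revocation uses the id, access needs the token, and only the first one is visible by default.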

Just wanted to outline that only very responsible people should get admin access, and these should have strong passwords, or even better two-factor authentication.