On Saturday 23 November 2013 20:23 CET, Yuri D'Elia <[email protected]> wrote:
> On 11/23/2013 01:52 AM, Daniel Berteaud wrote:
> > Multi downloads/uploads for tickets and grants is probably better to
> > have first, but here's an idea for an interesting feature: external
> > users could ask for a grant themselves.
> >
> > Here's how I see it: for each user registered, dl creates a special
> > URL (maybe using a hash of the login of some form). This link could
> > be added in email signature (To send me a file, click on this link).
> > This page would present a form where the (external, unauthenticated)
> > user should prove it's a human (email verification, or captcha for
> > example), and if the user passed the test, he could access the upload
> > form. The corresponding registered user would then be notified
> > exactly the same way grants are handled.
>
> I like the idea in general.
>
> > Of course this could have security implications, so should be:
> >
> > - optional
> > - file check should be performed (AV, mime type
> >   black/white list)
> > - internal users should receive the email/name of
> >   who sent the file
>
> Identification is the hard part. If you have just a fixed URL, there's
> not much you can do to prevent anybody sending you a file.
>
> > Just an idea, but for my use, this would really be great.
>
> This got me thinking.
>
> What if "DL for thunderbird" generated automatically grant for every
> email you sent and put the link in the signature like you said?

Using DL for Thunderbird would have pros and cons. Main problem I see: it would restrict this feature to TB users.

> When creating the grant, I can automatically assign the identity in some
> other field, so you can track from whom the file was sent. I can also
> tag the grant differently, such as "automatically created" so that it
> doesn't clutter the grant list and/or has different/shorter expiration
> settings.

This adds another problem: how to handle multi-recipient emails?

What about this workflow:

- DL generates a unique, fixed URL per internal user
- When an unauthenticated user goes to this URL, he's asked for an email and a captcha (no upload form yet)
- If the captcha is OK, DL sends an email to the address provided with a link to the grant just created (so this proves that the user entered his email address): this form lets him upload the file
- The corresponding internal user receives a notification: You just received a file from <email address>. If you trust him/her click here to download the file, else, you can click here to delete it

The delete page could also show a box "Check this to ban this email address" so users could blacklist email addresses.

What do you think about this?

-- 
Daniel Berteaud
FIREWALL-SERVICES SARL.
Société de Services en Logiciels Libres
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Web : http://www.firewall-services.com
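
The email-verification step of the workflow proposed in this message, as an added sketch that is not part of the original message and is not DL's own code. It assumes a per-installation secret (`SERVER_KEY`), a one-hour link lifetime (`TOKEN_TTL`) and hypothetical function names; the per-user URL is derived with a keyed MAC rather than a bare hash of the login, and the mailed link is bound to one internal user and one sender address.

```python
import base64, hashlib, hmac, time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-installation secret, kept server-side
TOKEN_TTL = 3600                      # assumption: mailed link is valid for one hour

def _mac(*parts):
    # Length-prefix every part so ("ab", "c") and ("a", "bc") give different MACs.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def user_slug(login):
    """Fixed per-user URL component; keyed, so it cannot be computed from the login alone."""
    return _mac("slug", login)[:22]

def issue_upload_token(login, sender_email, now=None):
    """Token placed in the link mailed to the address typed after the captcha passed."""
    now = time.time() if now is None else now
    email = sender_email.strip().lower()
    expires = str(int(now + TOKEN_TTL))
    b64mail = base64.urlsafe_b64encode(email.encode()).decode()
    return ".".join([b64mail, expires, _mac("upload", login, email, expires)])

def verify_upload_token(login, token, banned=frozenset(), now=None):
    """Return the verified sender address, or None if the upload form must not be shown."""
    now = time.time() if now is None else now
    try:
        b64mail, expires, mac = token.split(".")
        email = base64.urlsafe_b64decode(b64mail.encode()).decode()
        deadline = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = _mac("upload", login, email, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged, altered, or issued for another internal user
    if now > deadline or email in banned:
        return None  # expired link, or address on the recipient's ban list
    return email
```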
