Hi Matthew On Sun, Jan 13, 2019 at 10:26:36PM +0000, Matthew Wild wrote: > Hi JC, thanks for the patch! I think being able to identify the uploader > is essential for many services, so thanks for tackling this. > I don't have time for a full review right now, but a couple of things > would have me request that you hold off pushing this to the repo just yet. > I read the diff on my phone, and may be missing stuff, but it seems the q > (quota) parameter is not signed, so open to modification by the user > (probably not wanted).
Yes, Jonas pointed this out to me as well. I'll update accordingly. > Also, I see this modifies the existing v/v2 protocols.. is it 100% > backwards compatible? Even if it is right now, I don't think it will be if > we need to keep 'q' and sign it. This leads me to prefer a v3. Ok. Apparently you already have some thoughts wrt v3, right? I'll keep the changes in my own fork for now and see how things progress with v3. Regards JC > On Sun, 13 Jan 2019, 12:22 JC Brand <[1][email protected] wrote: > > Hi folks > > This patch for mod_http_upload_external does two things: > > 1. It adds a new config option `mod_http_upload_external_quota` which is > a number representing bytes. > > The quota is included as a "q" parameter in the URL of the PUT request > to the > external service. > > This allows the external service to enforce quotas, either globally or > per > user. > > 2. New config options `mod_http_upload_external_include_jid_hash` and > `mod_http_upload_external_jid_hash_salt` > > The first is a boolean which makes it possible to group files per > hashed/salted JID. > The second is the salt, so that only admins can figure out the hash for > a > particular JID. > > This option makes it possible to remove all files for a particular JID > (useful > for GDPR compliance) and also enables the external service to enforce > per-user > quotas. > > I've made a Pull Request to xmpp-http-upload.py to do just that. > [2]https://github.com/horazont/xmpp-http-upload/pull/9 > > --- > > Feedback and comments welcome. If no-one objects, I'll push to the > prosody-modules repo. > > Thanks > JC > > -- > You received this message because you are subscribed to the Google > Groups "prosody-dev" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [3][email protected]. > To post to this group, send email to [4][email protected]. > Visit this group at [5]https://groups.google.com/group/prosody-dev. > For more options, visit [6]https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "prosody-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [7][email protected]. > To post to this group, send email to [8][email protected]. > Visit this group at [9]https://groups.google.com/group/prosody-dev. > For more options, visit [10]https://groups.google.com/d/optout. > > References > > Visible links > 1. mailto:[email protected] > 2. https://github.com/horazont/xmpp-http-upload/pull/9 > 3. mailto:prosody-dev%[email protected] > 4. mailto:[email protected] > 5. https://groups.google.com/group/prosody-dev > 6. https://groups.google.com/d/optout > 7. mailto:[email protected] > 8. mailto:[email protected] > 9. https://groups.google.com/group/prosody-dev > 10. https://groups.google.com/d/optout -- You received this message because you are subscribed to the Google Groups "prosody-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/prosody-dev. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: PGP signature
