Bug 125735 - Limit access to Action_RemoveView
Summary: Limit access to Action_RemoveView
Status: NEW
Alias: None
Product: LibreOffice Online
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
unspecified
Hardware: All All
: medium enhancement
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-06 10:01 UTC by Julius Härtl
Modified: 2019-06-07 21:52 UTC (History)
4 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Julius Härtl 2019-06-06 10:01:23 UTC 
The Action_RemoveView post message is currently available for all sessions. I think it would make sense to enforce possible access limitations to sessions, so that e.g. guest users / read only users cannot remove others from the editing document.

I could not find anything related in the WOPI specs, so I would propose
we add a custom entry to the CheckFileInfo:

UserCanModerate:
    A Boolean value that indicates that the user has permission to
remove other users from the editing session
Comment 1 Aron Budea 2019-06-07 21:52:25 UTC 
This has been discussed, thanks for filing it, Julius!