@Erica, it would be great if Dynalist could let shared users view files as well.
It shouldn't be too bad for the server to determine if the authenticated user has access to the files (this is the implicit case since the user shared the document), then return the 307 to the signed S3 bucket path, like how it does for the original owner of the file.
The file request header/payload already includes:
- the file id
- the shared user's auth token/cookie
- the referer (which doc is currently being viewed)
This should be enough information to allow access to the dynalist file within the document.
I don't know anything about how Dynalist is built, but just as a thought experiment… The browser makes a request for GET https://dynalist.io/u/random_file_id from a shared doc. The server URL handler would prob need to be changed to something like: (I'm prob missing some edge cases)

    request.handle("/u/{fileID}", handler(request) {
        user = request.user
        fileID = request.getFileId()
        file = db.getFileByID(fileID)
        // the referer says which doc is currently being viewed
        documentID = request.headers.referer.getDocumentID()
        document = db.getDocumentByID(documentID)
        // document.sharedUsers = [ownerID, sharedUserID1, sharedUserID2, etc]

        // public files and the owner's own files
        if (file.isPublic || file.owner == user) {
            return 307, file.getSignedS3Path()
        }
        // shared case: requester and file owner are both on the document
        if (user in document.sharedUsers && file.owner in document.sharedUsers) {
            return 307, file.getSignedS3Path()
        }
        return 401, "unauthorized"
    });
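
An added example, not part of the original post and not Dynalist's code: the same decision as a runnable function, with one extra server-side check because the Referer is supplied by the client and can only serve as a hint for which document to look up. The in-memory data, the `fileIDs` list per document, the `/d/<documentID>` URL shape and the helper names are assumptions made for illustration.

```javascript
// Constructed in-memory data standing in for the database; every id is made up.
const files = new Map([
  ["f1", { owner: "alice", isPublic: false }], // embedded in shared doc d1
  ["f2", { owner: "alice", isPublic: false }], // alice's file, not in any shared doc
  ["f3", { owner: "bob", isPublic: true }],
]);
const documents = new Map([
  ["d1", { sharedUsers: ["alice", "carol"], fileIDs: ["f1"] }],
]);

// Hypothetical stand-in for file.getSignedS3Path() in the post.
const signedS3Path = (fileID) =>
  `https://bucket.example.invalid/${fileID}?signature=PLACEHOLDER`;

// The Referer is sent by the client, so it is only a hint for which document
// to look up. Assumed URL shape: https://dynalist.io/d/<documentID>.
function documentIDFromReferer(referer) {
  try {
    const url = new URL(referer);
    if (url.origin !== "https://dynalist.io") return null;
    const match = url.pathname.match(/^\/d\/([A-Za-z0-9_-]+)$/);
    return match ? match[1] : null;
  } catch {
    return null; // missing or malformed header
  }
}

function authorizeFile(userID, fileID, referer) {
  const denied = { status: 401, body: "unauthorized" };
  const file = files.get(fileID);
  if (!file) return denied; // same answer as "no access", so ids are not confirmed
  const redirect = { status: 307, location: signedS3Path(fileID) };
  if (file.isPublic || (userID && file.owner === userID)) return redirect;

  const doc = documents.get(documentIDFromReferer(referer));
  const allowed =
    Boolean(userID && doc) &&
    doc.sharedUsers.includes(userID) &&     // requester is on the document
    doc.sharedUsers.includes(file.owner) && // file owner is on the document
    doc.fileIDs.includes(fileID);           // document really embeds this file
  return allowed ? redirect : denied;
}
```

Without the last condition, a shared user could name any document they share with the owner in the Referer and be redirected to any of the owner's files; with it, access is limited to files the shared document actually contains.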