Unable to access Pasted Images in Shared Document

Johnny_Knox · October 5, 2018, 9:49pm

Steps to reproduce

Bot me and the other user is a Pro User of Dynalist. We have a shared file. I am Owner they are manager level access. If I paste a photo into the document I can see, but they cannot. If they paste a photo into the document they have access, but I cannot see.

Expected result

Ability to see shared photo since it is a shared document.

Actual result

When I hover image I get a message that says, “Aw Snap! This image failed to load” If I click on the link I’m taken to a page that says, “Access Denied You are not allowed to access this file”

Environment

Dynalist app on OSX

Additional information

Thao · October 5, 2018, 10:17am

This is a common issue with file sharing, @Johnny_Knox

You can read more about it from Is my data private?

To make image uploads visible to people whom you’ve shared with, simply check this box under [Dynalist Pro] in your settings:

The reason this option was implemented (and left unchecked by default) is that some people might not appreciate images appearing unsolicited. You can read more about this in our blog!

Johnny_Knox · October 9, 2018, 7:43am

@Thao Both myself and the other contributor have the button to Allow other to access via link checked yet we still are having the same problem. Any other steps I can take?

In the blog article you mentioned the settings page looks different and I’m assuming this is because it is an older UI.

However in the subtest it says, “this will only apply to new images, not past.” Is there a way I can change old images to make them public?

Thao · October 9, 2018, 10:20pm

Are you able to view new image uploads, though? After checking that box, will new images load for you and people you shared with?

Erica · October 11, 2018, 5:33am

Sorry you can’t. But after changing this option it won’t be an issue in the future.

Louis_Kirsch · January 18, 2019, 8:50am

I think it would be good if this option was turned on automatically for shared documents.

Jason_Ables · February 21, 2019, 12:03am

@Erica When you select “Allow others to access via link”, does that mean all future uploads across all documents will be shared, or just the documents that you’ve shared as public documents?

In other words, I’m hoping it’s not an all-or-nothing approach, as I would like to keep the majority of my uploads private if the document they are in is private, but the uploaded files should be public if the document they are in is public.

Would it be possible to add in a feature eventually that would allow us to convert all previously uploaded files in a public document to be public as well? I made several how-to guides for my team and then shared them, only to find out no one could see the images.

Thank you for making such a wonderful product! Dynalist is amazing!

Kerim · February 21, 2019, 4:38am

I had no idea this was possible. I was going to abandon trying to use Dynalist for shared documents because I thought the reason it wasn’t working was that everyone sharing a document had to have a pro membership. Turns out it was just a setting! I won’t argue with the decision to turn this off by default, but if you are going to stick with this decision you need to make it much clearer to users what is going on. Moreover, not having it work on existing uploads means that someone could easily spend an hour or two preparing an outline for sharing, with multiple attachments, and then when it doesn’t work and they end up here looking for a solution (assuming that unlike me they don’t just assume it isn’t possible)… only to find out they have to re-upload all their attachments! Surely there is a better way to handle this?

Kevin_Woo · November 23, 2020, 5:03am

@Erica, It would be great if Dynalist could let shared users view files as well.

It shouldn’t be too bad for the server to determine if the authenticated user has access to the files (this is the implicate case since the user shared the document), then return the 307 to the s3 signed s3 bucket path, like how it does for original owner of the file.

The file request header/payload already includes:

the file id
the shared user’s auth token/cookie
the referer (which doc is currently being viewed)

This should be enough information to allow access to the dynalist file within the document.

I don’t know anything about how Dynalist is built, but just as a thought experiment… The browser makes a request for GET https://dynalist.io/u/random_file_id from a shared doc. The server url handler would prob need to be changed to something like: (I’m prob some missing edge cases)

request.handle("/u/{fileID}", handler(request) {
  user = request.user

  fileID = request.getFileId()
  file = db.getFileByID(fileID)
  
  documentID = request.headers.referer.getDocumentID()
  document = db.getDocumentByID(documentID)
  
  // document.sharedUser = [ownerID, sharedUserID1, sharedUserID2, etc]

  if (file.isPublic || file.user = user) {
    return 307, file.getSignedS3Path()    
  } 

  if (user in document.sharedUsers && file.owner in document.sharedUsers) {
    return 307, file.getSignedS3Path()
  }

  return 401, "unauthorized"
});

Shida · January 3, 2021, 3:38am

Sorry for replying late here.

It’s a bit more complicated than that - Since file uploads don’t “belong” to a document, the best thing we can do is to check like what you did. The problem with this approach is that if you ever shared a public document, that can be used to view all your uploads (in theory).

In practice, since it’s highly unlikely anyone can stumble on your file ID, it shouldn’t be too much of a concern to just allow public access.