Allow custom public share tokens for form links #3311
alexander-rebello wants to merge 8 commits into nextcloud:main from
Signed-off-by: Alexander Rebello <me@alexander-rebello.de>
Chartman123 left a comment
Added some review comments on the PHP part
| ### Update a Public Share Token | ||
|
|
||
| - Endpoint: `/api/v3/forms/{formId}/shares/{shareId}/token` | ||
| - Method: `PATCH` | ||
| - Url-Parameters: | ||
| | Parameter | Type | Description | | ||
| |-----------|---------|-------------| | ||
| | _formId_ | Integer | ID of the form containing the share | | ||
| | _shareId_ | Integer | ID of the public link share to update | | ||
| - Parameters: | ||
| | Parameter | Type | Description | | ||
| |-----------|---------|-------------| | ||
| | _token_ | String | New token for the public share link | | ||
| - Restrictions: | ||
| - Only available when the admin setting _allowCustomPublicShareTokens_ is enabled. | ||
| - Only link shares can be updated. | ||
| - Token must be unique among link shares and only contain alphanumeric characters. | ||
| - Token length must be between 8 and 256 characters. | ||
| - Response: **Status-Code OK**, as well as the id of the updated share. | ||
|
|
||
| ``` | ||
| "data": 5 | ||
| ``` | ||
|
|
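Review bot: The Restrictions list in this new section says what is rejected but not which status code each violation returns (setting disabled, share is not a link share, token already in use, token outside 8 to 256 alphanumeric characters), so API clients cannot tell the cases apart. Please add the error responses, and state that the previous URL stops resolving as soon as the token is changed, since callers that stored the old link need to know that. The section should also say that a short custom token is guessable in a way the random default token is not, so it is a poor fit for forms whose link is meant to stay private.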
I wouldn't add a new endpoint for that, please use the already existing update share endpoint
| #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] | ||
| class PageController extends Controller { | ||
| private const TEMPLATE_MAIN = 'main'; | ||
| private const PUBLIC_SHARE_HASH_REQUIREMENT = '[a-zA-Z0-9]{8,256}'; |
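Review bot: `PUBLIC_SHARE_HASH_REQUIREMENT` on the last line is `private` to `PageController`, so any code outside this class that enforces the 8 to 256 alphanumeric rule when a token is saved has to repeat the bounds. If the two copies drift, a token can be accepted on save but never match the `/s/{hash}` route, or the reverse. Define the pattern once in a shared location and add a test that a token at each bound (8 and 256 characters) is both accepted and routable. The name still says "hash" although the value can now be user-chosen; `TOKEN` would describe it better.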
Could this be moved to our central Constants.php file?
| #[NoCSRFRequired()] | ||
| #[PublicPage()] | ||
| #[FrontpageRoute(verb: 'GET', url: '/s/{hash}', requirements: ['hash' => '[a-zA-Z0-9]{24,}'])] | ||
| #[FrontpageRoute(verb: 'GET', url: '/s/{hash}', requirements: ['hash' => self::PUBLIC_SHARE_HASH_REQUIREMENT])] |
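Review bot: The replacement `requirements` on the last line lowers the minimum accepted length from 24 to 8 for every instance, whether or not the admin setting is enabled, and the route is `#[PublicPage()]` with no throttling attribute among the lines shown. If the requirement cannot be made conditional, the handler should decide explicitly what happens to short tokens when custom tokens are disabled, and `#[AnonRateLimit]` or `#[BruteForceProtection]` should be considered here so that short tokens are not cheap to enumerate. The old pattern `{24,}` also had no upper bound while the new one stops at 256; please confirm that no existing token exceeds that.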
Would probably be good if we can decide here whether custom share tokens are allowed on that instance. But IIRC it's not working with dynamically defined requirements.
Meaning it would be good, but can't be done in this instance? Or should I try?
| #[CORS()] | ||
| #[NoAdminRequired()] | ||
| #[ApiRoute(verb: 'PATCH', url: '/api/v3/forms/{formId}/shares/{shareId}/token')] | ||
| public function updateShareToken(int $formId, int $shareId, string $token): DataResponse { |
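Review bot: `string $token` on the last line is unconstrained at the routing layer, so the length and character checks have to run inside the method before the uniqueness lookup, and nothing in the lines shown limits how often a user can call this. A uniqueness check necessarily tells the caller whether a token is already in use, so add `#[UserRateLimit]` to keep the endpoint from being used to probe which tokens exist on other users' forms. The tests should cover the 7-character, 257-character and non-alphanumeric cases.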
See other comment... Should be moved to already existing endpoint
Accidentally approved the PR instead of just adding the review comments
This adds admin-gated custom tokens for public Forms share links. By default the feature is disabled, so existing instances keep the current random-token behavior. When enabled by an admin, form owners can edit the token of an existing public link directly in the sharing sidebar, save it explicitly, and the old URL becomes invalid immediately.
It also adds the necessary backend support for token updates, keeps public-link routing compatible with custom tokens, and includes tests plus API documentation updates.