Private Content-Server Libraries in Public Environment

ConnorMac · 03-30-2020, 07:53 PM

First time poster and Originally Signed up to this forum to discuss the issues I was having trying to get the Development Environment to work under FreeBSD, but that's slightly irrelevant as I found a workaround to implement the code changes into my live system without having to use the downloaded source.

Anyway I digress, I set out with the aim of transferring all my eBooks and comics into a fresh server for the use of any guests visiting or staying at my property - without the need for a username login to access. However some of the works in my collection are of an adult nature and while I'd still like them to be available, they shouldn't be obviously accessible from the content manager homepage.

My solution was a second a library with the keyword "Private" in the name.
this was combined with the following coding changes.
./calibre/srv/legacy.py Line 129

select.append(E.option(library_name, value=library_id))

to

if not "Private" in library_name: select.append(E.option(library_name, value=library_id))

./calibre/srv/odps.py line 300

self.root.append(E.entry(

to

if not "Private" in library_name: self.root.append(E.entry(

and

/pyj/book_list/home.pyj added line at 256

if "Private" in library_name: cl.lastChild.style.visibility = 'hidden'

For Both /mobile and /opds the block can be bypassed by using a direct hard link to/opds?library_id=Private-Library-name /mobile?library_id=Private-Library-name (or whatever the library is called)
for the default ajax site the button can be unhidden using javascript (or most modern browser's resource inspector) or it can likewise be accessed through a direct hard link to /#library_id=Private-Library-name
I can make these links available on a case by case basis without risk of them being found accidentally.

I thought it worth raising here, to see if such a change would be worth committing to the code (beyond my own specific circumstance) or whether it would have unintended ramifications that would affect others?

kovidgoyal · 03-31-2020, 12:20 AM

I'm afraid I'm not interested in implementing "hiding" features. They are trivially bypassed by anyone with a little knowledge of how the server works. There is a robust mechanism for access control based on user accounts, that cannot (barring bugs) be bypassed.

ConnorMac · 03-31-2020, 02:49 PM

And that of course is an option that will work for some people, though googling to see whether this sort of solution existed threw up more than a few requests along these lines to deter casual browsing (particularly deterring pre-adolescents who are unlikely to bypass it in my case) rather than the creation and sharing of usernames and passwords to guests.

If any users wished to make such a change to their live system in my install
opds.py and legacy.py can be found at /usr/local/lib/calibre/calibre/srv

while home.pyj compiles into
/usr/local/share/calibre/content-server/index-generated.html
Where the code is now Javascript and should be implemented around line 32007 (linecount for slightly older build) it should sit before the line cl.lastChild.style.margin = "1ex 1rem";

and should be inserted as

if (library_name.includes("Private")) cl.lastChild.style.visibility = "hidden"

nonlinear.nyc · 06-23-2020, 08:51 AM

I think we should keep in mind ConnorMac's threat model... It's a light hide, frankly just not showing it by default to people on his own network.

I like the idea, and i'd like to learn how to set up this "ether" library.

03-30-2020, 07:53 PM	#1
ConnorMac Junior Member Posts: 2 Karma: 10 Join Date: Mar 2020 Device: FBReader on Android	Private Content-Server Libraries in Public Environment First time poster and Originally Signed up to this forum to discuss the issues I was having trying to get the Development Environment to work under FreeBSD, but that's slightly irrelevant as I found a workaround to implement the code changes into my live system without having to use the downloaded source. Anyway I digress, I set out with the aim of transferring all my eBooks and comics into a fresh server for the use of any guests visiting or staying at my property - without the need for a username login to access. However some of the works in my collection are of an adult nature and while I'd still like them to be available, they shouldn't be obviously accessible from the content manager homepage. My solution was a second a library with the keyword "Private" in the name. this was combined with the following coding changes. ./calibre/srv/legacy.py Line 129 select.append(E.option(library_name, value=library_id)) to if not "Private" in library_name: select.append(E.option(library_name, value=library_id)) ./calibre/srv/odps.py line 300 self.root.append(E.entry( to if not "Private" in library_name: self.root.append(E.entry( and /pyj/book_list/home.pyj added line at 256 if "Private" in library_name: cl.lastChild.style.visibility = 'hidden' For Both /mobile and /opds the block can be bypassed by using a direct hard link to/opds?library_id=Private-Library-name /mobile?library_id=Private-Library-name (or whatever the library is called) for the default ajax site the button can be unhidden using javascript (or most modern browser's resource inspector) or it can likewise be accessed through a direct hard link to /#library_id=Private-Library-name I can make these links available on a case by case basis without risk of them being found accidentally. I thought it worth raising here, to see if such a change would be worth committing to the code (beyond my own specific circumstance) or whether it would have unintended ramifications that would affect others?

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Content Server and Virtual Libraries	Sirtel	Calibre	2	07-21-2017 10:35 AM
Content-Server: Preview/Public link	josh.p.23	Calibre	12	05-24-2016 10:10 PM
Virtual Libraries not displayed by Content Server	paul55391	Library Management	1	04-04-2016 11:27 AM
Content Server Multiple Libraries with different views?	jamng	Calibre	18	09-27-2011 08:28 AM
multiple libraries in the content server?	ottovdv	Calibre	1	03-27-2011 05:52 PM

03-31-2020, 12:20 AM	#2
kovidgoyal creator of calibre Posts: 43,842 Karma: 22666666 Join Date: Oct 2006 Location: Mumbai, India Device: Various	I'm afraid I'm not interested in implementing "hiding" features. They are trivially bypassed by anyone with a little knowledge of how the server works. There is a robust mechanism for access control based on user accounts, that cannot (barring bugs) be bypassed.

03-31-2020, 02:49 PM	#3
ConnorMac Junior Member Posts: 2 Karma: 10 Join Date: Mar 2020 Device: FBReader on Android	And that of course is an option that will work for some people, though googling to see whether this sort of solution existed threw up more than a few requests along these lines to deter casual browsing (particularly deterring pre-adolescents who are unlikely to bypass it in my case) rather than the creation and sharing of usernames and passwords to guests. If any users wished to make such a change to their live system in my install opds.py and legacy.py can be found at /usr/local/lib/calibre/calibre/srv while home.pyj compiles into /usr/local/share/calibre/content-server/index-generated.html Where the code is now Javascript and should be implemented around line 32007 (linecount for slightly older build) it should sit before the line cl.lastChild.style.margin = "1ex 1rem"; and should be inserted as if (library_name.includes("Private")) cl.lastChild.style.visibility = "hidden"

06-23-2020, 08:51 AM	#4
nonlinear.nyc Junior Member Posts: 3 Karma: 10 Join Date: Jun 2020 Device: iPad	I think we should keep in mind ConnorMac's threat model... It's a light hide, frankly just not showing it by default to people on his own network. I like the idea, and i'd like to learn how to set up this "ether" library.