Hello! I have a question about HedgeDoc’s security model.
Can I expect notes available to guest users (freely, editable, and locked) to not be available to someone without the link?
I want to use HedgeDoc to share info with my friends, and I’d like the note link to act as a protection, so that only the people I share it with can access it.
Is this an explicit use case of HedgeDoc, or are you going to add features such as “list all public notes” in the future, which would negate the randomness of the link?
Yes, that’s actually the idea behind the simple link-based system in HedgeDoc 1.x.
As HedgeDoc 1.x is currently maintenance-only, we’re not adding new features there like a public notes list. So, the links are safe unless they’re shared somewhere else on the web and get indexed by Google or someone else.
For HedgeDoc 2.0, we intend the following:
There’ll be a list of notes that a user has access to. This means logged-in users can see all notes they have access to.
Whether non-logged-in users (“guests”) can see the list of public notes depends on the instance configuration.
We’ll probably add an option that the note’s owner can set on a note to make it unlisted without changing the access permissions.