Shared configuration / secrets among all plugin users

Onlyoffice Version: 8.3

OnlyOffice plugins are synchronized across all customers in a shared OnlyOffice environment, including their configurations. This means that any authorized user could potentially install arbitrary, malicious plugins that might leak confidential data or steal sensitive configurations.

If we use an LLM and want to make our configuration available to all users, how can we ensure that an arbitrary user cannot modify or delete our configuration?

Hello @ipdoc1

With the latest version of Document Server and IP plugin you can define default models for the tasks from the Info Page. Please let me know the installation type of your Document Server so that I can provide proper instructions on how to enable it.

Docker image onlyoffice/documentserver:8.3

Please update your Document Server to the actual version first. Then, to enable Info Page, please refer to this guide:

  1. Get the ID of the container with Document Server by running docker ps;
  2. Connect to the running container with command docker exec -it <ID> bash;
  3. Execute nano /etc/onlyoffice/documentserver/nginx/includes/ds-docservice.conf to edit necessary config;
  4. Find following section and replace 127.0.0.1 with the IP from which you are planning to access the interface:
# Allow "/info" interface only from 127.0.0.1 by default
# Comment out lines allow 127.0.0.1; and deny all; 
# of below section to turn on the info page
location ~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\w]+)?\/(info)(\/.*)$ {
  allow 127.0.0.1; # Change with proper IP
  deny all;
  proxy_pass http://docservice/$2$3;
}

If you comment out both allow and deny all lines, then this page will become publicly available, which is not recommended.

  5. After setting up proper IP, save the config, close it and restart NGINX with service nginx reload to apply this change.
  6. Once done, go to https://documentserver/info to access Info Page and configure default models for all Document Server users.

That way you can add necessary AI models for the plugin globally. Users won’t be able to change them or access sensitive information, such as keys.
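
The check below is an added example, not part of the thread or of ONLYOFFICE's own tooling: after editing the config as in the steps above, it confirms that the /info location still has an active deny all; and reports which addresses are allowed. The function names (audit_info_location, write_samples) and the sample files are assumptions made for illustration; on a real server the file to check is the ds-docservice.conf path from step 3.

```shell
#!/bin/sh
# Added example: audit the access rules of the "/info" location in an nginx include.
# Prints "restricted <addrs>", "public" or "missing"; returns 0 only when restricted.
audit_info_location() {
  awk '
    { sub(/#.*/, "") }                      # commented-out directives do not count
    !inblk && $1 == "location" && index($0, "(info)") { inblk = 1; found = 1; next }
    inblk && index($0, "}") { inblk = 0; next }
    inblk && $1 == "allow" {
      v = $2; sub(/;$/, "", v)
      # nginx stops at the first matching rule, so only rules before "deny all" matter
      if (!deny && (v == "all" || v == "0.0.0.0/0" || v == "::/0")) open = 1
      else if (!deny) allowed = allowed " " v
    }
    inblk && $1 == "deny" { d = $2; sub(/;$/, "", d); if (d == "all") deny = 1 }
    END {
      if (!found)        { print "missing"; exit 2 }
      if (open || !deny) { print "public";  exit 1 }   # no active "deny all": anyone can reach /info
      print "restricted" allowed
    }
  ' "$1"
}

# Constructed sample configs (not taken from a real server):
#   default.conf - the block as shipped, open.conf - both lines commented out,
#   admin.conf   - allow changed to a documentation-range address.
write_samples() {
  printf '%s\n' 'location ~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\w]+)?\/(info)(\/.*)$ {' \
    '  allow 127.0.0.1; # Change with proper IP' '  deny all;' \
    '  proxy_pass http://docservice/$2$3;' '}' > "$1/default.conf"
  sed -e 's/^  allow/  #allow/' -e 's/^  deny/  #deny/' "$1/default.conf" > "$1/open.conf"
  sed 's/127\.0\.0\.1/203.0.113.10/' "$1/default.conf" > "$1/admin.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in default open admin; do
  printf '%s: %s\n' "$f" "$(audit_info_location "$demo_dir/$f.conf" || true)"
done
```

Running the same function before service nginx reload catches the case where both lines were commented out and the Info Page would be exposed to every client.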