0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-16 21:56:25 -05:00

add access control for web ui

This commit is contained in:
Alex Kocharin 2014-11-13 18:52:13 +03:00
parent 09485451f7
commit 1fe0cedbd0
3 changed files with 35 additions and 26 deletions

View file

@ -5,9 +5,12 @@ var marked = require('marked')
var Handlebars = require('handlebars')
var Error = require('http-errors')
var Search = require('./search')
var Middleware = require('./middleware')
module.exports = function(config, auth, storage) {
var app = express()
var can = Middleware.allow(config)
app.use(Cookies.express())
app.use(express.urlencoded())
app.use(auth.cookie_middleware())
@ -30,11 +33,15 @@ module.exports = function(config, auth, storage) {
if (err) throw err // that function shouldn't produce any
res.send(template({
name: config.web.title || 'Sinopia',
packages: packages,
packages: packages.filter(allow),
baseUrl: base,
username: req.remote_user.name,
}))
})
function allow(package) {
return config.allow_access(package.name, req.remote_user)
}
})
// Static
@ -72,8 +79,8 @@ module.exports = function(config, auth, storage) {
// Search
app.get('/-/search/:anything', function(req, res, next) {
var results = Search.query(req.params.anything),
packages = []
var results = Search.query(req.params.anything)
var packages = []
var getData = function(i) {
storage.get_package(results[i].ref, function(err, entry) {
@ -103,7 +110,7 @@ module.exports = function(config, auth, storage) {
}
})
app.get('/-/readme/:package/:version?', function(req, res, next) {
app.get('/-/readme/:package/:version?', can('access'), function(req, res, next) {
storage.get_package(req.params.package, {req: req}, function(err, info) {
if (err) return next(err)
res.send( marked(info.readme || 'ERROR: No README data found!') )

View file

@ -27,28 +27,8 @@ module.exports = function(config_hash) {
var config = Config(config_hash)
var storage = Storage(config)
var auth = Auth(config)
var can = function(action) {
return function(req, res, next) {
if (config['allow_'+action](req.params.package, req.remote_user)) {
next()
} else {
if (!req.remote_user.name) {
if (req.remote_user.error) {
var message = "can't "+action+' restricted package, ' + req.remote_user.error
} else {
var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
}
next( Error[403](message) )
} else {
next( Error[403]('user ' + req.remote_user.name
+ ' not allowed to ' + action + ' it') )
}
}
}
}
var app = express()
var app = express()
var can = Middleware.allow(config)
// run in production mode by default, just in case
// it shouldn't make any difference anyway

View file

@ -157,3 +157,25 @@ module.exports.log_and_etagify = function(req, res, next) {
next()
}
module.exports.allow = function(config) {
return function(action) {
return function(req, res, next) {
if (config['allow_'+action](req.params.package, req.remote_user)) {
next()
} else {
if (!req.remote_user.name) {
if (req.remote_user.error) {
var message = "can't "+action+' restricted package, ' + req.remote_user.error
} else {
var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
}
next( Error[403](message) )
} else {
next( Error[403]('user ' + req.remote_user.name
+ ' not allowed to ' + action + ' it') )
}
}
}
}
}