From 1fe0cedbd07dcd2db7e5fe07b07c483dcc666f1b Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Thu, 13 Nov 2014 18:52:13 +0300
Subject: [PATCH] add access control for web ui
---
 lib/index-web.js | 15 +++++++++++----
 lib/index.js | 24 ++----------------------
 lib/middleware.js | 22 ++++++++++++++++++++++
 3 files changed, 35 insertions(+), 26 deletions(-)
diff --git a/lib/index-web.js b/lib/index-web.js
index 9e1dfbfc1..c3df354e2 100644
--- a/lib/index-web.js
+++ b/lib/index-web.js
@@ -5,9 +5,12 @@ var marked = require('marked')
 var Handlebars = require('handlebars')
 var Error = require('http-errors')
 var Search = require('./search')
+var Middleware = require('./middleware')
 module.exports = function(config, auth, storage) {
 var app = express()
+ var can = Middleware.allow(config)
+
 app.use(Cookies.express())
 app.use(express.urlencoded())
 app.use(auth.cookie_middleware())
@@ -30,11 +33,15 @@ module.exports = function(config, auth, storage) {
 if (err) throw err // that function shouldn't produce any
 res.send(template({
 name: config.web.title || 'Sinopia',
- packages: packages,
+ packages: packages.filter(allow),
 baseUrl: base,
 username: req.remote_user.name,
 }))
 })
+
+ function allow(package) {
+ return config.allow_access(package.name, req.remote_user)
+ }
 })
 // Static
@@ -72,8 +79,8 @@ module.exports = function(config, auth, storage) {
 // Search
 app.get('/-/search/:anything', function(req, res, next) {
- var results = Search.query(req.params.anything), packages = []
+ var results = Search.query(req.params.anything)
+ var packages = []
 var getData = function(i) {
 storage.get_package(results[i].ref, function(err, entry) {
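Review bot: The new `allow` helper in the index handler names its parameter `package`, which is a reserved word under strict mode, so this will stop parsing the moment a `'use strict'` directive is added to the file; `function allow(pkg) { return config.allow_access(pkg.name, req.remote_user) }` avoids that. Because the helper is declared inside the route callback and closes over `req`, it cannot be reused by the search route, and the `/-/search/:anything` hunk further down only splits a `var` declaration and adds no `allow_access` filter on its results — that handler's body continues outside the hunk, so if nothing filters further down, names of packages the visitor may not access would still be discoverable through search. A module-level `function allowed(config, user, pkg)` applied with the same `.filter` in both handlers would close that gap in one place. Note that both paths depend on `req.remote_user` having been populated by the `auth.cookie_middleware()` registered in the first hunk; an unauthenticated visitor reaches `allow_access` with whatever that middleware sets.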
@@ -103,7 +110,7 @@ module.exports = function(config, auth, storage) {
 }
 })
- app.get('/-/readme/:package/:version?', function(req, res, next) {
+ app.get('/-/readme/:package/:version?', can('access'), function(req, res, next) {
 storage.get_package(req.params.package, {req: req}, function(err, info) {
 if (err) return next(err)
 res.send( marked(info.readme || 'ERROR: No README data found!') )
diff --git a/lib/index.js b/lib/index.js
index 0e9a58b05..bcc3ad45e 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -27,28 +27,8 @@ module.exports = function(config_hash) {
 var config = Config(config_hash)
 var storage = Storage(config)
 var auth = Auth(config)
-
- var can = function(action) {
- return function(req, res, next) {
- if (config['allow_'+action](req.params.package, req.remote_user)) {
- next()
- } else {
- if (!req.remote_user.name) {
- if (req.remote_user.error) {
- var message = "can't "+action+' restricted package, ' + req.remote_user.error
- } else {
- var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
- }
- next( Error[403](message) )
- } else {
- next( Error[403]('user ' + req.remote_user.name
- + ' not allowed to ' + action + ' it') )
- }
- }
- }
- }
-
- var app = express()
+ var app = express()
+ var can = Middleware.allow(config)
 // run in production mode by default, just in case
 // it shouldn't make any difference anyway
diff --git a/lib/middleware.js b/lib/middleware.js
index 79e2b5bae..ca51eec47 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
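Review bot: The replacement `var can = Middleware.allow(config)` in lib/index.js relies on a `Middleware` binding that this hunk does not introduce, and the file's diffstat (2 insertions, 22 deletions) shows no require was added anywhere else in index.js; if `var Middleware = require('./middleware')` is not already among the requires above line 27, this is a ReferenceError at startup. Worth confirming rather than assuming, since lib/index-web.js needed the require added explicitly in this same commit. The surrounding `module.exports` function starts and ends outside the hunk.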
@@ -157,3 +157,25 @@ module.exports.log_and_etagify = function(req, res, next) {
 next()
 }
+module.exports.allow = function(config) {
+ return function(action) {
+ return function(req, res, next) {
+ if (config['allow_'+action](req.params.package, req.remote_user)) {
+ next()
+ } else {
+ if (!req.remote_user.name) {
+ if (req.remote_user.error) {
+ var message = "can't "+action+' restricted package, ' + req.remote_user.error
+ } else {
+ var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
+ }
+ next( Error[403](message) )
+ } else {
+ next( Error[403]('user ' + req.remote_user.name
+ + ' not allowed to ' + action + ' it') )
+ }
+ }
+ }
+ }
+}
+
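Review bot: The denial branch dereferences `req.remote_user.name` and `req.remote_user.error` unconditionally, so a request that reaches this middleware before an auth middleware has set `req.remote_user` dies with a TypeError (a 500) instead of a clean 403; `var user = req.remote_user || {}` at the top of the returned function, used in place of `req.remote_user` throughout, makes the deny path independent of middleware ordering. `action` is used both as a property lookup on `config` (`'allow_'+action`) and in the error text, so it must only ever be a code-supplied literal such as `'access'` or `'publish'`, never derived from the request; a JSDoc header on the export stating that contract — e.g. `/** allow(config)(action): Express middleware that 403s unless config['allow_'+action](req.params.package, req.remote_user) is truthy; action must be a trusted literal. */` — would make it explicit. The two `var message` declarations in sibling branches are function-scoped and read as a redeclaration; a single `var message` before the inner `if` is cleaner. Also note the "npm set always-auth true" hint is now surfaced to browser users through the `/-/readme` route in lib/index-web.js, where it is not actionable advice.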