add access control for web ui

lib/index-web.js

@@ -5,9 +5,12 @@ var marked     = require('marked')
 var Handlebars = require('handlebars')
 var Error      = require('http-errors')
 var Search     = require('./search')
+var Middleware = require('./middleware')
 
 module.exports = function(config, auth, storage) {
   var app = express()
+  var can = Middleware.allow(config)
+
   app.use(Cookies.express())
   app.use(express.urlencoded())
   app.use(auth.cookie_middleware())
@@ -30,11 +33,15 @@ module.exports = function(config, auth, storage) {
       if (err) throw err // that function shouldn't produce any
       res.send(template({
         name:       config.web.title || 'Sinopia',
-        packages:   packages,
+        packages:   packages.filter(allow),
         baseUrl:    base,
         username:   req.remote_user.name,
       }))
     })
+
+    function allow(package) {
+      return config.allow_access(package.name, req.remote_user)
+    }
   })
 
   // Static
@@ -72,8 +79,8 @@ module.exports = function(config, auth, storage) {
 
   // Search
   app.get('/-/search/:anything', function(req, res, next) {
-    var results = Search.query(req.params.anything),
+    var results = Search.query(req.params.anything)
-      packages = []
+    var packages = []
 
     var getData = function(i) {
       storage.get_package(results[i].ref, function(err, entry) {
@@ -103,7 +110,7 @@ module.exports = function(config, auth, storage) {
     }
   })
 
-  app.get('/-/readme/:package/:version?', function(req, res, next) {
+  app.get('/-/readme/:package/:version?', can('access'), function(req, res, next) {
     storage.get_package(req.params.package, {req: req}, function(err, info) {
       if (err) return next(err)
       res.send( marked(info.readme || 'ERROR: No README data found!') )

lib/index.js

@@ -27,28 +27,8 @@ module.exports = function(config_hash) {
   var config  = Config(config_hash)
   var storage = Storage(config)
   var auth    = Auth(config)
-
-  var can = function(action) {
-    return function(req, res, next) {
-      if (config['allow_'+action](req.params.package, req.remote_user)) {
-        next()
-      } else {
-        if (!req.remote_user.name) {
-          if (req.remote_user.error) {
-            var message = "can't "+action+' restricted package, ' + req.remote_user.error
-          } else {
-            var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
-          }
-          next( Error[403](message) )
-        } else {
-          next( Error[403]('user ' + req.remote_user.name
-                        + ' not allowed to ' + action + ' it') )
-        }
-      }
-    }
-  }
-
   var app     = express()
+  var can     = Middleware.allow(config)
 
   // run in production mode by default, just in case
   // it shouldn't make any difference anyway

lib/middleware.js

@@ -157,3 +157,25 @@ module.exports.log_and_etagify = function(req, res, next) {
   next()
 }
 
+module.exports.allow = function(config) {
+  return function(action) {
+    return function(req, res, next) {
+      if (config['allow_'+action](req.params.package, req.remote_user)) {
+        next()
+      } else {
+        if (!req.remote_user.name) {
+          if (req.remote_user.error) {
+            var message = "can't "+action+' restricted package, ' + req.remote_user.error
+          } else {
+            var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
+          }
+          next( Error[403](message) )
+        } else {
+          next( Error[403]('user ' + req.remote_user.name
+                        + ' not allowed to ' + action + ' it') )
+        }
+      }
+    }
+  }
+}
+