add access control for web ui
This commit is contained in:
parent
09485451f7
commit
1fe0cedbd0
3 changed files with 35 additions and 26 deletions
|
@ -5,9 +5,12 @@ var marked = require('marked')
|
||||||
var Handlebars = require('handlebars')
|
var Handlebars = require('handlebars')
|
||||||
var Error = require('http-errors')
|
var Error = require('http-errors')
|
||||||
var Search = require('./search')
|
var Search = require('./search')
|
||||||
|
var Middleware = require('./middleware')
|
||||||
|
|
||||||
module.exports = function(config, auth, storage) {
|
module.exports = function(config, auth, storage) {
|
||||||
var app = express()
|
var app = express()
|
||||||
|
var can = Middleware.allow(config)
|
||||||
|
|
||||||
app.use(Cookies.express())
|
app.use(Cookies.express())
|
||||||
app.use(express.urlencoded())
|
app.use(express.urlencoded())
|
||||||
app.use(auth.cookie_middleware())
|
app.use(auth.cookie_middleware())
|
||||||
|
@ -30,11 +33,15 @@ module.exports = function(config, auth, storage) {
|
||||||
if (err) throw err // that function shouldn't produce any
|
if (err) throw err // that function shouldn't produce any
|
||||||
res.send(template({
|
res.send(template({
|
||||||
name: config.web.title || 'Sinopia',
|
name: config.web.title || 'Sinopia',
|
||||||
packages: packages,
|
packages: packages.filter(allow),
|
||||||
baseUrl: base,
|
baseUrl: base,
|
||||||
username: req.remote_user.name,
|
username: req.remote_user.name,
|
||||||
}))
|
}))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
function allow(package) {
|
||||||
|
return config.allow_access(package.name, req.remote_user)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
// Static
|
// Static
|
||||||
|
@ -72,8 +79,8 @@ module.exports = function(config, auth, storage) {
|
||||||
|
|
||||||
// Search
|
// Search
|
||||||
app.get('/-/search/:anything', function(req, res, next) {
|
app.get('/-/search/:anything', function(req, res, next) {
|
||||||
var results = Search.query(req.params.anything),
|
var results = Search.query(req.params.anything)
|
||||||
packages = []
|
var packages = []
|
||||||
|
|
||||||
var getData = function(i) {
|
var getData = function(i) {
|
||||||
storage.get_package(results[i].ref, function(err, entry) {
|
storage.get_package(results[i].ref, function(err, entry) {
|
||||||
|
@ -103,7 +110,7 @@ module.exports = function(config, auth, storage) {
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
app.get('/-/readme/:package/:version?', function(req, res, next) {
|
app.get('/-/readme/:package/:version?', can('access'), function(req, res, next) {
|
||||||
storage.get_package(req.params.package, {req: req}, function(err, info) {
|
storage.get_package(req.params.package, {req: req}, function(err, info) {
|
||||||
if (err) return next(err)
|
if (err) return next(err)
|
||||||
res.send( marked(info.readme || 'ERROR: No README data found!') )
|
res.send( marked(info.readme || 'ERROR: No README data found!') )
|
||||||
|
|
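Review bot: The search route in the third hunk (`app.get('/-/search/:anything', …)`) is left without any access check: each hit is fetched with `storage.get_package(results[i].ref, …)` and, as far as the hunk shows, collected into `packages` regardless of who is asking, while the index listing in the first hunk is now filtered with `packages.filter(allow)` and the readme route is gated with `can('access')`. Unless the rest of the handler (it continues past the hunk) filters, a restricted package that the listing now hides stays discoverable through `/-/search/<name>`, which defeats the point of this commit. Since `get_package` is called elsewhere with a package name as its first argument, `ref` appears to be the package name, so the cheapest fix is to drop disallowed hits before fetching: `var results = Search.query(req.params.anything).filter(function(r) { return config.allow_access(r.ref, req.remote_user) })`. If `ref` is not the name, apply the same `config.allow_access(entry.name, req.remote_user)` test inside the `get_package` callback instead.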
24
lib/index.js
24
lib/index.js
|
@ -27,28 +27,8 @@ module.exports = function(config_hash) {
|
||||||
var config = Config(config_hash)
|
var config = Config(config_hash)
|
||||||
var storage = Storage(config)
|
var storage = Storage(config)
|
||||||
var auth = Auth(config)
|
var auth = Auth(config)
|
||||||
|
var app = express()
|
||||||
var can = function(action) {
|
var can = Middleware.allow(config)
|
||||||
return function(req, res, next) {
|
|
||||||
if (config['allow_'+action](req.params.package, req.remote_user)) {
|
|
||||||
next()
|
|
||||||
} else {
|
|
||||||
if (!req.remote_user.name) {
|
|
||||||
if (req.remote_user.error) {
|
|
||||||
var message = "can't "+action+' restricted package, ' + req.remote_user.error
|
|
||||||
} else {
|
|
||||||
var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
|
|
||||||
}
|
|
||||||
next( Error[403](message) )
|
|
||||||
} else {
|
|
||||||
next( Error[403]('user ' + req.remote_user.name
|
|
||||||
+ ' not allowed to ' + action + ' it') )
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var app = express()
|
|
||||||
|
|
||||||
// run in production mode by default, just in case
|
// run in production mode by default, just in case
|
||||||
// it shouldn't make any difference anyway
|
// it shouldn't make any difference anyway
|
||||||
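Review bot: `var can = Middleware.allow(config)` depends on `Middleware` being in scope, and the hunk's context (the `Config`/`Storage`/`Auth` setup) does not show the corresponding require; the module's require block sits above the hunk, so if lib/index.js does not already have `var Middleware = require('./middleware')` the way index-web.js gains one in this commit, this line throws a ReferenceError at load time rather than on the first gated request. Worth confirming against the top of the file, and worth a one-line comment on the new line so the next reader knows where the factory lives: `// can('access'|'publish'): per-package ACL middleware, see lib/middleware.js`.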
|
|
|
@ -157,3 +157,25 @@ module.exports.log_and_etagify = function(req, res, next) {
|
||||||
next()
|
next()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module.exports.allow = function(config) {
|
||||||
|
return function(action) {
|
||||||
|
return function(req, res, next) {
|
||||||
|
if (config['allow_'+action](req.params.package, req.remote_user)) {
|
||||||
|
next()
|
||||||
|
} else {
|
||||||
|
if (!req.remote_user.name) {
|
||||||
|
if (req.remote_user.error) {
|
||||||
|
var message = "can't "+action+' restricted package, ' + req.remote_user.error
|
||||||
|
} else {
|
||||||
|
var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
|
||||||
|
}
|
||||||
|
next( Error[403](message) )
|
||||||
|
} else {
|
||||||
|
next( Error[403]('user ' + req.remote_user.name
|
||||||
|
+ ' not allowed to ' + action + ' it') )
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
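Review bot: The extracted `allow` factory reads `req.params.package` and `req.remote_user` unconditionally, so every route that mounts `can(...)` must declare a `:package` param and run the auth middleware first; if `req.remote_user` is missing the deny branch itself throws a TypeError on `req.remote_user.name` instead of returning 403, and a route with a differently named param silently asks `config.allow_<action>(undefined, …)`. Now that this is shared between lib/index.js and lib/index-web.js, that contract should be stated above the export, e.g. `// Middleware factory: can(action) gates a route on config['allow_'+action](req.params.package, req.remote_user). Requires a ':package' route param and req.remote_user to be set by the auth middleware; returns 403 otherwise.` Also note that an unknown `action` makes `config['allow_'+action]` undefined and throws rather than denying, so a guard such as `if (typeof config['allow_'+action] !== 'function') return next(Error[403]('unknown action ' + action))` would fail closed.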