add access control for web ui

2024-12-16 21:56:25 -05:00 · 2014-11-13 18:52:13 +03:00 · 2014-11-13 18:52:13 +03:00 · 1fe0cedbd0
commit 1fe0cedbd0
parent 09485451f7
3 changed files with 35 additions and 26 deletions
--- a/lib/index-web.js
+++ b/lib/index-web.js
@ -5,9 +5,12 @@ var marked     = require('marked')
 var Handlebars = require('handlebars')
 var Error      = require('http-errors')
 var Search     = require('./search')
+var Middleware = require('./middleware')

 module.exports = function(config, auth, storage) {
  var app = express()
+  var can = Middleware.allow(config)
+
  app.use(Cookies.express())
  app.use(express.urlencoded())
  app.use(auth.cookie_middleware())
@ -30,11 +33,15 @@ module.exports = function(config, auth, storage) {
      if (err) throw err // that function shouldn't produce any
      res.send(template({
        name:       config.web.title || 'Sinopia',
-        packages:   packages,
+        packages:   packages.filter(allow),
        baseUrl:    base,
        username:   req.remote_user.name,
      }))
    })
+
+    function allow(package) {
+      return config.allow_access(package.name, req.remote_user)
+    }
  })

  // Static
@ -72,8 +79,8 @@ module.exports = function(config, auth, storage) {

  // Search
  app.get('/-/search/:anything', function(req, res, next) {
-    var results = Search.query(req.params.anything),
-      packages = []
+    var results = Search.query(req.params.anything)
+    var packages = []

    var getData = function(i) {
      storage.get_package(results[i].ref, function(err, entry) {
@ -103,7 +110,7 @@ module.exports = function(config, auth, storage) {
    }
  })

-  app.get('/-/readme/:package/:version?', function(req, res, next) {
+  app.get('/-/readme/:package/:version?', can('access'), function(req, res, next) {
    storage.get_package(req.params.package, {req: req}, function(err, info) {
      if (err) return next(err)
      res.send( marked(info.readme || 'ERROR: No README data found!') )
--- a/lib/index.js
+++ b/lib/index.js
@ -27,28 +27,8 @@ module.exports = function(config_hash) {
  var config  = Config(config_hash)
  var storage = Storage(config)
  var auth    = Auth(config)
-
-  var can = function(action) {
-    return function(req, res, next) {
-      if (config['allow_'+action](req.params.package, req.remote_user)) {
-        next()
-      } else {
-        if (!req.remote_user.name) {
-          if (req.remote_user.error) {
-            var message = "can't "+action+' restricted package, ' + req.remote_user.error
-          } else {
-            var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
-          }
-          next( Error[403](message) )
-        } else {
-          next( Error[403]('user ' + req.remote_user.name
-                        + ' not allowed to ' + action + ' it') )
-        }
-      }
-    }
-  }
-
  var app     = express()
+  var can     = Middleware.allow(config)

  // run in production mode by default, just in case
  // it shouldn't make any difference anyway
--- a/lib/middleware.js
+++ b/lib/middleware.js
@ -157,3 +157,25 @@ module.exports.log_and_etagify = function(req, res, next) {
  next()
 }

+module.exports.allow = function(config) {
+  return function(action) {
+    return function(req, res, next) {
+      if (config['allow_'+action](req.params.package, req.remote_user)) {
+        next()
+      } else {
+        if (!req.remote_user.name) {
+          if (req.remote_user.error) {
+            var message = "can't "+action+' restricted package, ' + req.remote_user.error
+          } else {
+            var message = "can't "+action+" restricted package without auth, did you forget 'npm set always-auth true'?"
+          }
+          next( Error[403](message) )
+        } else {
+          next( Error[403]('user ' + req.remote_user.name
+                        + ' not allowed to ' + action + ' it') )
+        }
+      }
+    }
+  }
+}
+