From d9accbb6a7da28e1a67206af505348ea1452d4c6 Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Sun, 22 Jun 2014 18:34:51 +0400
Subject: [PATCH] better access control for search

For each of the packages check if user has access to it and remove package info from the result if he doesn't.

ref #65
---
 lib/index.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/index.js b/lib/index.js
index a9a0562f8..21d911256 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -171,10 +171,14 @@ module.exports = function(config_hash) {
 })
 
 // searching packages
- app.get('/-/all/:package?', can('access'), function(req, res, next) {
+ app.get('/-/all/:since?', function(req, res, next) {
 storage.search(req.param.startkey || 0, {req: req}, function(err, result) {
 if (err) return next(err)
-
+ for (var pkg in result) {
+ if (!config.allow_access(pkg, req.remoteUser)) {
+ delete result[pkg]
+ }
+ }
 return res.send(result)
 })
 })
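Review bot: The new filter loop deletes entries from `result` in place, so if `storage.search` returns an object it also keeps (its implementation is not visible in this hunk), packages hidden for one user would disappear for every later caller. Copying only the permitted entries into a fresh object avoids that and fails closed, because a key is sent only after `config.allow_access` has approved it. `for (var pkg in result)` also passes every enumerable key to `allow_access`, so any non-package key the search result may carry would be judged as if it were a package name and should be handled explicitly. With `can('access')` dropped from the route, this loop is the only access check left on `/-/all`, so it is worth a test with an unauthenticated `req.remoteUser`. The enclosing `module.exports` function starts and ends outside the hunk.

```javascript
// … unchanged: route registration and storage.search call …
if (err) return next(err)
// Build the response from approved entries only; never mutate the
// object handed back by storage.search.
var visible = {}
Object.keys(result).forEach(function(pkg) {
	if (config.allow_access(pkg, req.remoteUser)) {
		visible[pkg] = result[pkg]
	}
})
return res.send(visible)
```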