feat: ability to restrict unpublish action to certain users #492

This is a PoC, it needs refactor and unit testing
2025-02-17 23:45:29 -05:00 · 2019-02-07 22:04:53 +01:00 · 2019-02-07 22:04:53 +01:00 · ef503257f3
commit ef503257f3
parent 10370c6eeb
5 changed files with 37 additions and 2 deletions
--- a/conf/default.yaml
+++ b/conf/default.yaml
@ -44,6 +44,7 @@ packages:
    # scoped packages
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs
  '**':
@ -58,6 +59,8 @@ packages:
    # (anyone can register by default, remember?)
    publish: $authenticated
    unpublish: $authenticated
    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs
--- a/src/api/endpoint/api/publish.js
+++ b/src/api/endpoint/api/publish.js
@ -24,10 +24,10 @@ export default function publish(router: Router, auth: IAuth, storage: IStorageHa
  router.put('/:package/:_rev?/:revision?', can('publish'), media(mime.getType('json')), expectJson, publishPackage(storage, config));
  // un-publishing an entire package
-  router.delete('/:package/-rev/*', can('publish'), unPublishPackage(storage));
+  router.delete('/:package/-rev/*', can('unpublish'), can('publish'), unPublishPackage(storage));
  // removing a tarball
-  router.delete('/:package/-/:filename/-rev/:revision', can('publish'), removeTarball(storage));
+  router.delete('/:package/-/:filename/-rev/:revision', can('unpublish'), can('publish'), removeTarball(storage));
  // uploading package tarball
  router.put('/:package/-/:filename/*', can('publish'), media(HEADERS.OCTET_STREAM), uploadPackageTarball(storage));
--- a/src/lib/auth-utils.js
+++ b/src/lib/auth-utils.js
@ -72,6 +72,7 @@ export function getDefaultPlugins() {
    allow_access: allow_action('access'),
    allow_publish: allow_action('publish'),
    allow_unpublish: allow_action('unpublish'),
  };
 }
--- a/src/lib/auth.js
+++ b/src/lib/auth.js
@ -190,6 +190,35 @@ class Auth implements IAuth {
    })();
  }
  allow_unpublish({ packageName, packageVersion }: AuthPluginPackage, user: string, callback: Callback) {
    const plugins = this.plugins.slice(0);
    const self = this;
    // $FlowFixMe
    const pkg = Object.assign({ name: packageName, version: packageVersion }, getMatchedPackagesSpec(packageName, this.config.packages));
    this.logger.trace({ packageName }, 'allow unpublish for @{packageName}');
    (function next() {
      const plugin = plugins.shift();
      if (_.isFunction(plugin.allow_unpublish) === false) {
        return next();
      }
      plugin.allow_unpublish(user, pkg, (err, ok: boolean) => {
        if (err) {
          self.logger.trace({ packageName }, 'forbidden unpublish for @{packageName}');
          return callback(err);
        }
        if (ok) {
          self.logger.trace({ packageName }, 'allowed unpublish for @{packageName}');
          return callback(null, ok);
        }
        next(); // cb(null, false) causes next plugin to roll
      });
    })();
  }
  /**
   * Allow user to publish a package.
   */
--- a/src/lib/config-utils.js
+++ b/src/lib/config-utils.js
@ -123,6 +123,8 @@ export function normalisePackageAccess(packages: PackageList): PackageList {
      delete normalizedPkgs[pkg].allow_publish;
      normalizedPkgs[pkg].proxy = normalizeUserList(packages[pkg].proxy_access, packages[pkg].proxy);
      delete normalizedPkgs[pkg].proxy_access;
      // $FlowFixMe
      normalizedPkgs[pkg].unpublish = normalizeUserList([], packages[pkg].unpublish);
    }
  }