permissins (per instance)

2026-04-19 22:26:01 +00:00 · 2020-12-10 11:54:28 +01:00
parent 698756b9d2
commit f993e82b0b
15 changed files with 114 additions and 29 deletions
--- a/packages/api/src/controllers/config.js
+++ b/packages/api/src/controllers/config.js
@@ -11,17 +11,21 @@ module.exports = {
        }))
      : null;
    const startupPages = process.env.STARTUP_PAGES ? process.env.STARTUP_PAGES.split(',') : [];
+    const permissions = process.env.PERMISSIONS ? process.env.PERMISSIONS.split(',') : null;
+    const singleDatabase =
+      process.env.SINGLE_CONNECTION && process.env.SINGLE_DATABASE
+        ? {
+            conid: process.env.SINGLE_CONNECTION,
+            database: process.env.SINGLE_DATABASE,
+          }
+        : null;
+
    return {
      runAsPortal: !!process.env.CONNECTIONS,
      toolbar,
      startupPages,
-      singleDatabase:
-        process.env.SINGLE_CONNECTION && process.env.SINGLE_DATABASE
-          ? {
-              conid: process.env.SINGLE_CONNECTION,
-              database: process.env.SINGLE_DATABASE,
-            }
-          : null,
+      singleDatabase,
+      permissions,
    };
  },
 };
--- a/packages/api/src/controllers/files.js
+++ b/packages/api/src/controllers/files.js
@@ -1,6 +1,7 @@
 const fs = require('fs-extra');
 const path = require('path');
 const { filesdir } = require('../utility/directories');
+const hasPermission = require('../utility/hasPermission');
 const socket = require('../utility/socket');
 const scheduler = require('./scheduler');

@@ -19,6 +20,7 @@ function deserialize(format, text) {
 module.exports = {
  list_meta: 'get',
  async list({ folder }) {
+    if (!hasPermission(`files/${folder}/read`)) return [];
    const dir = path.join(filesdir(), folder);
    if (!(await fs.exists(dir))) return [];
    const files = (await fs.readdir(dir)).map((file) => ({ folder, file }));
@@ -27,24 +29,28 @@ module.exports = {

  delete_meta: 'post',
  async delete({ folder, file }) {
+    if (!hasPermission(`files/${folder}/write`)) return;
    await fs.unlink(path.join(filesdir(), folder, file));
    socket.emitChanged(`files-changed-${folder}`);
  },

  rename_meta: 'post',
  async rename({ folder, file, newFile }) {
+    if (!hasPermission(`files/${folder}/write`)) return;
    await fs.rename(path.join(filesdir(), folder, file), path.join(filesdir(), folder, newFile));
    socket.emitChanged(`files-changed-${folder}`);
  },

  load_meta: 'post',
  async load({ folder, file, format }) {
+    if (!hasPermission(`files/${folder}/read`)) return null;
    const text = await fs.readFile(path.join(filesdir(), folder, file), { encoding: 'utf-8' });
    return deserialize(format, text);
  },

  save_meta: 'post',
  async save({ folder, file, data, format }) {
+    if (!hasPermission(`files/${folder}/write`)) return;
    const dir = path.join(filesdir(), folder);
    if (!(await fs.exists(dir))) {
      await fs.mkdir(dir);
--- a/packages/api/src/controllers/plugins.js
+++ b/packages/api/src/controllers/plugins.js
@@ -5,6 +5,7 @@ const { pluginsdir, datadir } = require('../utility/directories');
 const socket = require('../utility/socket');
 const requirePlugin = require('../shell/requirePlugin');
 const downloadPackage = require('../utility/downloadPackage');
+const hasPermission = require('../utility/hasPermission');

 // async function loadPackageInfo(dir) {
 //   const readmeFile = path.join(dir, 'README.md');
@@ -106,6 +107,7 @@ module.exports = {

  install_meta: 'post',
  async install({ packageName }) {
+    if (!hasPermission(`plugins/install`)) return;
    const dir = path.join(pluginsdir(), packageName);
    if (!(await fs.exists(dir))) {
      await downloadPackage(packageName, dir);
@@ -115,6 +117,7 @@ module.exports = {

  uninstall_meta: 'post',
  async uninstall({ packageName }) {
+    if (!hasPermission(`plugins/install`)) return;
    const dir = path.join(pluginsdir(), packageName);
    await fs.rmdir(dir, { recursive: true });
    socket.emitChanged(`installed-plugins-changed`);
--- a/packages/api/src/controllers/scheduler.js
+++ b/packages/api/src/controllers/scheduler.js
@@ -3,6 +3,7 @@ const fs = require('fs-extra');
 const path = require('path');
 const cron = require('node-cron');
 const runners = require('./runners');
+const hasPermission = require('../utility/hasPermission');

 const scheduleRegex = /\s*\/\/\s*@schedule\s+([^\n]+)\n/;

@@ -26,6 +27,7 @@ module.exports = {
  },

  async reload() {
+    if (!hasPermission('files/shell/read')) return;
    const shellDir = path.join(filesdir(), 'shell');
    await this.unload();
    if (!(await fs.exists(shellDir))) return;
--- a/packages/api/src/utility/hasPermission.js
+++ b/packages/api/src/utility/hasPermission.js
@@ -0,0 +1,12 @@
+const { compilePermissions, testPermission } = require('dbgate-tools');
+
+let compiled = undefined;
+
+function hasPermission(tested) {
+  if (compiled === undefined) {
+    compiled = compilePermissions(process.env.PERMISSIONS);
+  }
+  return testPermission(tested, compiled);
+}
+
+module.exports = hasPermission;