Use the special '*' ID to allow any user to upload.
This is not too bad in the gobbler context given that anyone who has access to
the shared filesystem is already somewhat trusted; it's not like we're giving
upload access to the entire internet, and admins can always hunt down abusers.
LTLA committed Oct 16, 2024
1 parent 185ac79 commit 3380f39
Showing 3 changed files with 19 additions and 4 deletions.
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -91,10 +91,11 @@ The Gobbler supports three levels of permissions - adminstrators, project owners

The permissions for a project are stored in the `{project}/..permissions` file.
This is a JSON-formatted file that contains a JSON object with the following properties:
- `owners`: An array of strings containing the GitHub user names or organizations that own this project.
- `uploaders`: An array of objects specifying GitHub users or organizations that are authorized to be uploaders.
- `owners`: An array of strings containing the identities of users who own this project.
- `uploaders`: An array of objects specifying the users who are authorized to be uploaders.
Each object has the following properties:
- `id`: String containing the identity of the user/organization.
- `id`: String containing the identity of the uploading user.
This can also be `*` to allow uploads from any user.
- `asset` (optional): String containing the name of the asset that the uploader is allowed to upload to.
If not specified, no restrictions are placed on the asset name.
- `version` (optional): String containing the name of the version that the uploader is allowed to upload to.
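
Review bot: the new sentence under `id` ("This can also be `*` to allow uploads from any user.") does not tell the reader how a wildcard entry interacts with the `asset` and `version` properties listed right after it, or whether `*` means anything in `owners`. Suggest stating that `*` is only recognized as an uploader `id`, and that a `*` entry with no `asset` set places no restriction on the asset name for any user, so project owners should scope wildcard entries deliberately. The rewording also drops "organizations" from both `owners` and `id`; if organization identities are no longer accepted, the README should say so rather than leave it implied.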
3 changes: 2 additions & 1 deletion permissions.go
Expand Up @@ -93,7 +93,8 @@ func isAuthorizedToUpload(username string, administrators []string, permissions

if permissions.Uploaders != nil {
for _, u := range permissions.Uploaders {
if u.Id != username {
// Allow the special '*' username to match to any uploader.
if u.Id != username && u.Id != "*" {
continue
}

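Review bot: in the `u.Id != username && u.Id != "*"` check, `"*"` is a bare string literal; a named constant would keep the sentinel in one place for the code, the tests and the README. The comment also reads backwards: it is the `*` ID in an uploader entry that matches any username, not a "'*' username". It would help to document next to this check what happens when a `*` entry and a user-specific entry for the same user both appear in `permissions.Uploaders`, since the outcome depends on what the loop does after this `continue`.
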
13 changes: 13 additions & 0 deletions permissions_test.go
Expand Up @@ -175,6 +175,12 @@ func TestIsAuthorizedToUpload(t *testing.T) {
if !ok || !trusted {
t.Fatalf("unexpected lack of non-probational authorization for an uploader")
}

perms.Uploaders = []uploaderEntry{ uploaderEntry{ Id: "*", Trusted: &is_trusted } }
ok, trusted = isAuthorizedToUpload("cynthia", nil, &perms, nil, nil)
if !ok || !trusted {
t.Fatalf("unexpected lack of upload authorization for *")
}
}

func TestSanitizeUploaders(t *testing.T) {
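
Review bot: the case added to `TestIsAuthorizedToUpload` only exercises a `*` entry with `Trusted` set and asserts the permissive outcome (`ok` and `trusted` both true). Please add the restrictive cases as well: a `*` entry without `Trusted`, and a `*` entry that carries an asset or version restriction checked against a non-matching upload, so the tests show that a wildcard does not bypass the per-entry limits.
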
Expand All @@ -192,6 +198,13 @@ func TestSanitizeUploaders(t *testing.T) {
t.Fatalf("validation of uploaders failed for correct uploaders; %v", err)
}

id2 = "*"
uploaders[1].Id = &id2
san, err = sanitizeUploaders(uploaders)
if err != nil || len(san) != 2 || san[0].Id != id1 || san[1].Id != id2 {
t.Fatalf("validation of uploaders failed for correct uploaders with a wildcard; %v", err)
}

mock := "YAAY"
uploaders[1].Until = &mock
_, err = sanitizeUploaders(uploaders)
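
Review bot: `id2 = "*"` overwrites the value that `uploaders[1].Id` points to and never restores it, so the invalid `Until` case that follows (`mock := "YAAY"`) now runs against the wildcard entry instead of the original ID. Use a separate variable for the wildcard, or reset `uploaders[1].Id` afterwards, so the later failure cases keep testing what they tested before this change.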