restrict uploads to authenticated users

pull/1/head
ansuz 8 years ago
parent f329726fa4
commit 3ad99be1ef

1
.gitignore vendored

@ -13,3 +13,4 @@ data
npm-debug.log npm-debug.log
pins/ pins/
blob/ blob/
privileged.conf

@ -180,6 +180,17 @@ module.exports = {
*/ */
suppressRPCErrors: false, suppressRPCErrors: false,
/* TODO
*
*/
enableUploads: true,
/* TODO
*
*/
restrictUploads: true,
/* it is recommended that you serve cryptpad over https /* it is recommended that you serve cryptpad over https
* the filepaths below are used to configure your certificates * the filepaths below are used to configure your certificates
*/ */

@ -409,6 +409,30 @@ var resetUserPins = function (store, Sessions, publicKey, channelList, cb) {
}); });
}; };
var getPrivilegedUserList = function (cb) {
Fs.readFile('./privileged.conf', 'utf8', function (e, body) {
if (e) {
if (e.code === 'ENOENT') {
return void cb(void 0, []);
}
return void (e.code);
}
var list = body.split(/\n/)
.map(function (line) {
return line.replace(/#.*$/, '').trim();
})
.filter(function (x) { return x; });
cb(void 0, list);
});
};
var isPrivilegedUser = function (publicKey, cb) {
getPrivilegedUserList(function (e, list) {
if (e) { return void cb(false); }
cb(list.indexOf(publicKey) !== -1);
});
};
var getLimit = function (cb) { var getLimit = function (cb) {
cb = cb; // TODO cb = cb; // TODO
}; };
@ -625,6 +649,11 @@ RPC.create = function (config /*:typeof(ConfigType)*/, cb /*:(?Error, ?Function)
return void Respond('INVALID_MSG'); return void Respond('INVALID_MSG');
} }
var deny = function () {
Respond('E_ACCESS_DENIED');
};
var handleMessage = function (privileged) {
switch (msg[0]) { switch (msg[0]) {
case 'COOKIE': return void Respond(void 0); case 'COOKIE': return void Respond(void 0);
case 'RESET': case 'RESET':
@ -662,19 +691,25 @@ RPC.create = function (config /*:typeof(ConfigType)*/, cb /*:(?Error, ?Function)
Respond(void 0, dict); Respond(void 0, dict);
}); });
// restricted to privileged users...
case 'UPLOAD': case 'UPLOAD':
if (!privileged) { return deny(); }
return void upload(blobStagingPath, Sessions, safeKey, msg[1], function (e, len) { return void upload(blobStagingPath, Sessions, safeKey, msg[1], function (e, len) {
Respond(e, len); Respond(e, len);
}); });
case 'UPLOAD_STATUS': case 'UPLOAD_STATUS':
if (!privileged) { return deny(); }
return void upload_status(blobStagingPath, Sessions, safeKey, function (e, stat) { return void upload_status(blobStagingPath, Sessions, safeKey, function (e, stat) {
Respond(e, stat); Respond(e, stat);
}); });
case 'UPLOAD_COMPLETE': case 'UPLOAD_COMPLETE':
if (!privileged) { return deny(); }
return void upload_complete(blobStagingPath, blobPath, Sessions, safeKey, function (e, hash) { return void upload_complete(blobStagingPath, blobPath, Sessions, safeKey, function (e, hash) {
Respond(e, hash); Respond(e, hash);
}); });
case 'UPLOAD_CANCEL': case 'UPLOAD_CANCEL':
if (!privileged) { return deny(); }
return void upload_cancel(blobStagingPath, Sessions, safeKey, function (e) { return void upload_cancel(blobStagingPath, Sessions, safeKey, function (e) {
Respond(e); Respond(e);
}); });
@ -683,6 +718,29 @@ RPC.create = function (config /*:typeof(ConfigType)*/, cb /*:(?Error, ?Function)
} }
}; };
// reject uploads unless explicitly enabled
if (config.enableUploads !== true) {
return void handleMessage(false);
}
// restrict upload capability unless explicitly disabled
if (config.restrictUploads === false) {
return void handleMessage(true);
}
// if session has not been authenticated, do so
var session = Sessions[publicKey];
if (typeof(session.privilege) !== 'boolean') {
return void isPrivilegedUser(publicKey, function (yes) {
session.privilege = yes;
handleMessage(yes);
});
}
// if authenticated, proceed
handleMessage(session.privilege);
};
Store.create({ Store.create({
filePath: pinPath, filePath: pinPath,
}, function (s) { }, function (s) {

Loading…
Cancel
Save