diff --git a/CHANGELOG.md b/CHANGELOG.md index 90e4b07..fb034cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,13 @@ ### 0.9.5 (unreleased) * Upgrade Go version to 1.19.0, alpine to 3.16 and other dependencies. -* Added an option `purge_tags_keep_regexp` to preserve tags based on regexp (thanks to @dmaes). -* Added an option `purge_tags_keep_from_file` to preserve tags for repos listed in the file provided. -* Fix a bug when there was a bit more tags preserved than defined by `purge_tags_keep_count`. +* Add an option `anyone_can_view_events` to restrict access to the event log. Set it to `true` to make event log accessible to anyone (to restore the previous behaviour), otherwise the default `false` will hide it and only admins can view it (thanks to @ribbybibby). +* Add an option `purge_tags_keep_regexp` to preserve tags based on regexp (thanks to @dmaes). +* Add an option `purge_tags_keep_from_file` to preserve tags for repos listed in the file provided. * When purging tags sort them by name reversibly when no date available, e.g. for OCI image format (thanks to @dmaes). +* Fix a bug when there was a bit more tags preserved than defined by `purge_tags_keep_count`. + +Also see `config.yml` in this repo for the description of new options. ### 0.9.4 (2022-04-06) diff --git a/config.yml b/config.yml index cab680a..b4b7efd 100644 --- a/config.yml +++ b/config.yml @@ -38,7 +38,9 @@ event_deletion_enabled: true # How long to cache repository list and tag counts. cache_refresh_interval: 10 -# If users can delete tags. If set to False, then only admins listed below. +# If all users can view the event log. If set to false, then only admins listed below. +anyone_can_view_events: true +# If all users can delete tags. If set to false, then only admins listed below. anyone_can_delete: false # Users allowed to delete tags. # This should be sent via X-WEBAUTH-USER header from your proxy. diff --git a/web.go b/web.go index 8692b04..695f17b 100644 --- a/web.go 
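Review bot: The shipped example sets `anyone_can_view_events: true`, while the changelog hunk in this same commit describes `false` (admins only) as the built-in default, so anyone who starts from this file gets the permissive setting rather than the one the release notes advertise. If the intent is to keep upgraders on the old behaviour, the comment should say so; otherwise the example should carry the safe value. Suggested: `# If all users can view the event log. Defaults to false (only admins listed below); set to true only to keep the pre-0.9.5 behaviour.` followed by `anyone_can_view_events: false`.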
+++ b/web.go @@ -12,6 +12,18 @@ import ( "github.com/tidwall/gjson" ) +const usernameHTTPHeader = "X-WEBAUTH-USER" + +func (a *apiClient) setUserPermissions(c echo.Context) jet.VarMap { + user := c.Request().Header.Get(usernameHTTPHeader) + + data := jet.VarMap{} + data.Set("user", user) + data.Set("eventsAllowed", a.config.AnyoneCanViewEvents || registry.ItemInSlice(user, a.config.Admins)) + data.Set("deleteAllowed", a.config.AnyoneCanDelete || registry.ItemInSlice(user, a.config.Admins)) + return data +} + func (a *apiClient) viewRepositories(c echo.Context) error { namespace := c.Param("namespace") if namespace == "" { @@ -19,7 +31,7 @@ func (a *apiClient) viewRepositories(c echo.Context) error { } repos := a.client.Repositories(true)[namespace] - data := a.dataWithPermissions(c) + data := a.setUserPermissions(c) data.Set("namespace", namespace) data.Set("namespaces", a.client.Namespaces()) data.Set("repos", repos) @@ -38,7 +50,7 @@ func (a *apiClient) viewTags(c echo.Context) error { tags := a.client.Tags(repoPath) - data := a.dataWithPermissions(c) + data := a.setUserPermissions(c) data.Set("namespace", namespace) data.Set("repo", repo) data.Set("tags", tags) @@ -128,7 +140,7 @@ func (a *apiClient) viewTagInfo(c echo.Context) error { } // Populate template vars - data := a.dataWithPermissions(c) + data := a.setUserPermissions(c) data.Set("namespace", namespace) data.Set("repo", repo) data.Set("tag", tag) 
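Review bot: `setUserPermissions` reads `X-WEBAUTH-USER` straight from the incoming request and is now the single place where admin status is decided, yet neither the new constant nor the function carries a comment saying what that trust rests on. It is only safe if the reverse proxy always sets the header and drops any client-supplied copy (config.yml says the proxy should send it); a deployment reachable without the proxy lets any caller pick an admin name, which this hunk does not change but should state. Suggest a doc comment above the function: `// setUserPermissions derives the caller's view/delete rights from the X-WEBAUTH-USER header, which is trusted as-is: the proxy in front of this service must set it and strip any client-supplied value.` The name also reads oddly for a function that only computes and returns a VarMap; `permissionsFor` or the former `dataWithPermissions` would describe it better.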
@@ -154,58 +166,17 @@ func (a *apiClient) deleteTag(c echo.Context) error {
 repoPath = fmt.Sprintf("%s/%s", namespace, repo)
 }
 
- if a.checkDeletePermission(c.Request().Header.Get("X-WEBAUTH-USER")) {
+ data := a.setUserPermissions(c)
+ if data["deleteAllowed"].Bool() {
 a.client.DeleteTag(repoPath, tag)
 }
 
 return c.Redirect(http.StatusSeeOther, fmt.Sprintf("%s/%s/%s", a.config.BasePath, namespace, repo))
 }
 
-// dataWithPermissions returns a jet.VarMap with permission related information
-// set
-func (a *apiClient) dataWithPermissions(c echo.Context) jet.VarMap {
- user := c.Request().Header.Get("X-WEBAUTH-USER")
-
- data := jet.VarMap{}
- data.Set("user", user)
- data.Set("deleteAllowed", a.checkDeletePermission(user))
- data.Set("eventsAllowed", a.checkEventsPermission(user))
-
- return data
-}
-
-// checkDeletePermission check if tag deletion is allowed whether by anyone or permitted users.
-func (a *apiClient) checkDeletePermission(user string) bool {
- deleteAllowed := a.config.AnyoneCanDelete
- if !deleteAllowed {
- for _, u := range a.config.Admins {
- if u == user {
- deleteAllowed = true
- break
- }
- }
- }
- return deleteAllowed
-}
-
-// checkEventsPermission checks if anyone is allowed to view events or only
-// admins
-func (a *apiClient) checkEventsPermission(user string) bool {
- eventsAllowed := a.config.AnyoneCanViewEvents
- if !eventsAllowed {
- for _, u := range a.config.Admins {
- if u == user {
- eventsAllowed = true
- break
- }
- }
- }
- return eventsAllowed
-}
-
 // viewLog view events from sqlite.
 func (a *apiClient) viewLog(c echo.Context) error {
- data := a.dataWithPermissions(c)
+ data := a.setUserPermissions(c)
 data.Set("events", a.eventListener.GetEvents(""))
 
 return c.Render(http.StatusOK, "event_log.html", data)
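Review bot: `viewLog` computes `eventsAllowed` but never acts on it: it still calls `a.eventListener.GetEvents("")` and renders `event_log.html` for every caller, so unless the template itself suppresses the list (not visible in this hunk) the new `anyone_can_view_events` restriction is only a UI hint and a direct request to the log route hands the events to non-admins. Enforce it server-side before fetching anything, e.g. `if !data["eventsAllowed"].Bool() { return echo.NewHTTPError(http.StatusForbidden) }` right after the `setUserPermissions` call. `deleteTag` has the same shape, silently redirecting as if the delete succeeded when `deleteAllowed` is false; that predates this change but would deserve a 403 for the same reason. deleteTag's body starts above the hunk and viewLog's closing brace lies past it.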