Refactor user permissions
This commit is contained in:
parent
02a0bce3d2
commit
1510893392
@ -3,10 +3,13 @@
|
|||||||
### 0.9.5 (unreleased)
|
### 0.9.5 (unreleased)
|
||||||
|
|
||||||
* Upgrade Go version to 1.19.0, alpine to 3.16 and other dependencies.
|
* Upgrade Go version to 1.19.0, alpine to 3.16 and other dependencies.
|
||||||
* Added an option `purge_tags_keep_regexp` to preserve tags based on regexp (thanks to @dmaes).
|
* Add an option `anyone_can_view_events` to restrict access to the event log. Set it to `true` to make event log accessible to anyone (to restore the previous behaviour), otherwise the default `false` will hide it and only admins can view it (thanks to @ribbybibby).
|
||||||
* Added an option `purge_tags_keep_from_file` to preserve tags for repos listed in the file provided.
|
* Add an option `purge_tags_keep_regexp` to preserve tags based on regexp (thanks to @dmaes).
|
||||||
* Fix a bug when there was a bit more tags preserved than defined by `purge_tags_keep_count`.
|
* Add an option `purge_tags_keep_from_file` to preserve tags for repos listed in the file provided.
|
||||||
* When purging tags sort them by name reversibly when no date available, e.g. for OCI image format (thanks to @dmaes).
|
* When purging tags sort them by name reversibly when no date available, e.g. for OCI image format (thanks to @dmaes).
|
||||||
|
* Fix a bug when there was a bit more tags preserved than defined by `purge_tags_keep_count`.
|
||||||
|
|
||||||
|
Also see `config.yml` in this repo for the description of new options.
|
||||||
|
|
||||||
### 0.9.4 (2022-04-06)
|
### 0.9.4 (2022-04-06)
|
||||||
|
|
||||||
|
@ -38,7 +38,9 @@ event_deletion_enabled: true
|
|||||||
# How long to cache repository list and tag counts.
|
# How long to cache repository list and tag counts.
|
||||||
cache_refresh_interval: 10
|
cache_refresh_interval: 10
|
||||||
|
|
||||||
# If users can delete tags. If set to False, then only admins listed below.
|
# If all users can view the event log. If set to false, then only admins listed below.
|
||||||
|
anyone_can_view_events: true
|
||||||
|
# If all users can delete tags. If set to false, then only admins listed below.
|
||||||
anyone_can_delete: false
|
anyone_can_delete: false
|
||||||
# Users allowed to delete tags.
|
# Users allowed to delete tags.
|
||||||
# This should be sent via X-WEBAUTH-USER header from your proxy.
|
# This should be sent via X-WEBAUTH-USER header from your proxy.
|
||||||
|
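Review bot: The sample config enables `anyone_can_view_events: true`, the permissive value, while the CHANGELOG entry in this same commit says the default is `false` and that the option exists to hide the event log from non-admins; anyone who starts from this sample therefore keeps the pre-change exposure. Consider shipping `anyone_can_view_events: false` in the sample, as `anyone_can_delete` already is, and letting operators opt in. The comment `# If all users can view the event log. If set to false, then only admins listed below.` could also say that `false` is the default when the key is absent, so readers do not have to consult the changelog.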
65
web.go
65
web.go
@ -12,6 +12,18 @@ import (
|
|||||||
"github.com/tidwall/gjson"
|
"github.com/tidwall/gjson"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const usernameHTTPHeader = "X-WEBAUTH-USER"
|
||||||
|
|
||||||
|
func (a *apiClient) setUserPermissions(c echo.Context) jet.VarMap {
|
||||||
|
user := c.Request().Header.Get(usernameHTTPHeader)
|
||||||
|
|
||||||
|
data := jet.VarMap{}
|
||||||
|
data.Set("user", user)
|
||||||
|
data.Set("eventsAllowed", a.config.AnyoneCanViewEvents || registry.ItemInSlice(user, a.config.Admins))
|
||||||
|
data.Set("deleteAllowed", a.config.AnyoneCanDelete || registry.ItemInSlice(user, a.config.Admins))
|
||||||
|
return data
|
||||||
|
}
|
||||||
|
|
||||||
func (a *apiClient) viewRepositories(c echo.Context) error {
|
func (a *apiClient) viewRepositories(c echo.Context) error {
|
||||||
namespace := c.Param("namespace")
|
namespace := c.Param("namespace")
|
||||||
if namespace == "" {
|
if namespace == "" {
|
||||||
@ -19,7 +31,7 @@ func (a *apiClient) viewRepositories(c echo.Context) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
repos := a.client.Repositories(true)[namespace]
|
repos := a.client.Repositories(true)[namespace]
|
||||||
data := a.dataWithPermissions(c)
|
data := a.setUserPermissions(c)
|
||||||
data.Set("namespace", namespace)
|
data.Set("namespace", namespace)
|
||||||
data.Set("namespaces", a.client.Namespaces())
|
data.Set("namespaces", a.client.Namespaces())
|
||||||
data.Set("repos", repos)
|
data.Set("repos", repos)
|
||||||
@ -38,7 +50,7 @@ func (a *apiClient) viewTags(c echo.Context) error {
|
|||||||
|
|
||||||
tags := a.client.Tags(repoPath)
|
tags := a.client.Tags(repoPath)
|
||||||
|
|
||||||
data := a.dataWithPermissions(c)
|
data := a.setUserPermissions(c)
|
||||||
data.Set("namespace", namespace)
|
data.Set("namespace", namespace)
|
||||||
data.Set("repo", repo)
|
data.Set("repo", repo)
|
||||||
data.Set("tags", tags)
|
data.Set("tags", tags)
|
||||||
@ -128,7 +140,7 @@ func (a *apiClient) viewTagInfo(c echo.Context) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Populate template vars
|
// Populate template vars
|
||||||
data := a.dataWithPermissions(c)
|
data := a.setUserPermissions(c)
|
||||||
data.Set("namespace", namespace)
|
data.Set("namespace", namespace)
|
||||||
data.Set("repo", repo)
|
data.Set("repo", repo)
|
||||||
data.Set("tag", tag)
|
data.Set("tag", tag)
|
||||||
@ -154,58 +166,17 @@ func (a *apiClient) deleteTag(c echo.Context) error {
|
|||||||
repoPath = fmt.Sprintf("%s/%s", namespace, repo)
|
repoPath = fmt.Sprintf("%s/%s", namespace, repo)
|
||||||
}
|
}
|
||||||
|
|
||||||
if a.checkDeletePermission(c.Request().Header.Get("X-WEBAUTH-USER")) {
|
data := a.setUserPermissions(c)
|
||||||
|
if data["deleteAllowed"].Bool() {
|
||||||
a.client.DeleteTag(repoPath, tag)
|
a.client.DeleteTag(repoPath, tag)
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.Redirect(http.StatusSeeOther, fmt.Sprintf("%s/%s/%s", a.config.BasePath, namespace, repo))
|
return c.Redirect(http.StatusSeeOther, fmt.Sprintf("%s/%s/%s", a.config.BasePath, namespace, repo))
|
||||||
}
|
}
|
||||||
|
|
||||||
// dataWithPermissions returns a jet.VarMap with permission related information
|
|
||||||
// set
|
|
||||||
func (a *apiClient) dataWithPermissions(c echo.Context) jet.VarMap {
|
|
||||||
user := c.Request().Header.Get("X-WEBAUTH-USER")
|
|
||||||
|
|
||||||
data := jet.VarMap{}
|
|
||||||
data.Set("user", user)
|
|
||||||
data.Set("deleteAllowed", a.checkDeletePermission(user))
|
|
||||||
data.Set("eventsAllowed", a.checkEventsPermission(user))
|
|
||||||
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
|
|
||||||
// checkDeletePermission check if tag deletion is allowed whether by anyone or permitted users.
|
|
||||||
func (a *apiClient) checkDeletePermission(user string) bool {
|
|
||||||
deleteAllowed := a.config.AnyoneCanDelete
|
|
||||||
if !deleteAllowed {
|
|
||||||
for _, u := range a.config.Admins {
|
|
||||||
if u == user {
|
|
||||||
deleteAllowed = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return deleteAllowed
|
|
||||||
}
|
|
||||||
|
|
||||||
// checkEventsPermission checks if anyone is allowed to view events or only
|
|
||||||
// admins
|
|
||||||
func (a *apiClient) checkEventsPermission(user string) bool {
|
|
||||||
eventsAllowed := a.config.AnyoneCanViewEvents
|
|
||||||
if !eventsAllowed {
|
|
||||||
for _, u := range a.config.Admins {
|
|
||||||
if u == user {
|
|
||||||
eventsAllowed = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return eventsAllowed
|
|
||||||
}
|
|
||||||
|
|
||||||
// viewLog view events from sqlite.
|
// viewLog view events from sqlite.
|
||||||
func (a *apiClient) viewLog(c echo.Context) error {
|
func (a *apiClient) viewLog(c echo.Context) error {
|
||||||
data := a.dataWithPermissions(c)
|
data := a.setUserPermissions(c)
|
||||||
data.Set("events", a.eventListener.GetEvents(""))
|
data.Set("events", a.eventListener.GetEvents(""))
|
||||||
|
|
||||||
return c.Render(http.StatusOK, "event_log.html", data)
|
return c.Render(http.StatusOK, "event_log.html", data)
|
||||||
|
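Review bot: In `deleteTag` the authorization decision now goes through the template variable map, `if data["deleteAllowed"].Bool() {`; `data` is a `jet.VarMap`, which appears to hold `reflect.Value` entries, so a missing or renamed key would yield a zero `reflect.Value` whose `Bool()` panics instead of returning false, and the check is coupled to a string key that exists for the view layer. Keeping the decision in Go is clearer: `user := c.Request().Header.Get(usernameHTTPHeader)` followed by `if a.config.AnyoneCanDelete || registry.ItemInSlice(user, a.config.Admins) {`, with `setUserPermissions` evaluating the same expression. `setUserPermissions` also lost the doc comment its predecessor `dataWithPermissions` had, and it does not set anything on the user, so a comment such as `// setUserPermissions builds the template vars for the requesting user: "user", "eventsAllowed" and "deleteAllowed".` would help. Since every decision hinges on `usernameHTTPHeader`, the constant deserves a comment noting that the value is trusted exactly as the fronting proxy sends it, so the UI must only be reachable through a proxy that sets or strips that header.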