mirror of
https://github.com/Quiq/docker-registry-ui.git
synced 2025-07-19 08:36:33 +00:00
Refactor user permissions
This commit is contained in:
Roman Vynar
parent
02a0bce3d2
commit
1510893392
@ -3,10 +3,13 @@
|
||||
### 0.9.5 (unreleased)
|
||||
|
||||
* Upgrade Go version to 1.19.0, alpine to 3.16 and other dependencies.
|
||||
* Added an option `purge_tags_keep_regexp` to preserve tags based on regexp (thanks to @dmaes).
|
||||
* Added an option `purge_tags_keep_from_file` to preserve tags for repos listed in the file provided.
|
||||
* Fix a bug when there was a bit more tags preserved than defined by `purge_tags_keep_count`.
|
||||
* Add an option `anyone_can_view_events` to restrict access to the event log. Set it to `true` to make event log accessible to anyone (to restore the previous behaviour), otherwise the default `false` will hide it and only admins can view it (thanks to @ribbybibby).
|
||||
* Add an option `purge_tags_keep_regexp` to preserve tags based on regexp (thanks to @dmaes).
|
||||
* Add an option `purge_tags_keep_from_file` to preserve tags for repos listed in the file provided.
|
||||
* When purging tags sort them by name reversibly when no date available, e.g. for OCI image format (thanks to @dmaes).
|
||||
* Fix a bug when there was a bit more tags preserved than defined by `purge_tags_keep_count`.
|
||||
|
||||
Also see `config.yml` in this repo for the description of new options.
|
||||
|
||||
### 0.9.4 (2022-04-06)
|
||||
|
||||
|
||||
@ -38,7 +38,9 @@ event_deletion_enabled: true
|
||||
# How long to cache repository list and tag counts.
|
||||
cache_refresh_interval: 10
|
||||
|
||||
# If users can delete tags. If set to False, then only admins listed below.
|
||||
# If all users can view the event log. If set to false, then only admins listed below.
|
||||
anyone_can_view_events: true
|
||||
# If all users can delete tags. If set to false, then only admins listed below.
|
||||
anyone_can_delete: false
|
||||
# Users allowed to delete tags.
|
||||
# This should be sent via X-WEBAUTH-USER header from your proxy.
|
||||
|
||||
65
web.go
65
web.go
@ -12,6 +12,18 @@ import (
|
||||
"github.com/tidwall/gjson"
|
||||
)
|
||||
|
||||
const usernameHTTPHeader = "X-WEBAUTH-USER"
|
||||
|
||||
func (a *apiClient) setUserPermissions(c echo.Context) jet.VarMap {
|
||||
user := c.Request().Header.Get(usernameHTTPHeader)
|
||||
|
||||
data := jet.VarMap{}
|
||||
data.Set("user", user)
|
||||
data.Set("eventsAllowed", a.config.AnyoneCanViewEvents || registry.ItemInSlice(user, a.config.Admins))
|
||||
data.Set("deleteAllowed", a.config.AnyoneCanDelete || registry.ItemInSlice(user, a.config.Admins))
|
||||
return data
|
||||
}
|
||||
|
||||
func (a *apiClient) viewRepositories(c echo.Context) error {
|
||||
namespace := c.Param("namespace")
|
||||
if namespace == "" {
|
||||
@ -19,7 +31,7 @@ func (a *apiClient) viewRepositories(c echo.Context) error {
|
||||
}
|
||||
|
||||
repos := a.client.Repositories(true)[namespace]
|
||||
data := a.dataWithPermissions(c)
|
||||
data := a.setUserPermissions(c)
|
||||
data.Set("namespace", namespace)
|
||||
data.Set("namespaces", a.client.Namespaces())
|
||||
data.Set("repos", repos)
|
||||
@ -38,7 +50,7 @@ func (a *apiClient) viewTags(c echo.Context) error {
|
||||
|
||||
tags := a.client.Tags(repoPath)
|
||||
|
||||
data := a.dataWithPermissions(c)
|
||||
data := a.setUserPermissions(c)
|
||||
data.Set("namespace", namespace)
|
||||
data.Set("repo", repo)
|
||||
data.Set("tags", tags)
|
||||
@ -128,7 +140,7 @@ func (a *apiClient) viewTagInfo(c echo.Context) error {
|
||||
}
|
||||
|
||||
// Populate template vars
|
||||
data := a.dataWithPermissions(c)
|
||||
data := a.setUserPermissions(c)
|
||||
data.Set("namespace", namespace)
|
||||
data.Set("repo", repo)
|
||||
data.Set("tag", tag)
|
||||
@ -154,58 +166,17 @@ func (a *apiClient) deleteTag(c echo.Context) error {
|
||||
repoPath = fmt.Sprintf("%s/%s", namespace, repo)
|
||||
}
|
||||
|
||||
if a.checkDeletePermission(c.Request().Header.Get("X-WEBAUTH-USER")) {
|
||||
data := a.setUserPermissions(c)
|
||||
if data["deleteAllowed"].Bool() {
|
||||
a.client.DeleteTag(repoPath, tag)
|
||||
}
|
||||
|
||||
return c.Redirect(http.StatusSeeOther, fmt.Sprintf("%s/%s/%s", a.config.BasePath, namespace, repo))
|
||||
}
|
||||
|
||||
// dataWithPermissions returns a jet.VarMap with permission related information
|
||||
// set
|
||||
func (a *apiClient) dataWithPermissions(c echo.Context) jet.VarMap {
|
||||
user := c.Request().Header.Get("X-WEBAUTH-USER")
|
||||
|
||||
data := jet.VarMap{}
|
||||
data.Set("user", user)
|
||||
data.Set("deleteAllowed", a.checkDeletePermission(user))
|
||||
data.Set("eventsAllowed", a.checkEventsPermission(user))
|
||||
|
||||
return data
|
||||
}
|
||||
|
||||
// checkDeletePermission check if tag deletion is allowed whether by anyone or permitted users.
|
||||
func (a *apiClient) checkDeletePermission(user string) bool {
|
||||
deleteAllowed := a.config.AnyoneCanDelete
|
||||
if !deleteAllowed {
|
||||
for _, u := range a.config.Admins {
|
||||
if u == user {
|
||||
deleteAllowed = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
return deleteAllowed
|
||||
}
|
||||
|
||||
// checkEventsPermission checks if anyone is allowed to view events or only
|
||||
// admins
|
||||
func (a *apiClient) checkEventsPermission(user string) bool {
|
||||
eventsAllowed := a.config.AnyoneCanViewEvents
|
||||
if !eventsAllowed {
|
||||
for _, u := range a.config.Admins {
|
||||
if u == user {
|
||||
eventsAllowed = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
return eventsAllowed
|
||||
}
|
||||
|
||||
// viewLog view events from sqlite.
|
||||
func (a *apiClient) viewLog(c echo.Context) error {
|
||||
data := a.dataWithPermissions(c)
|
||||
data := a.setUserPermissions(c)
|
||||
data.Set("events", a.eventListener.GetEvents(""))
|
||||
|
||||
return c.Render(http.StatusOK, "event_log.html", data)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user