Allow upload only of internal packages
authorSergey Matveev <stargrave@stargrave.org>
Fri, 6 Dec 2019 13:24:13 +0000 (16:24 +0300)
committerSergey Matveev <stargrave@stargrave.org>
Fri, 6 Dec 2019 13:24:13 +0000 (16:24 +0300)
gocheese.go
gocheese.texi

index 25a1b562918b1a6b35f7e48c663cfc38faa21829..8a4a6e59da74fe6f35a0e5c2b648992096991a5e 100644 (file)
@@ -328,6 +328,7 @@ func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) {
 }
 
 func serveUpload(w http.ResponseWriter, r *http.Request) {
+       // Authentication
        username, password, ok := r.BasicAuth()
        if !ok {
                log.Println(r.RemoteAddr, "unauthenticated", username)
@@ -340,6 +341,8 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                http.Error(w, "unauthenticated", http.StatusUnauthorized)
                return
        }
+
+       // Form parsing
        var err error
        if err = r.ParseMultipartForm(1 << 20); err != nil {
                http.Error(w, err.Error(), http.StatusBadRequest)
@@ -347,7 +350,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
        }
        pkgNames, exists := r.MultipartForm.Value["name"]
        if !exists || len(pkgNames) != 1 {
-               http.Error(w, "name is expected in request", http.StatusBadRequest)
+               http.Error(w, "single name is expected in request", http.StatusBadRequest)
                return
        }
        dir := normalizationRe.ReplaceAllString(pkgNames[0], "-")
@@ -361,6 +364,14 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                }
        }
        gpgSigsExpected := make(map[string]struct{})
+
+       // Checking is it internal package
+       if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
+               log.Println(r.RemoteAddr, "non-internal package", dir)
+               http.Error(w, "unknown internal package", http.StatusUnauthorized)
+               return
+       }
+
        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
                gpgSigsExpected[filename+GPGSigExt] = struct{}{}
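Review bot: The refusal added before the `content` loop answers with `http.StatusUnauthorized`, but BasicAuth has already succeeded at this point, so the request is being denied on authorization rather than authentication; `http.Error(w, "unknown internal package", http.StatusForbidden)` describes that and should keep clients from treating it as a credentials failure. Treating every `os.Stat` error as "not internal" fails closed, which is the right default, but the log line drops both `err` and the authenticated `username`, so a permission or I/O fault on the flag file looks the same in the audit trail as a rejected upload; consider `log.Println(r.RemoteAddr, "non-internal package", dir, username, err)`. serveUpload's body starts and continues outside this hunk.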
@@ -368,28 +379,19 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
                        log.Println(r.RemoteAddr, "already exists", filename)
-                       http.Error(w, "Already exists", http.StatusBadRequest)
+                       http.Error(w, "already exists", http.StatusBadRequest)
                        return
                }
                if !mkdirForPkg(w, r, dir) {
                        return
                }
-               internalPath := filepath.Join(dirPath, InternalFlag)
-               var dst *os.File
-               if _, err = os.Stat(internalPath); os.IsNotExist(err) {
-                       if dst, err = os.Create(internalPath); err != nil {
-                               http.Error(w, err.Error(), http.StatusInternalServerError)
-                               return
-                       }
-                       dst.Close()
-               }
                src, err := file.Open()
                defer src.Close()
                if err != nil {
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
-               dst, err = TempFile(dirPath)
+               dst, err := TempFile(dirPath)
                if err != nil {
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
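Review bot: The new internal-package check gates `dirPath`, but the write target is still `filepath.Join(dirPath, filename)` with `filename` taken from `file.Filename`, and nothing visible in these hunks constrains it to a bare name. Depending on the Go version, mime/multipart may pass the client-supplied name through unchanged, so a name containing path separators could resolve outside the directory that was just verified; rejecting it up front, e.g. `if filename != filepath.Base(filename) { http.Error(w, "invalid filename", http.StatusBadRequest); return }`, keeps the upload inside the checked package. The same join appears in the later loop shown in the hunk at -440. Separately, `defer src.Close()` sits before the `err` check on `file.Open()` and should move below it, since `src` is nil when the open fails. The loop body starts and ends outside this hunk.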
@@ -440,7 +442,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
                        log.Println(r.RemoteAddr, "already exists", filename)
-                       http.Error(w, "Already exists", http.StatusBadRequest)
+                       http.Error(w, "already exists", http.StatusBadRequest)
                        return
                }
                src, err := file.Open()
index 6cf12bca82477ddfc2cdcc7e064ab553759edaa4..26ab1789dd4a75f1daa548d93789738c5b8cd103 100644 (file)
@@ -89,6 +89,10 @@ password: foo
 If @command{twine} sends SHA256 checksum in the request, then uploaded
 file is checked against it.
 
+Pay attention that you have to manually create corresponding private
+package directory! You are not allowed to upload anything explicitly
+flagged as private.
+
 @node Passwords
 @unnumbered Password authentication