Skip to content

🐛 fix(ui): enforce OCI read ACLs#213

Merged
gaborbernat merged 1 commit into
tox-dev:mainfrom
gaborbernat:fix/ui-oci-read-acls
Jul 13, 2026
Merged

🐛 fix(ui): enforce OCI read ACLs#213
gaborbernat merged 1 commit into
tox-dev:mainfrom
gaborbernat:fix/ui-oci-read-acls

Conversation

@gaborbernat

@gaborbernat gaborbernat commented Jul 12, 2026

Copy link
Copy Markdown
Member

Anonymous users could see private repository names and stored package data outside /v2/ through neutral browse and search routes that skipped OCI read ACLs (#190). 🔒

The server now resolves Basic or Bearer credentials once per index before browse drivers read repository data, then converts readable scopes into Tantivy predicates before counting and pagination. Public indexes retain their direct query path.

Invalid Basic credentials trigger a WWW-Authenticate challenge. Root-mounted OCI routes accept the same bearer scopes as nested routes; the OCI user guides and contributor architecture reference describe the boundary.

@gaborbernat gaborbernat added the bug Something isn't working label Jul 12, 2026
@read-the-docs-community

read-the-docs-community Bot commented Jul 12, 2026

Copy link
Copy Markdown

@codspeed-hq

codspeed-hq Bot commented Jul 12, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 29 untouched benchmarks
⏩ 62 skipped benchmarks1


Comparing gaborbernat:fix/ui-oci-read-acls (0a4513e) with main (afd8b0d)

Open in CodSpeed

Footnotes

  1. 62 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@gaborbernat gaborbernat force-pushed the fix/ui-oci-read-acls branch from c0766af to 7b28cf5 Compare July 12, 2026 19:48
@gaborbernat gaborbernat changed the title fix(ui): enforce OCI read ACLs 🐛 fix(ui): enforce OCI read ACLs Jul 12, 2026
@gaborbernat gaborbernat force-pushed the fix/ui-oci-read-acls branch from 7b28cf5 to 9de8d0c Compare July 12, 2026 21:16
@gaborbernat gaborbernat force-pushed the fix/ui-oci-read-acls branch 2 times, most recently from ce75ae1 to a3a93c5 Compare July 13, 2026 04:31
Anonymous users could browse private OCI repositories through neutral UI and
search routes because those routes skipped index read ACLs.

Check OCI read ACLs before browse drivers read repository data. Add readable
resource globs to the Tantivy query so private repositories do not affect totals
or pages. Resolve Basic credentials once per index and retain the public fast
path.

Fixes tox-dev#190
@gaborbernat gaborbernat force-pushed the fix/ui-oci-read-acls branch from a3a93c5 to 0a4513e Compare July 13, 2026 05:25
@gaborbernat gaborbernat enabled auto-merge (squash) July 13, 2026 05:27
@gaborbernat gaborbernat merged commit 38729f8 into tox-dev:main Jul 13, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant