From 20897fef6be4a07789e4b8cfa8d6925d98a2a35d Mon Sep 17 00:00:00 2001
From: ZDDC <caseywitt@proton.me>
Date: Sun, 3 May 2026 22:53:14 -0500
Subject: [PATCH] feat(server): public landing page (root bypasses dir-level
 ACL)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GET / and GET /index.html previously enforced the root .zddc's
top-level acl: gate before serving the landing page. On a deployment
where only specific emails are allowed at root, anonymous (and
unauthorized) callers got 403 — they couldn't even see the project
picker that would tell them which projects were available to them.

Make the landing page public:
  - cmd/zddc-server: drop the AllowedWithChain gate from the
    apps.Serve("landing") branch; drop it from the IsDir branch when
    urlPath == "/".
  - handler/directory.go: matching bypass for ServeDirectory at the
    root path (covers Accept: application/json and the case where a
    real /index.html exists on disk).

Per-project ACL is preserved end-to-end:
  - fs.ListDirectory continues to filter sub-entries per email, so
    anonymous callers see only projects whose .zddc allows them.
  - Subdirectory requests still hit the ACL gate.

Regression test in handler/directory_test.go covers all four cases
(anonymous public, anonymous filters out private, admin sees both,
anonymous still 403 on private subdir). Full go test ./... passes.
---
 zddc/cmd/zddc-server/main.go            |  27 +++--
 zddc/internal/handler/directory.go      |   8 +-
 zddc/internal/handler/directory_test.go | 128 ++++++++++++++++++++++++
 3 files changed, 152 insertions(+), 11 deletions(-)
 create mode 100644 zddc/internal/handler/directory_test.go

diff --git a/zddc/cmd/zddc-server/main.go b/zddc/cmd/zddc-server/main.go
index 06fcfba..6f11bc2 100644
--- a/zddc/cmd/zddc-server/main.go
+++ b/zddc/cmd/zddc-server/main.go
@@ -297,14 +297,16 @@ func dispatch(cfg config.Config, idx *archive.Index, ring *handler.LogRing, apps
 	// no real index.html on disk → serve via apps.Serve("landing"). The
 	// other four apps are caught by the "stat fails → app HTML?" branch
 	// below, which only triggers when no concrete file is at the URL path.
+	//
+	// The landing page is intentionally public (no ACL gate). It's a
+	// project picker — the per-project ACL filtering done by
+	// fs.ListDirectory still hides projects an anonymous (or unauthorized)
+	// caller can't reach. See also handler.ServeDirectory's matching
+	// root-path bypass.
 	if appsSrv != nil && (urlPath == "/" || urlPath == "/index.html") {
 		realIndex := filepath.Join(cfg.Root, "index.html")
 		if _, err := os.Stat(realIndex); os.IsNotExist(err) {
 			chain, _ := zddc.EffectivePolicy(cfg.Root, cfg.Root)
-			if !zddc.AllowedWithChain(chain, email) {
-				http.Error(w, "Forbidden", http.StatusForbidden)
-				return
-			}
 			if apps.AppAvailableAt(cfg.Root, cfg.Root, "landing") {
 				appsSrv.Serve(w, r, "landing", chain, cfg.Root)
 				return
@@ -353,11 +355,18 @@ func dispatch(cfg config.Config, idx *archive.Index, ring *handler.LogRing, apps
 	}
 
 	if info.IsDir() {
-		// ACL check
-		chain, _ := zddc.EffectivePolicy(cfg.Root, absPath)
-		if !zddc.AllowedWithChain(chain, email) {
-			http.Error(w, "Forbidden", http.StatusForbidden)
-			return
+		// ACL check — bypassed at the root path so the landing page (the
+		// project picker) is reachable by anyone, including anonymous.
+		// Per-project filtering happens inside ServeDirectory →
+		// fs.ListDirectory, which hides directories the caller can't
+		// reach. Subdirectory requests still hit this gate.
+		isRoot := urlPath == "/"
+		if !isRoot {
+			chain, _ := zddc.EffectivePolicy(cfg.Root, absPath)
+			if !zddc.AllowedWithChain(chain, email) {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 		}
 		if !strings.HasSuffix(urlPath, "/") {
 			http.Redirect(w, r, urlPath+"/", http.StatusMovedPermanently)
diff --git a/zddc/internal/handler/directory.go b/zddc/internal/handler/directory.go
index 169c924..2ae114a 100644
--- a/zddc/internal/handler/directory.go
+++ b/zddc/internal/handler/directory.go
@@ -40,7 +40,10 @@ func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) {
 	dirPath := strings.TrimPrefix(urlPath, "/")
 	dirPath = strings.TrimSuffix(dirPath, "/")
 
-	// ACL check on this directory itself
+	// ACL check on this directory itself.
+	// Bypassed at the root path: the landing page is a public project
+	// picker. Per-project filtering inside fs.ListDirectory still hides
+	// directories the caller can't reach.
 	absDir, ok := safeJoin(cfg.Root, dirPath)
 	if !ok {
 		http.Error(w, "Not Found", http.StatusNotFound)
@@ -50,7 +53,8 @@ func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		slog.Warn("ACL policy error", "path", absDir, "err", err)
 	}
-	if !zddc.AllowedWithChain(chain, email) {
+	isRoot := dirPath == ""
+	if !isRoot && !zddc.AllowedWithChain(chain, email) {
 		http.Error(w, "Forbidden", http.StatusForbidden)
 		return
 	}
diff --git a/zddc/internal/handler/directory_test.go b/zddc/internal/handler/directory_test.go
new file mode 100644
index 0000000..bfae56d
--- /dev/null
+++ b/zddc/internal/handler/directory_test.go
@@ -0,0 +1,128 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
+)
+
+// TestServeDirectoryRootIsPublic asserts that the landing page (the root
+// directory listing) is reachable by anyone, including anonymous callers
+// whose email is empty AND whose access would be denied by a restrictive
+// root .zddc. Per-project filtering inside fs.ListDirectory still hides
+// directories the caller can't reach (separately verified below).
+//
+// The behavior was changed when "Everyone needs to have access to the
+// landing page" became the explicit requirement; this test is the
+// regression guard.
+func TestServeDirectoryRootIsPublic(t *testing.T) {
+	root := t.TempDir()
+
+	// Restrictive root .zddc — only admin@example.com is allowed by ACL,
+	// nothing else. A user without that email would have been 403'd before
+	// the bypass.
+	if err := os.WriteFile(filepath.Join(root, ".zddc"),
+		[]byte("admins:\n  - admin@example.com\nacl:\n  allow:\n    - admin@example.com\n"),
+		0o644); err != nil {
+		t.Fatalf("write root .zddc: %v", err)
+	}
+
+	// One project visible to everyone, one only to admin.
+	for _, name := range []string{"PublicProj", "PrivateProj"} {
+		if err := os.MkdirAll(filepath.Join(root, name), 0o755); err != nil {
+			t.Fatalf("mkdir %s: %v", name, err)
+		}
+	}
+	if err := os.WriteFile(filepath.Join(root, "PublicProj", ".zddc"),
+		[]byte("acl:\n  allow: [\"*\"]\n"), 0o644); err != nil {
+		t.Fatalf("write PublicProj .zddc: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(root, "PrivateProj", ".zddc"),
+		[]byte("acl:\n  allow: [admin@example.com]\n"), 0o644); err != nil {
+		t.Fatalf("write PrivateProj .zddc: %v", err)
+	}
+
+	cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
+
+	t.Run("anonymous JSON GET / does not 403", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Accept", "application/json")
+		// Anonymous: empty email in context.
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusOK {
+			t.Fatalf("status = %d, want 200 (root is public); body = %s",
+				rec.Code, rec.Body.String())
+		}
+	})
+
+	t.Run("anonymous JSON GET / hides private projects", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Accept", "application/json")
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusOK {
+			t.Fatalf("status = %d, want 200; body = %s", rec.Code, rec.Body.String())
+		}
+
+		var entries []map[string]any
+		if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
+			t.Fatalf("invalid JSON: %v\n%s", err, rec.Body.String())
+		}
+
+		names := map[string]bool{}
+		for _, e := range entries {
+			if n, ok := e["name"].(string); ok {
+				names[n] = true
+			}
+		}
+		if !names["PublicProj/"] {
+			t.Errorf("PublicProj missing from anonymous listing: %v", names)
+		}
+		if names["PrivateProj/"] {
+			t.Errorf("PrivateProj leaked to anonymous listing: %v", names)
+		}
+	})
+
+	t.Run("admin JSON GET / sees both projects", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Accept", "application/json")
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, "admin@example.com"))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusOK {
+			t.Fatalf("admin status = %d, want 200", rec.Code)
+		}
+
+		var entries []map[string]any
+		if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
+			t.Fatalf("invalid JSON: %v", err)
+		}
+		if len(entries) != 2 {
+			t.Errorf("admin should see both projects; got %d", len(entries))
+		}
+	})
+
+	t.Run("anonymous still gets 403 on private subdirectory", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/PrivateProj/", nil)
+		req.Header.Set("Accept", "application/json")
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusForbidden {
+			t.Errorf("private subdir for anonymous: status = %d, want 403", rec.Code)
+		}
+	})
+}