VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	fd4f03afc3	fix(policy): read-path ACL honors admin bypass via AllowFromChainP Reads (apps resolution, directory listing, file GET, archive index, profile pages, subtree zip, form render) used policy.AllowFromChain with email — no admin-bypass branch fired even for elevated admins, because IsActiveAdmin only landed in AllowActionFromChainP. Symptom: elevated admin navigating to /browse.html got 403 because the root cascade has no explicit read grants in my refactored root .zddc (role memberships + admins only; no acl.permissions). The app-resolution path's AllowFromChain didn't see admin status. Fix: new policy.AllowFromChainP that forwards to AllowActionFromChainP(action=read). Migrate every read-path caller to the principal-aware variant. The decider's single bypass branch now fires uniformly across read and write decisions. Migrated: cmd/zddc-server/main.go (9 sites) handler/directory.go (1) handler/archivehandler.go (2) handler/zddcfile.go (1) handler/formhandler.go (3) handler/projectshandler.go (1; EnumerateProjects sig takes Principal) handler/subtreezip.go (1) fs/tree.go (1; uses already-built principal) profilehandler.go:400 stays on AllowFromChain — it probes ACL for a DIFFERENT email (the enumeration target, not the request principal), so admin bypass on the request's principal doesn't apply. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 09:54:46 -05:00
ZDDC	167a56dc07	refactor: virtual file extensions for subtree zip + MD conversion Replace `?zip=1` / `?convert=docx\|html\|pdf` query forms with path-suffix URLs that look like ordinary files. `<dir>.zip` and `<file>.docx` / `.html` / `.pdf` are virtual files served by the dispatcher when stat fails at the requested path AND the corresponding base resource exists: GET /Project-1/archive.zip ← if archive/ is a real directory GET /Project-1/notes.docx ← if notes.md exists Real on-disk files always win — a genuine archive.zip in the tree serves its bytes normally. The virtual forms only fire when nothing real is there. Why: the URL form lets clients emit plain <a href> without query- string handling; `curl -O` writes a sensible filename; mirror tools pick up the path through normal recursion; the protocol surface becomes "every URL is a file". Bash + filesystem mental model. Server: - New helpers handler.RecognizeVirtualSubtreeZip / RecognizeVirtualConvert (in subtreezip.go and converthandler.go). - Dispatcher's stat-fails branch checks them between IsDefaultMdlSpec and MatchAppHTML. ACL is enforced on the base resource (the source directory for zip, the .md source for convert). - Three legacy query-form branches removed from main.go. Client: - browse/js/download.js: `dir + '.zip'` instead of `dir + '/?zip=1'`. - browse/js/preview-markdown.js: convert anchor hrefs become `<mdUrl-minus-.md>.<fmt>` instead of `<mdUrl>?convert=<fmt>`. - shared/zddc-source.js downloadConverted: same transform. Tests: subtreezip_test.go test URLs cosmetically updated to the new shape (the handler is exercised directly, so the URL is metadata only, but the test reads better). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-14 12:23:37 -05:00
ZDDC	81e065e5b0	feat(zddc): GET /dir/?zip=1 — stream an ACL-filtered .zip of a subtree zddc-server can now hand back a whole directory subtree as a single streamed application/zip download: GET /some/dir/?zip=1 (works on both /dir and /dir/) → Content-Type: application/zip + Content-Disposition: attachment; filename="<dir>.zip", containing every readable file under /some/dir/, recursively. handler.ServeSubtreeZip walks the tree with filepath.WalkDir, ACL-gates each file by the .zddc chain of its containing directory (per-dir decision cache, same shape as serveArchiveListing), skips hidden entries ("." and "_" prefixes — .zddc, _template, _app), and adds a .zip file it encounters as opaque bytes (it does not recurse into it — that's the navigable-virtual-surface feature, a different thing). The response is streamed (zip.NewWriter straight onto the ResponseWriter, Store for already-compressed extensions, Deflate otherwise), so a fully-ACL-denied or empty subtree just yields a valid empty zip rather than a 403 (a stream can't change status after the headers go out; empty leaks no more than 403). HEAD sends the headers and no body. The dispatch's directory ACL gate still runs first, so a viewer who can't read the directory gets 403 before the handler. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-12 12:59:17 -05:00

Author

SHA1

Message

Date

ZDDC

fd4f03afc3

fix(policy): read-path ACL honors admin bypass via AllowFromChainP

Reads (apps resolution, directory listing, file GET, archive index,
profile pages, subtree zip, form render) used policy.AllowFromChain
with email — no admin-bypass branch fired even for elevated admins,
because IsActiveAdmin only landed in AllowActionFromChainP.

Symptom: elevated admin navigating to /browse.html got 403 because
the root cascade has no explicit read grants in my refactored root
.zddc (role memberships + admins only; no acl.permissions). The
app-resolution path's AllowFromChain didn't see admin status.

Fix: new policy.AllowFromChainP that forwards to
AllowActionFromChainP(action=read). Migrate every read-path caller
to the principal-aware variant. The decider's single bypass branch
now fires uniformly across read and write decisions.

Migrated:
  cmd/zddc-server/main.go        (9 sites)
  handler/directory.go           (1)
  handler/archivehandler.go      (2)
  handler/zddcfile.go            (1)
  handler/formhandler.go         (3)
  handler/projectshandler.go     (1; EnumerateProjects sig takes Principal)
  handler/subtreezip.go          (1)
  fs/tree.go                     (1; uses already-built principal)

profilehandler.go:400 stays on AllowFromChain — it probes ACL for a
DIFFERENT email (the enumeration target, not the request principal),
so admin bypass on the request's principal doesn't apply.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 09:54:46 -05:00

ZDDC

167a56dc07

refactor: virtual file extensions for subtree zip + MD conversion

Replace `?zip=1` / `?convert=docx|html|pdf` query forms with path-suffix
URLs that look like ordinary files. `<dir>.zip` and `<file>.docx` /
`.html` / `.pdf` are virtual files served by the dispatcher when stat
fails at the requested path AND the corresponding base resource exists:

  GET /Project-1/archive.zip          ← if archive/ is a real directory
  GET /Project-1/notes.docx           ← if notes.md exists

Real on-disk files always win — a genuine archive.zip in the tree
serves its bytes normally. The virtual forms only fire when nothing
real is there.

Why: the URL form lets clients emit plain <a href> without query-
string handling; `curl -O` writes a sensible filename; mirror tools
pick up the path through normal recursion; the protocol surface
becomes "every URL is a file". Bash + filesystem mental model.

Server:
- New helpers handler.RecognizeVirtualSubtreeZip /
  RecognizeVirtualConvert (in subtreezip.go and converthandler.go).
- Dispatcher's stat-fails branch checks them between IsDefaultMdlSpec
  and MatchAppHTML. ACL is enforced on the base resource (the source
  directory for zip, the .md source for convert).
- Three legacy query-form branches removed from main.go.

Client:
- browse/js/download.js: `dir + '.zip'` instead of `dir + '/?zip=1'`.
- browse/js/preview-markdown.js: convert anchor hrefs become
  `<mdUrl-minus-.md>.<fmt>` instead of `<mdUrl>?convert=<fmt>`.
- shared/zddc-source.js downloadConverted: same transform.

Tests: subtreezip_test.go test URLs cosmetically updated to the new
shape (the handler is exercised directly, so the URL is metadata only,
but the test reads better).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-14 12:23:37 -05:00

ZDDC

81e065e5b0

feat(zddc): GET /dir/?zip=1 — stream an ACL-filtered .zip of a subtree

zddc-server can now hand back a whole directory subtree as a single
streamed application/zip download: GET /some/dir/?zip=1 (works on both
/dir and /dir/) → Content-Type: application/zip + Content-Disposition:
attachment; filename="<dir>.zip", containing every readable file under
/some/dir/, recursively.

handler.ServeSubtreeZip walks the tree with filepath.WalkDir, ACL-gates
each file by the .zddc chain of its containing directory (per-dir
decision cache, same shape as serveArchiveListing), skips hidden
entries ("." and "_" prefixes — .zddc, _template, _app), and adds a
.zip *file* it encounters as opaque bytes (it does not recurse into it
— that's the navigable-virtual-surface feature, a different thing).
The response is streamed (zip.NewWriter straight onto the
ResponseWriter, Store for already-compressed extensions, Deflate
otherwise), so a fully-ACL-denied or empty subtree just yields a valid
empty zip rather than a 403 (a stream can't change status after the
headers go out; empty leaks no more than 403). HEAD sends the headers
and no body. The dispatch's directory ACL gate still runs first, so a
viewer who can't read the directory gets 403 before the handler.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-12 12:59:17 -05:00

3 commits