ZDDC
2d114fcb96
Three coordinated changes that share the same files. Common theme:
convention beats exception. Where the codebase had a bespoke wire shape
or a special-case route, replace it with the generic shape every other
client already speaks.
== Listing protocol ==
GET / Accept: application/json used to dispatch to a bespoke
ServeProjectList handler returning {name, url, title} per project — a
shape that diverged from every other directory's listing.FileInfo
response. Now:
- listing.FileInfo gains an optional `title` field (read from each
directory's own .zddc title:). Generic clients (landing, browse)
read the same shape from every URL.
- appfs.ListDirectory emits a virtual `.zddc` entry (is_dir:false,
virtual:true) when no on-disk file exists at that path and the
caller asked for ?hidden=1. Opens an editable view of the cascade
defaults; PUT-saving its bytes materialises a real file.
- The bespoke GET / JSON branch in cmd/zddc-server/main.go is gone.
The bare-root landing serve is Accept-gated: HTML requests get the
landing tool (project picker), JSON requests fall through to
ServeDirectory and get the generic listing.
- landing's fetchProjects filters the new generic shape (is_dir,
strip trailing slash) — same pattern fetchParties already used at
/<project>/archive/.
== Form editor retirement ==
`<dir>/.zddc.html` was a server-rendered form for editing per-directory
.zddc files (~900 LOC across zddceditor.go, zddchandler.go, zddc_assets.go).
Browse's YAML/CodeMirror editor (with .zddc-schema lint) already edits
the same files via the generic file-API. Two ways to edit the same data
is exception, not convention.
- Delete zddceditor.go, zddchandler.go, zddc_assets.go and tests.
- `/<dir>/.zddc.html` → 302 redirect to `/<dir>/?file=.zddc` (browse
opens the .zddc in its editor pane).
- /.profile/zddc/* namespace deleted (REST API + assets sub-route).
- Profile page's "Editable .zddc files" list links to browse.
- ServeZddcFile's 405 message + virtual-body comment point at the
browse URL instead of the dead form.
== Admin elevation (Principal model) ==
Sudo-style: admins are treated as normal users by default; opting into
admin powers is per-request and gated by a `zddc-elevate=1` cookie.
- zddc.Principal{Email, Elevated} replaces bare-email arguments on
IsAdmin / IsSubtreeAdmin / CanEditZddc. The signature change makes
the elevation gate compiler-enforced at every admin call site —
audit-fragility is gone. The empty-email short-circuit is no longer
load-bearing for elevation; Principal.gate() is the explicit check.
- handler.ACLMiddleware derives Elevated per request: bearer tokens
are implicitly elevated (CLI clients can't toggle a cookie); browser
sessions elevate only when zddc-elevate=1 is set. PrincipalFromContext(r)
is the one-call-per-site bundling helper.
- Every admin-check call site updated to pass a Principal.
- /.auth/admin (forward_auth target for the dev-shell IDE) explicitly
bypasses elevation with a synthetic-elevated Principal — different
cookie scope than zddc-server origin, documented inline.
- AccessView gains CanElevate (elevation-independent "does this email
have admin authority anywhere?") so the header toggle can render
itself for an un-elevated admin who hasn't opted in yet.
- ServeProjectList is removed; ProjectInfo + EnumerateProjects stay
for the profile page's server-rendered project list.
- MatchAppHTML stays — still used by main.go to route <dir>/<tool>.html
URLs to the apps subsystem when no real file exists.
- Test helpers carry Elevated=true by default (matches the
pre-elevation default; tests for the un-elevated gate use the
explicit form).
Go tests pass across all 14 internal packages. Browse + every other
tool rebuilds clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
141 lines
4.5 KiB
Go
141 lines
4.5 KiB
Go
package handler
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
)
|
|
|
|
// writeError is the JSON envelope used by admin-write endpoints to
|
|
// surface zddc.ValidateFile field errors back to the caller.
|
|
type writeError struct {
|
|
Errors []zddc.FieldError `json:"errors"`
|
|
}
|
|
|
|
// projectCreateRequest is the wire shape for POST /.profile/projects.
|
|
//
|
|
// All fields except parent and name are optional. The ACL/admins/title
|
|
// fields are bundled into a starter .zddc only if at least one is supplied;
|
|
// otherwise the new directory is left empty and inherits ACL from its
|
|
// ancestors.
|
|
type projectCreateRequest struct {
|
|
Parent string `json:"parent"`
|
|
Name string `json:"name"`
|
|
Title string `json:"title,omitempty"`
|
|
ACL *zddc.ACLRules `json:"acl,omitempty"`
|
|
Admins []string `json:"admins,omitempty"`
|
|
}
|
|
|
|
// projectCreateResponse is the success payload.
|
|
type projectCreateResponse struct {
|
|
Path string `json:"path"`
|
|
URL string `json:"url"`
|
|
}
|
|
|
|
// serveProfileProjectsCreate handles POST /.profile/projects.
|
|
//
|
|
// Authorization is delegated to CanEditZddc on the prospective new
|
|
// directory: the caller must have authority that would let them write a
|
|
// .zddc at that location (super-admin via root admins, or a strict-ancestor
|
|
// admin grant). Non-authorized callers receive 404 to keep this endpoint's
|
|
// existence hidden alongside the rest of the admin surface.
|
|
func serveProfileProjectsCreate(cfg config.Config, w http.ResponseWriter, r *http.Request) {
|
|
// Admin gate first so non-admins (AND un-elevated admins) see 404
|
|
// regardless of method, matching the rest of /.profile/'s existence-
|
|
// leakage policy.
|
|
p := PrincipalFromContext(r)
|
|
if !hasAnyAdminScope(cfg.Root, p) {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
if r.Method != http.MethodPost {
|
|
w.Header().Set("Allow", "POST")
|
|
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
defer r.Body.Close()
|
|
dec := json.NewDecoder(r.Body)
|
|
dec.DisallowUnknownFields()
|
|
var req projectCreateRequest
|
|
if err := dec.Decode(&req); err != nil {
|
|
http.Error(w, "Bad Request: "+err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if err := zddc.ValidateProjectName(req.Name); err != nil {
|
|
writeFieldError(w, http.StatusBadRequest, "name", err.Error())
|
|
return
|
|
}
|
|
parentAbs, err := resolvePath(cfg.Root, req.Parent)
|
|
if err != nil {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
if pi, err := os.Stat(parentAbs); err != nil || !pi.IsDir() {
|
|
http.Error(w, "Parent directory not found", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
newDir := filepath.Join(parentAbs, req.Name)
|
|
if !zddc.CanEditZddc(cfg.Root, newDir, p) {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
|
|
if _, err := os.Stat(newDir); err == nil {
|
|
http.Error(w, "Conflict: directory already exists", http.StatusConflict)
|
|
return
|
|
}
|
|
|
|
// If the body supplies any .zddc fields, validate them BEFORE we mkdir
|
|
// so a validation failure leaves no on-disk trace.
|
|
wantsZddc := req.Title != "" || (req.ACL != nil && (len(req.ACL.Allow) > 0 || len(req.ACL.Deny) > 0)) || len(req.Admins) > 0
|
|
var zf zddc.ZddcFile
|
|
if wantsZddc {
|
|
zf.Title = req.Title
|
|
if req.ACL != nil {
|
|
zf.ACL = *req.ACL
|
|
}
|
|
zf.Admins = req.Admins
|
|
if errs := zddc.ValidateFile(zf); len(errs) > 0 {
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_ = json.NewEncoder(w).Encode(writeError{Errors: errs})
|
|
return
|
|
}
|
|
}
|
|
|
|
if err := os.MkdirAll(newDir, 0o755); err != nil {
|
|
http.Error(w, "Internal Server Error: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if wantsZddc {
|
|
if err := zddc.WriteFile(newDir, zf); err != nil {
|
|
// Best-effort rollback: remove the empty dir we just created.
|
|
_ = os.Remove(newDir)
|
|
http.Error(w, "Internal Server Error: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
|
|
urlPath := urlPathOf(cfg.Root, newDir)
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(http.StatusCreated)
|
|
_ = json.NewEncoder(w).Encode(projectCreateResponse{
|
|
Path: urlPath,
|
|
URL: urlPath + "/",
|
|
})
|
|
}
|
|
|
|
// writeFieldError emits a single-error writeError JSON body — used when
|
|
// validation fails for a top-level scalar field like `name`.
|
|
func writeFieldError(w http.ResponseWriter, status int, field, message string) {
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(status)
|
|
_ = json.NewEncoder(w).Encode(writeError{Errors: []zddc.FieldError{{Field: field, Message: message}}})
|
|
}
|