From 2cb0970a319b820b02c05c9b8e3fecbd4436a14a Mon Sep 17 00:00:00 2001
From: Bryan Ashby
Date: Thu, 22 Sep 2022 21:24:24 -0600
Subject: [PATCH] Add 'allowPosting' config
---
 core/servers/content/nntp.js | 19 +++++++++++--------
 docs/_docs/servers/contentservers/nntp.md | 13 ++++++++++++-
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/core/servers/content/nntp.js b/core/servers/content/nntp.js
index dbc3febc..2ce67e31 100644
--- a/core/servers/content/nntp.js
+++ b/core/servers/content/nntp.js
@@ -121,6 +121,7 @@ const Responses = {
 SendArticle: '340 send article to be posted',
+ PostingNotAllowed: '440 posting not allowed',
 ArticlePostFailed: '441 posting failed',
 AuthRequired: '480 authentication required',
 };
@@ -1258,11 +1259,6 @@ exports.getModule = class NNTPServerModule extends ServerModule {
 const config = Config();
- // add in some additional supported commands
- const commands = Object.assign({}, NNTPServerBase.commands, {
- POST: PostCommand,
- });
-
 // :TODO: nntp-server doesn't currently allow posting in a nice way, so this is kludged in. Fork+MR something cleaner at some point
 class ProxySession extends NNTPServerBase.Session {
 constructor(server, stream) {
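Review bot: `PostingNotAllowed` is added to `Responses` in the first hunk, but nothing in this patch ever sends it. With posting disabled, the later hunk simply leaves `POST` out of the command table, so a client that tries to post presumably gets the library's generic unknown-command reply rather than `440`. If the intent is to answer `440 posting not allowed`, register a POST handler in both cases and have it return `Responses.PostingNotAllowed` when the flag is off; otherwise drop the constant so the table does not list a reply that is never produced. The `Responses` object starts outside the hunk.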
@@ -1333,12 +1329,19 @@ exports.getModule = class NNTPServerModule extends ServerModule {
 }
 const commonOptions = {
- //requireAuth : true, // :TODO: re-enable!
 // :TODO: How to hook into debugging?!
- commands,
- session: ProxySession, // :TODO: only do this is config.postingAllowed is true, else '440 posting not allowed' even if authenticated
 };
+ if (true === _.get(config, 'contentServers.nntp.allowPosts')) {
+ // add in some additional supported commands
+ const commands = Object.assign({}, NNTPServerBase.commands, {
+ POST: PostCommand,
+ });
+
+ commonOptions.commands = commands;
+ commonOptions.session = ProxySession;
+ }
+
 if (this.enableNntp) {
 this.nntpServer = new NNTPServer(
 // :TODO: according to docs: if connection is non-tls, but behind proxy (assuming TLS termination?!!) then set this to true
diff --git a/docs/_docs/servers/contentservers/nntp.md b/docs/_docs/servers/contentservers/nntp.md
index 6d15fa17..ffb45343 100644
--- a/docs/_docs/servers/contentservers/nntp.md
+++ b/docs/_docs/servers/contentservers/nntp.md
@@ -12,6 +12,7 @@ The NNTP *content server* provides access to publicly exposed message conference
 | `nntp` | :-1: | Configuration block for non-secure NNTP. See Non-Secure NNTP Configuration below. |
 | `nntps` | :-1: | Configuration block for secure NNTP. See Secure NNTPS Configuration below. |
 | `publicMessageConferences` | :+1: | A map of *conference tags* to *area tags* that are publicly exposed over NNTP. Anonymous users will get read-only access to these areas. |
+| `postingAllowed` | :-1: | Allow posting from authenticated users. See [Write Access](#write-access).
 ### See Non-Secure NNTP Configuration
 Under `contentServers.nntp.nntp` the following configuration is allowed:
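Review bot: In core/servers/content/nntp.js the new guard reads `contentServers.nntp.allowPosts`, while the commit subject and the example configuration use `allowPosting` and the options table in nntp.md documents `postingAllowed`. Because the check is a strict `true ===`, a sysop following either document leaves POST disabled, which fails closed but gives no hint why. Pick one name and use it in all three places, e.g. `if (true === _.get(config, 'contentServers.nntp.allowPosting')) {`. Separately, `commands` and `ProxySession` are set on `commonOptions`, which by its name and the `if (this.enableNntp)` that follows appears to feed the plain-text listener as well as NNTPS. The documented NNTPS-only rule for write access therefore has to be enforced somewhere outside this hunk; if it is not, attach the POST command only to the secure server's options. The enclosing method starts and ends outside the hunk.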
@@ -40,10 +41,20 @@ An example of generating your own cert/key pair:
 openssl req -newkey rsa:2048 -nodes -keyout ./config/nntps_key.pem -x509 -days 3050 -out ./config/nntps_cert.pem
 ```
-### Example Configuration
+## Write Access
+Authenticated users may write messages to a group given the following are true:
+
+1. They are connected security (NNTPS). This is a strict requirement due to how NNTP authenticates in plain-text otherwise.
+2. The authenticated user has write [ACS](../../configuration/acs.md) to the target message conference and area.
+
+> :warning: Not all [ACS](../../configuration/acs.md) checks can be made over NNTP. Any ACS requiring a "client" will return false (fail), such as `LC` ("is local?").
+
+## Example Configuration
 ```hjson
 contentServers: {
 nntp: {
+ allowPosting: true
+
 publicMessageConferences: {
 fsxnet: [
 // Expose these areas of fsxNet