Skip to content

fix(crates-io): list owner request unauthorized #16008

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

fix(crates-io): list owner request unauthorized #16008

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion crates/crates-io/lib.rs
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution!

Can we add a test for cargo owner --list demonstrating the problematic behavior? The test should pass in a standalone commit.

The second commit will contain both the fix and the test change diff, which the diff shows the behavior change.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR isn't priority for me; I just noticed the issue while reading the code. Determining how to add a test for a presently untested code path is well beyond the investment I have in this getting fixed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is understandable. Just call that out that this PR doesn't fix #16007 because of #16008 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cargo/src/cargo/ops/registry/owner.rs

Lines 39 to 46 in 113761f

let (mut registry, _) = super::registry(
gctx,
&source_ids,
opts.token.as_ref().map(Secret::as_deref),
opts.reg_or_index.as_ref(),
true,
Some(operation),
)?;

This code path super::registry still requires a token. This may need a bit more refactor

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, there is only a single instance in the entire codebase of something delegating to get. add_owners delegates to put which includes the authorization.

get is private, and list_owners is the only thing that calls it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code path I shown above unconditionally called before hitting get even for cargo owner --list. Granted, this PR standalone is good enough for fixing the issue in the crates-io crate.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just saw the token_required bit and how the read is being conflated with the owners add/remove operation.

I've caught up to you now. It's only the "back half" of the fix, and assumes that we don't throw a TokenMissing when we create the registry.

Thanks for your patience. ❤️ (Sorry, not an expert in this codebase, but you already knew that. 😜)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am fine merging this as-is. Let me edit the title a bit to reflect that.

Original file line number Diff line number Diff line change
Expand Up @@ -376,7 +376,7 @@ impl Registry {

fn get(&mut self, path: &str) -> Result<String> {
self.handle.get(true)?;
self.req(path, None, Auth::Authorized)
self.req(path, None, Auth::Unauthorized)
}

fn delete(&mut self, path: &str, b: Option<&[u8]>) -> Result<String> {
Expand Down
Loading