A way to disable plugin installation via ACP?
-
Is there a way to configure a NodeBB instance so that plugins cannot be installed via the ACP? The other settings can be changed to disrupt the forum, but installing a malicious plugin could damage the server itself (and even Docker is not completely protective)... Thanks!
-
We could add a flag into config.json to disable installing plugins from the ACP. And check that flag in `Plugins.toggleInstall` in `src/socket.io/admin/plugins.js`. For now you can just throw an error in that function.

```
Plugins.toggleInstall = async function (socket, data) {
	throw new Error('[[error:plugin-installs-disabled]]'); // <-add this
	postsCache.reset();
	await plugins.checkWhitelist(data.id, data.version);
	const pluginData = await plugins.toggleInstall(data.id, data.version);
	await events.log({
		type: `plugin-${pluginData.installed ? 'install' : 'uninstall'}`,
		text: data.id,
		version: data.version,
		uid: socket.uid,
	});
	return pluginData;
};
```
-
[@baris](https://community.nodebb.org/user/baris) Thanks, do you want me to create a PR for this?
-
[@josef](https://community.nodebb.org/user/josef) sure, PRs are welcome. Make sure to send a PR to the docs as well to add it to https://docs.nodebb.org/configuring/config/. The page is at https://github.com/NodeBB/docs/blob/master/src/docs/configuring/config.md.
-
[@josef](https://community.nodebb.org/user/josef) mm the whole idea is your admins should be trusted users
-
[@julian](https://community.nodebb.org/user/julian) said in [A way to disable plugin installation via ACP?](https://community.nodebb.org/post/103438):

> [@josef](https://community.nodebb.org/user/josef) mm the whole idea is your admins should be trusted users

Trusted people can do stupid things

Also just because I let someone change the forum settings doesn't mean I want them to be able to run code on my server
-
[@baris](https://community.nodebb.org/user/baris) https://github.com/NodeBB/NodeBB/pull/13189
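
The config-flag check suggested in the thread, as an added example that is not part of the original posts or NodeBB's own code: the handler refuses the install server-side when the flag is set and logs the refused attempt. The flag name `pluginInstallsDisabled`, the event type `plugin-install-blocked`, the factory `makeToggleInstall` and the stubs are hypothetical.

```javascript
// Added example, not NodeBB source. `pluginInstallsDisabled` is a hypothetical
// flag name; dependencies are injected so the constructed stubs below can run it.

// Accept a JSON boolean or a string such as "true" (assumed possible when the
// value is supplied outside config.json, e.g. through an environment variable).
function flagEnabled(value) {
  if (typeof value === 'string') return ['true', '1'].includes(value.trim().toLowerCase());
  return value === true || value === 1;
}

function makeToggleInstall({ config, postsCache, plugins, events }) {
  return async function toggleInstall(socket, data) {
    if (flagEnabled(config.pluginInstallsDisabled)) {
      // Enforced in the server-side handler; the refused attempt is logged.
      await events.log({ type: 'plugin-install-blocked', text: data.id, version: data.version, uid: socket.uid });
      throw new Error('[[error:plugin-installs-disabled]]');
    }
    postsCache.reset();
    await plugins.checkWhitelist(data.id, data.version);
    const pluginData = await plugins.toggleInstall(data.id, data.version);
    await events.log({
      type: `plugin-${pluginData.installed ? 'install' : 'uninstall'}`,
      text: data.id,
      version: data.version,
      uid: socket.uid,
    });
    return pluginData;
  };
}

// Constructed stubs and a constructed request, for demonstration only.
async function demo(flagValue) {
  const logged = [];
  let installs = 0;
  const handler = makeToggleInstall({
    config: { pluginInstallsDisabled: flagValue },
    postsCache: { reset() {} },
    plugins: {
      checkWhitelist: async () => {},
      toggleInstall: async () => { installs += 1; return { installed: true }; },
    },
    events: { log: async (entry) => { logged.push(entry.type); } },
  });
  let error = null;
  try {
    await handler({ uid: 1 }, { id: 'nodebb-plugin-example', version: '1.0.0' });
  } catch (err) { error = err.message; }
  return { error, installs, logged };
}
```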