vrr/navidrome
2
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2026-04-28 03:19:38 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
navidrome/persistence/plugin_repository.go
Deluan Quintão d9a215e1e3
Some checks are pending
Pipeline: Test, Lint, Build / Upload Linux PKG (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Get version info (push) Waiting to run
Details
Pipeline: Test, Lint, Build / Lint Go code (push) Waiting to run
Details
Pipeline: Test, Lint, Build / Test Go code (push) Waiting to run
Details
Pipeline: Test, Lint, Build / Test JS code (push) Waiting to run
Details
Pipeline: Test, Lint, Build / Lint i18n files (push) Waiting to run
Details
Pipeline: Test, Lint, Build / Check Docker configuration (push) Waiting to run
Details
Pipeline: Test, Lint, Build / Build (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-1 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-2 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-3 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-4 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-5 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-6 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-7 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-8 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-9 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build-10 (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Push to GHCR (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Push to Docker Hub (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Cleanup digest artifacts (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Build Windows installers (push) Blocked by required conditions
Details
Pipeline: Test, Lint, Build / Package/Release (push) Blocked by required conditions
Details
POEditor export / push-translations (push) Waiting to run
Details
feat(plugins): allow mounting library directories as read-write (#5122) 
* feat(plugins): mount library directories as read-only by default

Add an AllowWriteAccess boolean to the plugin model, defaulting to
false. When off, library directories are mounted with the extism "ro:"
prefix (read-only). Admins can explicitly grant write access via a new
toggle in the Library Permission card.

* test: add tests to buildAllowedPaths

Signed-off-by: Deluan <deluan@navidrome.org>

* chore: improve allowed paths logging for library access

Signed-off-by: Deluan <deluan@navidrome.org>

---------

Signed-off-by: Deluan <deluan@navidrome.org>
2026-02-28 10:59:13 -05:00

163 lines
4.3 KiB
Go
Raw Blame History

package persistence
import (
"context"
"errors"
"time"
. "github.com/Masterminds/squirrel"
"github.com/deluan/rest"
"github.com/navidrome/navidrome/model"
"github.com/pocketbase/dbx"
)
type pluginRepository struct {
sqlRepository
}
func NewPluginRepository(ctx context.Context, db dbx.Builder) model.PluginRepository {
r := &pluginRepository{}
r.ctx = ctx
r.db = db
r.registerModel(&model.Plugin{}, map[string]filterFunc{
"id": idFilter("plugin"),
"enabled": booleanFilter,
})
return r
}
func (r *pluginRepository) isPermitted() bool {
user := loggedUser(r.ctx)
return user.IsAdmin
}
func (r *pluginRepository) CountAll(options ...model.QueryOptions) (int64, error) {
if !r.isPermitted() {
return 0, rest.ErrPermissionDenied
}
sql := r.newSelect()
return r.count(sql, options...)
}
func (r *pluginRepository) Delete(id string) error {
if !r.isPermitted() {
return rest.ErrPermissionDenied
}
return r.delete(Eq{"id": id})
}
func (r *pluginRepository) Get(id string) (*model.Plugin, error) {
if !r.isPermitted() {
return nil, rest.ErrPermissionDenied
}
sel := r.newSelect().Where(Eq{"id": id}).Columns("*")
res := model.Plugin{}
err := r.queryOne(sel, &res)
return &res, err
}
func (r *pluginRepository) GetAll(options ...model.QueryOptions) (model.Plugins, error) {
if !r.isPermitted() {
return nil, rest.ErrPermissionDenied
}
sel := r.newSelect(options...).Columns("*")
res := model.Plugins{}
err := r.queryAll(sel, &res)
return res, err
}
func (r *pluginRepository) Put(plugin *model.Plugin) error {
if !r.isPermitted() {
return rest.ErrPermissionDenied
}
plugin.UpdatedAt = time.Now()
if plugin.ID == "" {
return errors.New("plugin ID cannot be empty")
}
// Upsert using INSERT ... ON CONFLICT for atomic operation
_, err := r.db.NewQuery(`
INSERT INTO plugin (id, path, manifest, config, users, all_users, libraries, all_libraries, allow_write_access, enabled, last_error, sha256, created_at, updated_at)
VALUES ({:id}, {:path}, {:manifest}, {:config}, {:users}, {:all_users}, {:libraries}, {:all_libraries}, {:allow_write_access}, {:enabled}, {:last_error}, {:sha256}, {:created_at}, {:updated_at})
ON CONFLICT(id) DO UPDATE SET
path = excluded.path,
manifest = excluded.manifest,
config = excluded.config,
users = excluded.users,
all_users = excluded.all_users,
libraries = excluded.libraries,
all_libraries = excluded.all_libraries,
allow_write_access = excluded.allow_write_access,
enabled = excluded.enabled,
last_error = excluded.last_error,
sha256 = excluded.sha256,
updated_at = excluded.updated_at
`).Bind(dbx.Params{
"id": plugin.ID,
"path": plugin.Path,
"manifest": plugin.Manifest,
"config": plugin.Config,
"users": plugin.Users,
"all_users": plugin.AllUsers,
"libraries": plugin.Libraries,
"all_libraries": plugin.AllLibraries,
"allow_write_access": plugin.AllowWriteAccess,
"enabled": plugin.Enabled,
"last_error": plugin.LastError,
"sha256": plugin.SHA256,
"created_at": time.Now(),
"updated_at": plugin.UpdatedAt,
}).Execute()
return err
}
func (r *pluginRepository) Count(options ...rest.QueryOptions) (int64, error) {
return r.CountAll(r.parseRestOptions(r.ctx, options...))
}
func (r *pluginRepository) EntityName() string {
return "plugin"
}
func (r *pluginRepository) NewInstance() any {
return &model.Plugin{}
}
func (r *pluginRepository) Read(id string) (any, error) {
return r.Get(id)
}
func (r *pluginRepository) ReadAll(options ...rest.QueryOptions) (any, error) {
return r.GetAll(r.parseRestOptions(r.ctx, options...))
}
func (r *pluginRepository) Save(entity any) (string, error) {
p := entity.(*model.Plugin)
if !r.isPermitted() {
return "", rest.ErrPermissionDenied
}
err := r.Put(p)
if errors.Is(err, model.ErrNotFound) {
return "", rest.ErrNotFound
}
return p.ID, err
}
func (r *pluginRepository) Update(id string, entity any, cols ...string) error {
p := entity.(*model.Plugin)
p.ID = id
if !r.isPermitted() {
return rest.ErrPermissionDenied
}
err := r.Put(p)
if errors.Is(err, model.ErrNotFound) {
return rest.ErrNotFound
}
return err
}
var _ model.PluginRepository = (*pluginRepository)(nil)
var _ rest.Repository = (*pluginRepository)(nil)
var _ rest.Persistable = (*pluginRepository)(nil)
Reference in a new issue View git blame Copy permalink