diff options
| author | Asher Gomez <ashersaupingomez@gmail.com> | 2023-08-03 21:19:19 +1000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-03 13:19:19 +0200 |
| commit | 6fb7e8d93bb9fd8cdd81130a394ae6061930c4f6 (patch) | |
| tree | 2ec6dc2be234ef5a42023c1d75f1fc1316d80f06 /ext/fs | |
| parent | db287e216dd752bfcb3484cbfd93225e8463c363 (diff) | |
feat(permissions): add "--deny-*" flags (#19070)
This commit adds new "--deny-*" permission flags. These are complimentary to
"--allow-*" flags.
These flags can be used to restrict access to certain resources, even if they
were granted using "--allow-*" flags or the "--allow-all" ("-A") flag.
Eg. specifying "--allow-read --deny-read" will result in a permission error,
while "--allow-read --deny-read=/etc" will allow read access to all FS but the
"/etc" directory.
Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly
by adding, a new "PermissionStatus.partial" field. This field denotes that
while permission might be granted to requested resource, it's only partial (ie.
a "--deny-*" flag was specified that excludes some of the requested resources).
Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for
permissions like "Deno.permissions.query({ name: "read", path: "foo/" })"
will return "PermissionStatus { state: "granted", onchange: null, partial: true }",
denoting that some of the subpaths don't have read access.
Closes #18804.
---------
Co-authored-by: Bartek IwaĆczuk <biwanczuk@gmail.com>
Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
Diffstat (limited to 'ext/fs')
| -rw-r--r-- | ext/fs/lib.rs | 14 | ||||
| -rw-r--r-- | ext/fs/ops.rs | 13 |
2 files changed, 22 insertions, 5 deletions
diff --git a/ext/fs/lib.rs b/ext/fs/lib.rs index d27712927..b028b12c1 100644 --- a/ext/fs/lib.rs +++ b/ext/fs/lib.rs @@ -23,7 +23,8 @@ use std::path::Path; use std::rc::Rc; pub trait FsPermissions { - fn check_read(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError>; + fn check_read(&mut self, path: &Path, api_name: &str) + -> Result<(), AnyError>; fn check_read_all(&mut self, api_name: &str) -> Result<(), AnyError>; fn check_read_blind( &mut self, @@ -31,7 +32,16 @@ pub trait FsPermissions { display: &str, api_name: &str, ) -> Result<(), AnyError>; - fn check_write(&mut self, p: &Path, api_name: &str) -> Result<(), AnyError>; + fn check_write( + &mut self, + path: &Path, + api_name: &str, + ) -> Result<(), AnyError>; + fn check_write_partial( + &mut self, + path: &Path, + api_name: &str, + ) -> Result<(), AnyError>; fn check_write_all(&mut self, api_name: &str) -> Result<(), AnyError>; fn check_write_blind( &mut self, diff --git a/ext/fs/ops.rs b/ext/fs/ops.rs index 083d1b15f..da52318a4 100644 --- a/ext/fs/ops.rs +++ b/ext/fs/ops.rs @@ -294,9 +294,16 @@ where let fs = { let mut state = state.borrow_mut(); - state - .borrow_mut::<P>() - .check_write(&path, "Deno.remove()")?; + if recursive { + state + .borrow_mut::<P>() + .check_write(&path, "Deno.remove()")?; + } else { + state + .borrow_mut::<P>() + .check_write_partial(&path, "Deno.remove()")?; + } + state.borrow::<FileSystemRc>().clone() }; |