packeton
Unauthenticated package metadata access
Thanks for your great work of continuing the open-source packagist app. Is there a way to allow package metadata read access without authentication (for all or for specific packages)?
Yes, you can do it, but for that you need to make a fork and update security.yml
here: https://github.com/vtsykun/packeton/blob/master/app/config/security.yml#L52
Great, thank you very much for your feedback @vtsykun :+1: So we'd need to change ROLE_USER to IS_AUTHENTICATED_ANONYMOUSLY in that path rule (e.g. by patching security.yml during deployment) and it should already work?
Best regards Andreas
Hi @xelan
Yes. Please note that the zipball path is used to download package code from dist. If you need read-only access to the package metadata, you can split this rule in two:
- { path: (^(/packages.json$|/p/))+, role: IS_AUTHENTICATED_ANONYMOUSLY } # metadata read access
- { path: (^(/zipball/|/downloads/))+, role: ROLE_USER } # *.zip download
Sounds great, thanks! I'll try that :smile:
Hi @vtsykun I tried your suggestion, however still got an "authorization Required" on /packages.json.
Any idea? Thanks! Btw, compliments for this nice fork!
For the complete picture, I now have this security.yml:
access_control:
# The WDT has to be allowed to anonymous users to avoid requiring the login with the AJAX request
- { path: ^/_wdt/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/_profiler/, role: IS_AUTHENTICATED_ANONYMOUSLY }
# AsseticBundle paths used when using the controller for assets
- { path: ^/js/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/css/, role: IS_AUTHENTICATED_ANONYMOUSLY }
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting/, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Packagist
- { path: (^(/change-password|/profile/|/search|/logout|/packages/|/versions/))+, role: ROLE_USER }
- { path: (^(/packages.json$|/p/))+, role: IS_AUTHENTICATED_ANONYMOUSLY } # metadata read access
- { path: (^(/zipball/|/downloads/))+, role: ROLE_USER } # *.zip download
- { path: (^(/api/webhook-invoke/))+, role: ROLE_USER }
- { path: (^(/api/(create-package|update-package|github|bitbucket)))$, role: ROLE_MAINTAINER }
- { path: ^/$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Maintainers
- { path: (^(/users/(.+)/packages))+, role: ROLE_MAINTAINER }
- { path: (^(/users/(.+)/favorites))+, role: ROLE_MAINTAINER }
- { path: (^(/explore|/jobs/))+, role: ROLE_MAINTAINER }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^.*$, role: ROLE_ADMIN }
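Symfony applies access_control rules top to bottom and enforces the first rule whose path regex matches, so the order of the split rules above decides which paths become anonymous and which stay behind ROLE_USER. The following script is an added example (not code from the thread or from the packeton project) that replays that first-match evaluation in Python over the exact patterns quoted in the security.yml above, so you can audit what a given ordering exposes before deploying it. It assumes Symfony's matcher runs the rule regex against the request path without adding its own anchors (only the `^`/`$` written into the pattern apply) and that paths are compared after URL decoding; the sample paths are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# The access_control rules quoted in the thread, in the same order.
# Symfony enforces the FIRST matching rule, so position is security-relevant.
ACCESS_CONTROL: List[Tuple[str, str]] = [
    (r"^/_wdt/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/_profiler/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/js/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/css/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/login/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting/", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"(^(/change-password|/profile/|/search|/logout|/packages/|/versions/))+", "ROLE_USER"),
    (r"(^(/packages.json$|/p/))+", "IS_AUTHENTICATED_ANONYMOUSLY"),  # metadata read access
    (r"(^(/zipball/|/downloads/))+", "ROLE_USER"),                   # *.zip download
    (r"(^(/api/webhook-invoke/))+", "ROLE_USER"),
    (r"(^(/api/(create-package|update-package|github|bitbucket)))$", "ROLE_MAINTAINER"),
    (r"^/$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"(^(/users/(.+)/packages))+", "ROLE_MAINTAINER"),
    (r"(^(/users/(.+)/favorites))+", "ROLE_MAINTAINER"),
    (r"(^(/explore|/jobs/))+", "ROLE_MAINTAINER"),
    (r"^.*$", "ROLE_ADMIN"),  # catch-all: must remain last
]


def required_role(path: str, rules: List[Tuple[str, str]] = ACCESS_CONTROL) -> Optional[str]:
    """Return the role demanded by the first rule whose regex matches `path`.

    Assumption: like Symfony's request matcher, the pattern is searched as-is,
    so only the anchors written into the rule constrain where it may match.
    Returns None when no rule matches (with a catch-all that never happens).
    """
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None


def anonymous_allowed(path: str, rules: List[Tuple[str, str]] = ACCESS_CONTROL) -> bool:
    """True if the effective rule for `path` lets unauthenticated clients through."""
    return required_role(path, rules) == "IS_AUTHENTICATED_ANONYMOUSLY"


def audit(paths: List[str], rules: List[Tuple[str, str]] = ACCESS_CONTROL) -> Dict[str, Optional[str]]:
    """Map every path of interest to the role the configured ordering requires."""
    return {p: required_role(p, rules) for p in paths}


def catch_all_first(rules: List[Tuple[str, str]] = ACCESS_CONTROL) -> List[Tuple[str, str]]:
    """Constructed misconfiguration: the ROLE_ADMIN catch-all moved to the top.

    Used to show that first-match semantics make ordering mistakes lock out
    (or, with the opposite mistake, expose) every path below the moved rule.
    """
    return [rules[-1]] + rules[:-1]


# Constructed sample paths: composer metadata, a dist download, and a few others.
SAMPLE_PATHS = [
    "/packages.json",                    # composer repository root
    "/p/vendor/package.json",            # per-package metadata
    "/zipball/vendor/package/abc123.zip",  # dist download, stays ROLE_USER
    "/packages/vendor/package",          # web UI page, not matched by /packages.json rule
    "/api/create-package",
    "/jobs/42",
    "/admin",
]

if __name__ == "__main__":
    for path, role in audit(SAMPLE_PATHS).items():
        print(f"{path:40} -> {role}")
    print("catch-all first, /packages.json ->", required_role("/packages.json", catch_all_first()))
```

Running it shows that `/packages.json` and `/p/...` fall through to the anonymous rule (the preceding ROLE_USER rule needs a literal `/packages/`, which `/packages.json` does not contain), while `/zipball/...` keeps ROLE_USER. Note that this only audits access_control: the thread itself reports that the controller enforced authentication on its own, which no firewall-rule check can reveal, so the audit should be paired with an actual unauthenticated request against the deployed instance.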
@vtsykun Nevermind. I figured, I had to allow anonymous access by altering the PackageController.
Hello,
@vtsykun may I ask you what exactly you changed in PackageController? I am looking to enable anonymous access for packages too.
Thank you!