diff --git a/README.md b/README.md
index c8520202..16bfb15f 100644
--- a/README.md
+++ b/README.md
@@ -513,6 +513,8 @@ examples:
 * replacing the `g` permission with `wg` would let anonymous users upload files, but not see the required filekey to access it
 * replacing the `g` permission with `wG` would let anonymous users upload files, receiving a working direct link in return
+if you want to grant access to all users who are logged in, the group `acct` will always contain all known users, so for example `-v /mnt/music:music:r,@acct`
+
 anyone trying to bruteforce a password gets banned according to `--ban-pw`; default is 24h ban for 9 failed attempts in 1 hour
 and if you want to use config files instead of commandline args (good!) then here's the same examples as a configfile; save it as `foobar.conf` and use it like this: `python copyparty-sfx.py -c foobar.conf`
@@ -538,6 +540,7 @@ and if you want to use config files instead of commandline args (good!) then her
 accs:
 r: u1, u2 # only these accounts can read,
 r: @g1 # (exactly the same, just with a group instead)
+ r: @acct # (alternatively, ALL users who are logged in)
 rw: u3 # and only u3 can read-write
 [/inc]
diff --git a/copyparty/__main__.py b/copyparty/__main__.py
index 22e219a7..38f786d8 100644
--- a/copyparty/__main__.py
+++ b/copyparty/__main__.py
@@ -609,6 +609,9 @@ def get_sects():
 if no accounts or volumes are configured, current folder will be read/write for everyone
+ the group @acct will always have every user with an account
+ (the name of that group can be changed with --grp-all)
+
 consider the config file for more flexible account/volume management, including dynamic reload at runtime (and being more readable w)
 """
@@ -1163,6 +1166,7 @@ def add_auth(ap):
 ap2.add_argument("--ses-db", metavar="PATH", type=u, default=ses_db, help="where to store the sessions database (if you run multiple copyparty instances, make sure they use different DBs)")
 ap2.add_argument("--ses-len", metavar="CHARS", type=int, default=20, help="session key length; default is 120 bits ((20//4)*4*6)")
 ap2.add_argument("--no-ses", action="store_true", help="disable sessions; use plaintext passwords in cookies")
+ ap2.add_argument("--grp-all", metavar="NAME", type=u, default="acct", help="the name of the auto-generated group which contains every username which is known")
 ap2.add_argument("--ipu", metavar="CIDR=USR", type=u, action="append", help="\033[34mREPEATABLE:\033[0m users with IP matching \033[33mCIDR\033[0m are auto-authenticated as username \033[33mUSR\033[0m; example: [\033[32m172.16.24.0/24=dave]")
diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index 0f1c94f9..3bea55c8 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -1099,6 +1099,9 @@ class AuthSrv(object):
 if rejected:
 continue
+ if gn == self.args.grp_all:
+ gn = ""
+
 # if ap/vp has a user/group placeholder, make sure to keep
 # track so the same user/group is mapped when setting perms;
 # otherwise clear un/gn to indicate it's a regular volume
@@ -1208,6 +1211,7 @@ class AuthSrv(object):
 self.load_idp_db(bool(self.idp_accs))
 ret = {un: gns[:] for un, gns in self.idp_accs.items()}
 ret.update({zs: [""] for zs in acct if zs not in ret})
+ grps[self.args.grp_all] = list(ret.keys())
 for gn, uns in grps.items():
 for un in uns:
 try:
diff --git a/tests/util.py b/tests/util.py
index bbd0b215..16c75e92 100644
--- a/tests/util.py
+++ b/tests/util.py
@@ -185,9 +185,12 @@ class Cfg(Namespace):
 E=E,
 bup_ck="sha512",
 chmod_d="755",
+ cookie_cmax=8192,
+ cookie_nmax=50,
 dbd="wal",
 dk_salt="b" * 16,
 fk_salt="a" * 16,
+ grp_all="acct",
 idp_gsep=re.compile("[|:;+,]"),
 iobuf=256 * 1024,
 lang="eng",
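Review bot: In copyparty/authsrv.py at `if gn == self.args.grp_all:`, the reason for blanking `gn` is not stated, and the existing comment just below only speaks of clearing un/gn for a regular volume. Presumably the intent is that the auto-generated all-users group never takes part in group-placeholder volume mapping, but that is inferred; the loop this check sits in starts and ends outside the hunk. A one-line comment above the check would settle it, for example `# the auto-generated all-users group is not a real group; treat it as "no group" here`.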
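Review bot: In copyparty/authsrv.py, `grps[self.args.grp_all] = list(ret.keys())` assigns unconditionally, so a group that an existing config already defines under the same name (the default is `acct`) would be replaced by the full user list, and every volume granted to that group would then be open to all known accounts, IdP-sourced ones included since `ret` starts from `self.idp_accs`. This assumes `grps` holds the configured groups at this point, which the hunk does not show. Refusing to start on a collision is safer than widening access silently: `if self.args.grp_all in grps:` followed by `raise Exception("group [%s] is reserved for all users; rename it or change --grp-all" % (self.args.grp_all,))`. The `--grp-all` help text in `add_auth` should also say that the name is reserved.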