feat(volume-browser): absolute scope with allowlist security

- Add 'absolute' volume scope for direct host paths (NFS, external mounts)
- Allowlist in settings: allowed_volume_paths (JSON array of prefixes)
- Validation: absolute source must be under an allowed prefix
- Empty allowlist = absolute scope disabled entirely
- Settings API exposes/validates allowed_volume_paths
- Frontend type updated with absolute scope
2026-04-01 23:31:27 +03:00
parent 0491849f0f
commit 582e7e39e3
8 changed files with 165 additions and 22 deletions
+2
@@ -88,6 +88,8 @@ func (s *Store) runMigrations() error {
// Add name column and rename mode→scope for volume scopes redesign (2026-03-31).
`ALTER TABLE volumes ADD COLUMN name TEXT NOT NULL DEFAULT ''`,
`ALTER TABLE volumes ADD COLUMN scope TEXT NOT NULL DEFAULT ''`,
// Add allowed_volume_paths to settings for absolute volume scope allowlist (2026-04-01).
`ALTER TABLE settings ADD COLUMN allowed_volume_paths TEXT NOT NULL DEFAULT '[]'`,
}
for _, m := range migrations {