A way to disable plugin installation via ACP?
-
Is there a way to configure a NodeBB instance so that plugins cannot be installed via the ACP? The other settings can be changed to disrupt the forum, but installing a malicious plugin could damage the server itself (and even Docker is not completely protective)...
Thanks!
-
We could add a flag into config.json to disable installing plugins from the acp. And check that flag in `Plugins.toggleInstall` in `src/socket.io/admin/plugins.js`. For now you can just throw an error in that function.

```js
Plugins.toggleInstall = async function (socket, data) {
	throw new Error('[[error:plugin-installs-disabled]]'); // <-add this
	postsCache.reset();
	await plugins.checkWhitelist(data.id, data.version);
	const pluginData = await plugins.toggleInstall(data.id, data.version);
	await events.log({
		type: `plugin-${pluginData.installed ? 'install' : 'uninstall'}`,
		text: data.id,
		version: data.version,
		uid: socket.uid,
	});
	return pluginData;
};
```
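A sketch of the config.json flag suggested in the reply above, as an added example that is not NodeBB's code or part of the original posts. The flag name `disablePluginInstallViaAcp`, the `plugin-install-blocked` event type and the stubbed handler and logger are assumptions; only the error key comes from the thread.

```javascript
// Hypothetical flag name; the thread does not name one.
const FLAG = 'disablePluginInstallViaAcp';

// Decide whether ACP installs are blocked. A hand-edited config.json may
// hold true, "true", 1, "yes"... so once the key is present, only an
// explicit false-like value re-enables installs (fail closed).
function installsDisabled(config) {
	if (!Object.prototype.hasOwnProperty.call(config, FLAG)) {
		return false; // flag absent: stock behaviour, installs allowed
	}
	const value = config[FLAG];
	if (value === false || value === 0) {
		return false;
	}
	if (typeof value === 'string' &&
		['false', '0', ''].includes(value.trim().toLowerCase())) {
		return false;
	}
	return true;
}

// Wrap the socket handler instead of editing its body. toggleInstall covers
// install and uninstall, so both are refused, as with the one-line throw.
// Refused attempts are logged so a misused admin account leaves a trace.
function guardInstall(config, toggleInstall, logEvent) {
	return async function (socket, data) {
		if (installsDisabled(config)) {
			await logEvent({
				type: 'plugin-install-blocked', // hypothetical event type
				text: data.id,
				version: data.version,
				uid: socket.uid,
			});
			throw new Error('[[error:plugin-installs-disabled]]');
		}
		return toggleInstall(socket, data);
	};
}

// Constructed stand-ins for the parsed config.json and the real handler.
const sampleConfig = { url: 'http://localhost:4567', [FLAG]: 'true' };
const stubToggleInstall = async (socket, data) => ({ id: data.id, installed: true });
const guarded = guardInstall(sampleConfig, stubToggleInstall, async () => {});
guarded({ uid: 1 }, { id: 'nodebb-plugin-example', version: '1.0.0' })
	.catch(err => console.log('blocked:', err.message));
```

Because the flag lives in config.json on disk, an ACP-only administrator cannot switch it back on from the browser.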
-
@baris Thanks, do you want me to create a PR for this?
-
@josef sure, PRs are welcome. Make sure to send a PR to the docs as well to add it to https://docs.nodebb.org/configuring/config/. The page is at https://github.com/NodeBB/docs/blob/master/src/docs/configuring/config.md.
-
@josef mm the whole idea is your admins should be trusted users