Feature/true private

README.md

@@ -22,7 +22,7 @@ A self-hosted pastebin **powered by Git**. [Try it here](https://opengist.thomic
 
 ## Features
 
-* Create public or unlisted snippets
+* Create public, unlisted or private snippets
 * Clone / Pull / Push snippets **via Git** over HTTP or SSH
 * Revisions history
 * Syntax highlighting ; markdown & CSV support

internal/models/gist.go

@@ -15,7 +15,7 @@ type Gist struct {
 	Preview         string
 	PreviewFilename string
 	Description     string
-	Private         bool
+	Private         int // 0: public, 1: unlisted, 2: private
 	UserID          uint
 	User            User
 	NbFiles         int
@@ -89,7 +89,7 @@ func GetAllGists(offset int) ([]*Gist, error) {
 func GetAllGistsFromSearch(currentUserId uint, query string, offset int, sort string, order string) ([]*Gist, error) {
 	var gists []*Gist
 	err := db.Preload("User").Preload("Forked.User").
-		Where("((gists.private = 0) or (gists.private = 1 and gists.user_id = ?))", currentUserId).
+		Where("((gists.private = 0) or (gists.private > 0 and gists.user_id = ?))", currentUserId).
 		Where("gists.title like ? or gists.description like ?", "%"+query+"%", "%"+query+"%").
 		Limit(11).
 		Offset(offset * 10).
@@ -101,7 +101,7 @@ func GetAllGistsFromSearch(currentUserId uint, query string, offset int, sort st
 
 func gistsFromUserStatement(fromUserId uint, currentUserId uint) *gorm.DB {
 	return db.Preload("User").Preload("Forked.User").
-		Where("((gists.private = 0) or (gists.private = 1 and gists.user_id = ?))", currentUserId).
+		Where("((gists.private = 0) or (gists.private > 0 and gists.user_id = ?))", currentUserId).
 		Where("users.id = ?", fromUserId).
 		Joins("join users on gists.user_id = users.id")
 }
@@ -124,7 +124,7 @@ func CountAllGistsFromUser(fromUserId uint, currentUserId uint) (int64, error) {
 
 func likedStatement(fromUserId uint, currentUserId uint) *gorm.DB {
 	return db.Preload("User").Preload("Forked.User").
-		Where("((gists.private = 0) or (gists.private = 1 and gists.user_id = ?))", currentUserId).
+		Where("((gists.private = 0) or (gists.private > 0 and gists.user_id = ?))", currentUserId).
 		Where("likes.user_id = ?", fromUserId).
 		Joins("join likes on gists.id = likes.gist_id").
 		Joins("join users on likes.user_id = users.id")
@@ -147,7 +147,7 @@ func CountAllGistsLikedByUser(fromUserId uint, currentUserId uint) (int64, error
 
 func forkedStatement(fromUserId uint, currentUserId uint) *gorm.DB {
 	return db.Preload("User").Preload("Forked.User").
-		Where("gists.forked_id is not null and ((gists.private = 0) or (gists.private = 1 and gists.user_id = ?))", currentUserId).
+		Where("gists.forked_id is not null and ((gists.private = 0) or (gists.private > 0 and gists.user_id = ?))", currentUserId).
 		Where("gists.user_id = ?", fromUserId).
 		Joins("join users on gists.user_id = users.id")
 }
@@ -243,7 +243,7 @@ func (gist *Gist) GetForks(currentUserId uint, offset int) ([]*Gist, error) {
 	var gists []*Gist
 	err := db.Model(&gist).Preload("User").
 		Where("forked_id = ?", gist.ID).
-		Where("(gists.private = 0) or (gists.private = 1 and gists.user_id = ?)", currentUserId).
+		Where("(gists.private = 0) or (gists.private > 0 and gists.user_id = ?)", currentUserId).
 		Limit(11).
 		Offset(offset * 10).
 		Order("updated_at desc").
@@ -379,7 +379,7 @@ func (gist *Gist) UpdatePreviewAndCount() error {
 type GistDTO struct {
 	Title       string    `validate:"max=50" form:"title"`
 	Description string    `validate:"max=150" form:"description"`
-	Private     bool      `form:"private"`
+	Private     int       `validate:"number,min=0,max=2" form:"private"`
 	Files       []FileDTO `validate:"min=1,dive"`
 }
 

internal/ssh/git_ssh.go

@@ -42,12 +42,21 @@ func runGitCommand(ch ssh.Channel, gitCmd string, key string, ip string) error {
 		return errors.New("internal server error")
 	}
 
-	if verb == "receive-pack" || requireLogin == "1" {
+	// Check for the key if :
+	// - user wants to push the gist
+	// - user wants to clone a private gist
+	// - gist is not found (obfuscation)
+	// - admin setting to require login is set to true
+	if verb == "receive-pack" ||
+		gist.Private == 2 ||
+		gist.ID == 0 ||
+		requireLogin == "1" {
+
 		pubKey, err := models.SSHKeyExistsForUser(key, gist.UserID)
 		if err != nil {
 			if errors.Is(err, gorm.ErrRecordNotFound) {
 				log.Warn().Msg("Invalid SSH authentication attempt from " + ip)
-				return errors.New("unauthorized")
+				return errors.New("gist not found")
 			}
 			errorSsh("Failed to get user by SSH key id", err)
 			return errors.New("internal server error")

internal/web/gist.go

@@ -80,14 +80,30 @@ func gistInit(next echo.HandlerFunc) echo.HandlerFunc {
 			setData(ctx, "hasLiked", hasLiked)
 		}
 
-		if gist.Private {
+		if gist.Private > 0 {
 			setData(ctx, "NoIndex", true)
 		}
 
 		return next(ctx)
 	}
 }
 
+// gistSoftInit try to load a gist (same as gistInit) but does not return a 404 if the gist is not found
+// useful for git clients using HTTP to obfuscate the existence of a private gist
+func gistSoftInit(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(ctx echo.Context) error {
+		userName := ctx.Param("user")
+		gistName := ctx.Param("gistname")
+
+		gistName = strings.TrimSuffix(gistName, ".git")
+
+		gist, _ := models.GetGist(userName, gistName)
+		setData(ctx, "gist", gist)
+
+		return next(ctx)
+	}
+}
+
 func allGists(ctx echo.Context) error {
 	var err error
 	var urlPage string
@@ -400,7 +416,7 @@ func processCreate(ctx echo.Context) error {
 func toggleVisibility(ctx echo.Context) error {
 	var gist = getData(ctx, "gist").(*models.Gist)
 
-	gist.Private = !gist.Private
+	gist.Private = (gist.Private + 1) % 3
 	if err := gist.Update(); err != nil {
 		return errorRes(500, "Error updating this gist", err)
 	}

internal/web/git_http.go

@@ -47,16 +47,23 @@ func gitHttp(ctx echo.Context) error {
 
 			gist := getData(ctx, "gist").(*models.Gist)
 
+			// Shows basic auth if :
+			// - user wants to push the gist
+			// - user wants to clone a private gist
+			// - gist is not found (obfuscation)
+			// - admin setting to require login is set to true
 			noAuth := (ctx.QueryParam("service") == "git-upload-pack" ||
 				strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
 				ctx.Request().Method == "GET") &&
+				gist.Private != 2 &&
+				gist.ID != 0 &&
 				!getData(ctx, "RequireLogin").(bool)
 
 			repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)
 
 			if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
 				if err != nil {
-					return errorRes(500, "Repository does not exist", err)
+					return errorRes(404, "Repository directory does not exist", err)
 				}
 			}
 
@@ -82,12 +89,16 @@ func gitHttp(ctx echo.Context) error {
 				return basicAuth(ctx)
 			}
 
+			if gist.ID == 0 {
+				return errorRes(404, "Not found", nil)
+			}
+
 			if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
 				if err != nil {
 					return errorRes(500, "Cannot verify password", err)
 				}
 				log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
-				return errorRes(403, "Unauthorized", nil)
+				return errorRes(404, "Not found", nil)
 			}
 
 			return route.handler(ctx)

internal/web/run.go

@@ -30,11 +30,11 @@ var re = regexp.MustCompile("[^a-z0-9]+")
 var fm = template.FuncMap{
 	"split":     strings.Split,
 	"indexByte": strings.IndexByte,
-	"toInt": func(i string) int64 {
-		val, _ := strconv.ParseInt(i, 10, 64)
+	"toInt": func(i string) int {
+		val, _ := strconv.Atoi(i)
 		return val
 	},
-	"inc": func(i int64) int64 {
+	"inc": func(i int) int {
 		return i + 1
 	},
 	"splitGit": func(i string) []string {
@@ -88,6 +88,20 @@ var fm = template.FuncMap{
 		return config.C.ExternalUrl + "/" + manifestEntries[jsfile].File
 	},
 	"defaultAvatar": defaultAvatar,
+	"visibilityStr": func(visibility int, lowercase bool) string {
+		s := "Public"
+		switch visibility {
+		case 1:
+			s = "Unlisted"
+		case 2:
+			s = "Private"
+		}
+
+		if lowercase {
+			return strings.ToLower(s)
+		}
+		return s
+	},
 }
 
 var EmbedFS fs.FS
@@ -226,7 +240,7 @@ func Start() {
 	debugStr := ""
 	// Git HTTP routes
 	if config.C.HttpGit {
-		e.Any("/:user/:gistname/*", gitHttp, gistInit)
+		e.Any("/:user/:gistname/*", gitHttp, gistSoftInit)
 		debugStr = " (with Git over HTTP)"
 	}
 

public/main.ts

@@ -183,4 +183,20 @@ document.addEventListener('DOMContentLoaded', () => {
             });
         };
     });
+
+    const gistmenuvisibility = document.getElementById('gist-menu-visibility');
+    if (gistmenuvisibility) {
+        let submitgistbutton = (document.getElementById('submit-gist') as HTMLInputElement);
+        document.getElementById('gist-visibility-menu-button')!.onclick = () => {
+            console.log("z");
+            gistmenuvisibility!.classList.toggle('hidden');
+        }
+        Array.from(document.querySelectorAll('.gist-visibility-option')).forEach((el) => {
+            (el as HTMLElement).onclick = () => {
+                submitgistbutton.textContent = "Create " + el.textContent.toLowerCase() + " gist";
+                submitgistbutton!.value = (el as HTMLElement).dataset.visibility || '0';
+                gistmenuvisibility!.classList.add('hidden');
+            }
+        });
+    }
 });

templates/base/gist_header.html

@@ -92,8 +92,7 @@ <h1 class="text-2xl font-bold leading-tight break-all">
             <p class="mt-1 max-w-2xl text-sm text-slate-500">Forked from <a href="{{ $.c.ExternalUrl }}/{{ .gist.Forked.User.Username }}/{{ .gist.Forked.Uuid }}">{{ .gist.Forked.User.Username }}/{{ .gist.Forked.Title }}</a></p>
         {{ end }}
         <p class="mt-1 max-w-2xl text-sm text-slate-500">Last active <span class="moment-timestamp"> {{ .gist.UpdatedAt }} </span>
-            {{ if .gist.Private }} • <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-slate-700 dark:text-slate-300"> Unlisted </span>{{ end }}
-
+            {{ if .gist.Private }} • <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-slate-700 dark:text-slate-300"> {{ visibilityStr .gist.Private false }} </span>{{ end }}
         </p>
         <p class="mt-3 max-w-2xl text-slate-700 dark:text-slate-300">{{ .gist.Description }}</p>
     </header>

templates/pages/all.html

@@ -137,7 +137,7 @@ <h4 class="text-md leading-tight break-all py-1 flex-auto">
                         </div>
                         <h5 class="text-sm text-slate-500 pb-1">Last active <span class="moment-timestamp">{{ $gist.UpdatedAt }}</span>
                             {{ if $gist.Forked }} • Forked from <a href="{{ $.c.ExternalUrl }}/{{ $gist.Forked.User.Username }}/{{ $gist.Forked.Uuid }}">{{ $gist.Forked.User.Username }}/{{ $gist.Forked.Title }}</a> {{ end }}
-                            {{ if $gist.Private }} • <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-slate-700 dark:text-slate-300"> Unlisted </span>{{ end }}</h5>
+                            {{ if $gist.Private }} • <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-slate-700 dark:text-slate-300"> {{ visibilityStr $gist.Private false }} </span>{{ end }}</h5>
                         <h5 class="text-xs text-slate-700 dark:text-slate-300 py-1">{{ $gist.Description }}</h5>
                         <a href="{{ $.c.ExternalUrl }}/{{ $gist.User.Username }}/{{ $gist.Uuid }}" class="text-slate-700 dark:text-slate-300">
                             <div class="rounded-md border border-1 border-gray-200 dark:border-gray-700 overflow-auto hover:border-primary-600">

templates/pages/create.html

@@ -56,8 +56,25 @@ <h1 class="text-2xl font-bold leading-tight text-slate-700 dark:text-slate-300">
 
             <div class="flex">
                 <button type="button" id="add-file" class="inline-flex items-center px-4 py-2 border border-transparent border-gray-200 dark:border-gray-700 text-sm font-medium rounded-md shadow-sm text-gray-700 dark:text-white bg-gray-100 dark:bg-gray-600 hover:bg-gray-200 dark:hover:bg-gray-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-gray-500">Add file</button>
-                <button type="submit" name="private" value="1" class="ml-auto inline-flex items-center px-4 py-2 border border-transparent border-gray-200 dark:border-gray-700 text-sm font-medium rounded-md shadow-sm text-gray-700 dark:text-white bg-gray-100 dark:bg-gray-600 hover:bg-gray-200 dark:hover:bg-gray-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-gray-500">Create unlisted gist</button>
-                <button type="submit" name="private" value="0" class="ml-2 inline-flex items-center px-4 py-2 border border-transparent border-gray-200 dark:border-gray-700 text-sm font-medium rounded-md shadow-sm text-white dark:text-white bg-primary-500 hover:bg-primary-600 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-500">Create public gist</button>
+
+                <div class="ml-auto inline-flex ">
+                    <button id="submit-gist" type="submit" name="private" value="0" class="ml-2 items-center px-4 py-2 border border-transparent border-primary-200 dark:border-primary-700 text-sm font-medium rounded-l-md shadow-sm text-white dark:text-white bg-primary-500 hover:bg-primary-600 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-500 z-20">Create public gist</button>
+                    <div class="relative -ml-px block">
+                        <button type="button" class="relative inline-flex items-center rounded-r-md bg-primary-500 hover:bg-primary-600 px-2 py-2 text-gray-400 border border-transparent border-primary-200 dark:border-primary-700 focus:z-10" id="gist-visibility-menu-button">
+                            <span class="sr-only">Open options</span>
+                            <svg class="h-5 w-5" viewBox="0 0 20 20" fill="white" aria-hidden="true">
+                                <path fill-rule="evenodd" d="M5.23 7.21a.75.75 0 011.06.02L10 11.168l3.71-3.938a.75.75 0 111.08 1.04l-4.25 4.5a.75.75 0 01-1.08 0l-4.25-4.5a.75.75 0 01.02-1.06z" clip-rule="evenodd" />
+                            </svg>
+                        </button>
+                        <div id="gist-menu-visibility" class="hidden absolute right-0 z-10 mt-2 origin-top-right rounded-md bg-white shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none" role="menu" aria-orientation="vertical" aria-labelledby="gist-visibility-menu-button">
+                            <div class="rounded-md dark:bg-gray-800 bg-white shadow-lg ring-1 ring-gray-50 dark:ring-gray-700 focus:outline-none" role="none">
+                                <span class="text-gray-700 block px-4 py-2 text-sm cursor-pointer dark:text-slate-300 hover:text-slate-500 dark:hover:text-slate-400 gist-visibility-option" data-visibility="0" role="menuitem">Public</span>
+                                <span class="text-gray-700 block px-4 py-2 text-sm cursor-pointer dark:text-slate-300 hover:text-slate-500 dark:hover:text-slate-400 gist-visibility-option" data-visibility="1" role="menuitem">Unlisted</span>
+                                <span class="text-gray-700 block px-4 py-2 text-sm cursor-pointer dark:text-slate-300 hover:text-slate-500 dark:hover:text-slate-400 gist-visibility-option" data-visibility="2" role="menuitem">Private</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
             </div>
             {{ .csrfHtml }}
         </form>

templates/pages/edit.html

@@ -11,18 +11,17 @@ <h1 class="text-2xl font-bold leading-tight text-slate-700 dark:text-slate-300">
                 <form id="visibility" class="flex items-center whitespace-nowrap" method="post" action="/{{ .gist.User.Username }}/{{ .gist.Uuid }}/visibility">
                     {{ .csrfHtml }}
                     <button type="submit" class="ml-auto relative inline-flex items-center space-x-2 rounded-md border border-gray-200 dark:border-gray-600 bg-gray-50 dark:bg-gray-800 px-2 py-1.5 text-xs font-medium text-slate-700 dark:text-slate-300 hover:bg-gray-100 dark:hover:bg-gray-700 hover:border-gray-500 hover:text-slate-700 dark:hover:text-slate-300 focus:border-primary-500 focus:outline-none focus:ring-1 focus:ring-primary-500 leading-3">
-                        {{ if .gist.Private }}
-                        <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-                            <path stroke-linecap="round" stroke-linejoin="round" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
-                            <path stroke-linecap="round" stroke-linejoin="round" d="M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z" />
-                        </svg>
-                        Make public
+                        {{ if eq .gist.Private 2 }}
+                            <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+                                <path stroke-linecap="round" stroke-linejoin="round" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
+                                <path stroke-linecap="round" stroke-linejoin="round" d="M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z" />
+                            </svg>
                         {{ else }}
-                        <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
-                            <path stroke-linecap="round" stroke-linejoin="round" d="M13.875 18.825A10.05 10.05 0 0112 19c-4.478 0-8.268-2.943-9.543-7a9.97 9.97 0 011.563-3.029m5.858.908a3 3 0 114.243 4.243M9.878 9.878l4.242 4.242M9.88 9.88l-3.29-3.29m7.532 7.532l3.29 3.29M3 3l3.59 3.59m0 0A9.953 9.953 0 0112 5c4.478 0 8.268 2.943 9.543 7a10.025 10.025 0 01-4.132 5.411m0 0L21 21" />
-                        </svg>
-                        Make unlisted
+                            <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+                                <path stroke-linecap="round" stroke-linejoin="round" d="M13.875 18.825A10.05 10.05 0 0112 19c-4.478 0-8.268-2.943-9.543-7a9.97 9.97 0 011.563-3.029m5.858.908a3 3 0 114.243 4.243M9.878 9.878l4.242 4.242M9.88 9.88l-3.29-3.29m7.532 7.532l3.29 3.29M3 3l3.59 3.59m0 0A9.953 9.953 0 0112 5c4.478 0 8.268 2.943 9.543 7a10.025 10.025 0 01-4.132 5.411m0 0L21 21" />
+                            </svg>
                         {{ end }}
+                        Make {{ visibilityStr (inc .gist.Private) true }}
                     </button>
                 </form>
                 <form id="delete" onsubmit="return confirm('Are you sure you want to delete this gist ?')" class="ml-2 flex items-center" method="post" action="/{{ .gist.User.Username }}/{{ .gist.Uuid }}/delete">