A way to disable plugin installation via ACP?
-
Is there a way to configure a NodeBB instance so that plugins cannot be installed via the ACP? The other settings can be changed to disrupt the forum, but installing a malicious plugin could damage the server itself (and even Docker is not completely protective).
Thanks! -
We could add a flag into config.json to disable installing plugins from the acp. And check that flag in
Plugins.toggleInstallinsrc/socket.io/admin/plugins.js. For now you can just throw an error in that function.Plugins.toggleInstall = async function (socket, data) { throw new Error('[[error:plugin-installs-disabled]]'); // <-add this postsCache.reset(); await plugins.checkWhitelist(data.id, data.version); const pluginData = await plugins.toggleInstall(data.id, data.version); await events.log({ type: `plugin-${pluginData.installed ? 'install' : 'uninstall'}`, text: data.id, version: data.version, uid: socket.uid, }); return pluginData; }; -
@baris Thanks, do you want me to create a PR for this?
-
@josef sure, PR's are welcome. Make sure to send a PR to the docs as well to add it https://docs.nodebb.org/configuring/config/ the page is at https://github.com/NodeBB/docs/blob/master/src/docs/configuring/config.md.
-
@josef mm the whole idea is your admins should be trusted users
-
@julian said in A way to disable plugin installation via ACP?:
> @josef mm the whole idea is your admins should be trusted usersTrusted people can do stupid things
Just because I let someone change the forum settings doesn't mean I want them to be able to run code on my server
