hfs 0.48.3 → 0.49.0-alpha2

package/src/misc.js

@@ -18,20 +18,21 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.apiAssertTypes = exports.AsapStream = exports.asyncGeneratorToReadable = exports.stream2string = exports.same = exports.matches = exports.makeMatcher = exports.makeNetMatcher = exports.isLocalHost = exports.onOff = exports.pattern2filter = exports.onFirstEvent = exports.onProcessExit = exports.debounceAsync = void 0;
+exports.apiAssertTypes = exports.AsapStream = exports.asyncGeneratorToReadable = exports.stream2string = exports.same = exports.matches = exports.makeMatcher = exports.makeNetMatcher = exports.isLocalHost = exports.onOff = exports.pattern2filter = exports.onFirstEvent = exports.onProcessExit = void 0;
 const path_1 = require("path");
 const lodash_1 = __importDefault(require("lodash"));
 const assert_1 = __importDefault(require("assert"));
 __exportStar(require("./util-http"), exports);
 __exportStar(require("./util-files"), exports);
 __exportStar(require("./cross"), exports);
+__exportStar(require("./debounceAsync"), exports);
 const stream_1 = require("stream");
 const micromatch_1 = require("micromatch");
 const node_net_1 = require("node:net");
-const debounceAsync_1 = __importDefault(require("./debounceAsync"));
-exports.debounceAsync = debounceAsync_1.default;
 const apiMiddleware_1 = require("./apiMiddleware");
 const const_1 = require("./const");
+const cross_1 = require("./cross");
+const net_1 = require("net");
 const cbs = new Set();
 function onProcessExit(cb) {
     cbs.add(cb);
@@ -70,7 +71,7 @@ function onOff(em, events) {
 exports.onOff = onOff;
 function isLocalHost(c) {
     const ip = typeof c === 'string' ? c : c.socket.remoteAddress; // don't use Context.ip as it is subject to proxied ips, and that's no use for localhost detection
-    return ip && (ip === '::1' || ip.endsWith('127.0.0.1'));
+    return ip && (0, cross_1.ipLocalHost)(ip);
 }
 exports.isLocalHost = isLocalHost;
 function makeNetMatcher(mask, emptyMaskReturns = false) {
@@ -102,7 +103,7 @@ function makeNetMatcher(mask, emptyMaskReturns = false) {
 }
 exports.makeNetMatcher = makeNetMatcher;
 function parseAddress(s) {
-    return new node_net_1.SocketAddress({ address: s, family: s.includes(':') ? 'ipv6' : 'ipv4' });
+    return new node_net_1.SocketAddress({ address: s, family: (0, net_1.isIPv6)(s) ? 'ipv6' : 'ipv4' });
 }
 function makeMatcher(mask, emptyMaskReturns = false) {
     return mask ? (0, micromatch_1.matcher)(mask.replace(/^(!)?/, '$1(') + ')') // adding () will allow us to use the pipe at root level

package/src/perm.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.normalizeUsername = exports.accountsConfig = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = void 0;
+exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.normalizeUsername = exports.accountsConfig = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.expandUsername = exports.getCurrentUsername = void 0;
 const lodash_1 = __importDefault(require("lodash"));
 const crypt_1 = require("./crypt");
 const misc_1 = require("./misc");
@@ -18,19 +18,20 @@ function getCurrentUsername(ctx) {
 }
 exports.getCurrentUsername = getCurrentUsername;
 // provides the username and all other usernames it inherits based on the 'belongs' attribute. Useful to check permissions
-function getCurrentUsernameExpanded(ctx) {
-    const who = getCurrentUsername(ctx);
-    if (!who)
-        return [];
-    const ret = [who];
-    for (const u of ret) {
+function expandUsername(who) {
+    const ret = [];
+    const q = [who];
+    for (const u of q) {
         const a = getAccount(u);
-        if (a === null || a === void 0 ? void 0 : a.belongs)
-            ret.push(...a.belongs);
+        if (!a || a.disabled)
+            continue;
+        ret.push(u);
+        if (a.belongs)
+            q.push(...a.belongs);
     }
     return ret;
 }
-exports.getCurrentUsernameExpanded = getCurrentUsernameExpanded;
+exports.expandUsername = expandUsername;
 function getAccount(username, normalize = true) {
     if (normalize)
         username = normalizeUsername(username);
@@ -116,7 +117,7 @@ function renameAccount(from, to) {
 }
 exports.renameAccount = renameAccount;
 // we consider all the following fields, when falsy, as equivalent to be missing. If this changes in the future, please adjust addAccount and setAccount
-const assignableProps = ['redirect', 'ignore_limits', 'belongs', 'admin'];
+const assignableProps = ['redirect', 'ignore_limits', 'belongs', 'admin', 'disabled'];
 function addAccount(username, props) {
     username = normalizeUsername(username);
     if (!username || getAccount(username, false))
@@ -133,6 +134,8 @@ function setAccount(acc, changes) {
         if (!v)
             rest[k] = undefined;
     Object.assign(acc, rest);
+    if (!acc.disabled)
+        delete acc.disabled;
     if (changes.username)
         renameAccount(acc.username, changes.username);
     saveAccountsAsap();
@@ -167,9 +170,13 @@ function accountHasPassword(account) {
 }
 exports.accountHasPassword = accountHasPassword;
 function accountCanLogin(account) {
-    return accountHasPassword(account);
+    return accountHasPassword(account) && !allDisabled(account);
 }
 exports.accountCanLogin = accountCanLogin;
+function allDisabled(account) {
+    var _a;
+    return Boolean(account.disabled || ((_a = account.belongs) === null || _a === void 0 ? void 0 : _a.map(u => getAccount(u, false)).every(a => a && allDisabled(a))));
+}
 function accountCanLoginAdmin(account) {
     return accountCanLogin(account) && Boolean(getFromAccount(account, a => a.admin));
 }

package/src/plugins.js

@@ -27,7 +27,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parsePluginSource = exports.rescan = exports.pluginsConfig = exports.enablePlugins = exports.pluginsWatcher = exports.getAvailablePlugins = exports.Plugin = exports.pluginsMiddleware = exports.getPluginConfigFields = exports.findPluginByRepo = exports.mapPlugins = exports.getPluginInfo = exports.setPluginConfig = exports.startPlugin = exports.stopPlugin = exports.enablePlugin = exports.isPluginEnabled = exports.isPluginRunning = exports.STORAGE_FOLDER = exports.DISABLING_POSTFIX = exports.PATH = void 0;
+exports.getMissingDependencies = exports.parsePluginSource = exports.rescan = exports.pluginsConfig = exports.enablePlugins = exports.pluginsWatcher = exports.getAvailablePlugins = exports.mapPlugins = exports.Plugin = exports.pluginsMiddleware = exports.getPluginConfigFields = exports.findPluginByRepo = exports.getPluginInfo = exports.setPluginConfig = exports.startPlugin = exports.stopPlugin = exports.enablePlugin = exports.isPluginEnabled = exports.isPluginRunning = exports.STORAGE_FOLDER = exports.DISABLING_POSTFIX = exports.PATH = void 0;
 const fast_glob_1 = __importDefault(require("fast-glob"));
 const watchLoad_1 = require("./watchLoad");
 const lodash_1 = __importDefault(require("lodash"));
@@ -102,17 +102,6 @@ function getPluginInfo(id) {
     return running && Object.assign(running, { id }) || availablePlugins[id];
 }
 exports.getPluginInfo = getPluginInfo;
-function mapPlugins(cb) {
-    return lodash_1.default.map(plugins, (pl, plName) => {
-        try {
-            return cb(pl, plName);
-        }
-        catch (e) {
-            console.log('plugin error', plName, String(e));
-        }
-    }).filter(x => x !== undefined);
-}
-exports.mapPlugins = mapPlugins;
 function findPluginByRepo(repo) {
     return lodash_1.default.find(plugins, pl => match(pl.getData()))
         || lodash_1.default.find(availablePlugins, match);
@@ -127,16 +116,6 @@ function getPluginConfigFields(id) {
     return (_a = plugins[id]) === null || _a === void 0 ? void 0 : _a.getData().config;
 }
 exports.getPluginConfigFields = getPluginConfigFields;
-const serverCode = (0, config_1.defineConfig)('server_code', '', async (script, { k }) => {
-    const res = {};
-    try {
-        new Function('exports', script)(res); // parse
-        return await initPlugin(res);
-    }
-    catch (e) {
-        return console.error(k + ':', e.message || String(e));
-    }
-});
 async function initPlugin(pl, more) {
     var _a;
     return Object.assign(pl, await ((_a = pl.init) === null || _a === void 0 ? void 0 : _a.call(pl, {
@@ -152,14 +131,10 @@ async function initPlugin(pl, more) {
     })));
 }
 const pluginsMiddleware = async (ctx, next) => {
-    var _a;
     const after = {};
     // run middleware plugins
-    const entries = Object.entries(plugins);
-    const sc = await serverCode.compiled();
-    if (sc)
-        entries.push(['.', await serverCode.compiled()]);
-    for (const [id, pl] of entries)
+    await Promise.all(mapPlugins(async (pl, id) => {
+        var _a;
         try {
             const res = await ((_a = pl.middleware) === null || _a === void 0 ? void 0 : _a.call(pl, ctx));
             if (res === true)
@@ -170,7 +145,8 @@ const pluginsMiddleware = async (ctx, next) => {
         catch (e) {
             printError(id, e);
         }
-    // expose public plugins' files
+    }));
+    // expose public plugins' files`
     if (!ctx.pluginBlockedRequest) {
         const { path } = ctx;
         if (path.startsWith(const_1.PLUGINS_PUB_URI)) {
@@ -215,11 +191,13 @@ class Plugin {
                 console.warn('invalid', k);
             }
         }
+        plugins[id] = this;
     }
-    get version() {
-        var _a;
-        return (_a = this.data) === null || _a === void 0 ? void 0 : _a.version;
-    }
+    get version() { var _a; return (_a = this.data) === null || _a === void 0 ? void 0 : _a.version; }
+    get description() { var _a; return (_a = this.data) === null || _a === void 0 ? void 0 : _a.description; }
+    get apiRequired() { var _a; return (_a = this.data) === null || _a === void 0 ? void 0 : _a.apiRequired; }
+    get repo() { var _a; return (_a = this.data) === null || _a === void 0 ? void 0 : _a.repo; }
+    get depend() { var _a; return (_a = this.data) === null || _a === void 0 ? void 0 : _a.depend; }
     get middleware() {
         var _a;
         return (_a = this.data) === null || _a === void 0 ? void 0 : _a.middleware;
@@ -259,6 +237,33 @@ class Plugin {
     }
 }
 exports.Plugin = Plugin;
+const SERVER_CODE_ID = '.';
+const serverCode = (0, config_1.defineConfig)('server_code', '', async (script, { k }) => {
+    const res = {};
+    try {
+        new Function('exports', script)(res); // parse
+        return new Plugin(SERVER_CODE_ID, '', await initPlugin(res), lodash_1.default.noop); // '.' is a name that will surely be not found among plugin folders
+    }
+    catch (e) {
+        return console.error(k + ':', e.message || String(e));
+    }
+});
+let serverCodePlugin;
+serverCode.sub(() => serverCode.compiled().then(x => serverCodePlugin = x));
+function mapPlugins(cb, includeServerCode = true) {
+    const entries = Object.entries(plugins);
+    return entries.map(([plName, pl]) => {
+        if (!includeServerCode && plName === SERVER_CODE_ID)
+            return;
+        try {
+            return cb(pl, plName);
+        }
+        catch (e) {
+            console.log('plugin error', plName, String(e));
+        }
+    }).filter(x => x !== undefined);
+}
+exports.mapPlugins = mapPlugins;
 let availablePlugins = {};
 function getAvailablePlugins() {
     return Object.values(availablePlugins);
@@ -334,8 +339,10 @@ function watchPlugin(id, path) {
     }
     async function markItAvailable() {
         delete plugins[id];
-        const source = await (0, promises_1.readFile)(module, 'utf8');
-        availablePlugins[id] = parsePluginSource(id, source);
+        availablePlugins[id] = await parsePlugin();
+    }
+    async function parsePlugin() {
+        return parsePluginSource(id, await (0, promises_1.readFile)(module, 'utf8'));
     }
     async function stop() {
         await starting;
@@ -352,6 +359,10 @@ function watchPlugin(id, path) {
             return;
         try {
             starting = (0, misc_1.pendingPromise)();
+            // if dependencies are not ready right now, we give some time. Not super-solid but good enough for now.
+            const info = await parsePlugin();
+            if (!await (0, misc_1.waitFor)(async () => lodash_1.default.isEmpty(await getMissingDependencies(info)), { timeout: 5000 }))
+                return console.debug("plugin missing dependencies", id);
             if (getPluginInfo(id))
                 setError(id, '');
             const alreadyRunning = plugins[id];
@@ -392,7 +403,7 @@ function watchPlugin(id, path) {
             const folder = (0, path_1.dirname)(module);
             const { state, unwatch } = (0, customHtml_1.watchLoadCustomHtml)(folder);
             pluginData.customHtml = state;
-            const plugin = plugins[id] = new Plugin(id, folder, pluginData, unwatch);
+            const plugin = new Plugin(id, folder, pluginData, unwatch);
             if (alreadyRunning)
                 events_1.default.emit('pluginUpdated', Object.assign(lodash_1.default.pick(plugin, 'started'), getPluginInfo(id)));
             else {
@@ -401,6 +412,7 @@ function watchPlugin(id, path) {
                     delete availablePlugins[id];
                 events_1.default.emit(wasInstalled ? 'pluginStarted' : 'pluginInstalled', plugin);
             }
+            events_1.default.emit('pluginStarted:' + id);
         }
         catch (e) {
             await markItAvailable();
@@ -414,8 +426,8 @@ function watchPlugin(id, path) {
         }
     }
 }
-function customApiCall(method, params) {
-    return mapPlugins(pl => { var _a, _b; return (_b = (_a = pl.getData().customApi) === null || _a === void 0 ? void 0 : _a[method]) === null || _b === void 0 ? void 0 : _b.call(_a, params); });
+function customApiCall(method, ...params) {
+    return mapPlugins(pl => { var _a, _b; return (_b = (_a = pl.getData().customApi) === null || _a === void 0 ? void 0 : _a[method]) === null || _b === void 0 ? void 0 : _b.call(_a, ...params); });
 }
 function getError(id) {
     return getPluginInfo(id).error;
@@ -470,3 +482,15 @@ function calculateBadApi(data) {
         : max < const_1.COMPATIBLE_API_VERSION ? "may not work correctly as it is designed for an older version of HFS - check for updates"
             : undefined;
 }
+async function getMissingDependencies(plugin) {
+    return (0, misc_1.onlyTruthy)(((plugin === null || plugin === void 0 ? void 0 : plugin.depend) || []).map((dep) => {
+        const res = findPluginByRepo(dep.repo);
+        const error = !res ? 'missing'
+            : (res.version || 0) < dep.version ? 'version'
+                : !isPluginEnabled(res.id) ? 'disabled'
+                    : !isPluginRunning(res.id) ? 'stopped'
+                        : '';
+        return error && { repo: dep.repo, error, id: res === null || res === void 0 ? void 0 : res.id };
+    }));
+}
+exports.getMissingDependencies = getMissingDependencies;

package/src/serveFile.js

@@ -22,11 +22,10 @@ function serveFileNode(ctx, node) {
     const name = (0, vfs_1.getNodeName)(node);
     const mimeString = typeof mime === 'string' ? mime
         : lodash_1.default.find(mime, (val, mask) => (0, misc_1.matches)(name, mask));
-    const allowed = allowedReferer.get();
-    if (allowed) {
+    if (allowedReferer.get()) {
         const ref = (_a = /\/\/([^:/]+)/.exec(ctx.get('referer'))) === null || _a === void 0 ? void 0 : _a[1]; // extract host from url
         if (ref && ref !== host() // automatic accept if referer is basically the hosting domain
-            && !(0, misc_1.matches)(ref, allowed))
+            && !(0, misc_1.matches)(ref, allowedReferer.get()))
             return ctx.status = const_1.HTTP_FORBIDDEN;
     }
     ctx.vfsNode = node; // useful to tell service files from files shared by the user

package/src/upload.js

@@ -15,6 +15,7 @@ const util_os_1 = require("./util-os");
 const connections_1 = require("./connections");
 const throttler_1 = require("./throttler");
 const perm_1 = require("./perm");
+const comments_1 = require("./comments");
 exports.deleteUnfinishedUploadsAfter = (0, config_1.defineConfig)('delete_unfinished_uploads_after', 86400);
 exports.minAvailableMb = (0, config_1.defineConfig)('min_available_mb', 100);
 const dontOverwriteUploading = (0, config_1.defineConfig)('dont_overwrite_uploading', false);
@@ -98,7 +99,10 @@ function uploadWriter(base, path, ctx) {
                 while (fs_1.default.existsSync(dest));
             }
             return fs_1.default.rename(tempName, dest, err => {
-                err && console.error("couldn't rename temp to", dest, String(err));
+                if (err)
+                    console.error("couldn't rename temp to", dest, String(err));
+                else if (ctx.query.comment)
+                    (0, comments_1.setCommentFor)(dest, (0, misc_1.escapeHTML)(String(ctx.query.comment)));
                 if (resumable)
                     delayedDelete(resumable, 0);
             });

package/src/util-files.js

@@ -1,11 +1,34 @@
 "use strict";
 // This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.loadFileAttr = exports.storeFileAttr = exports.isValidFileName = exports.createFileWithPath = exports.prepareFolder = exports.unzip = exports.dirStream = exports.adjustStaticPathForGlob = exports.dirTraversal = exports.watchDir = exports.readFileBusy = exports.isDirectory = void 0;
-const promises_1 = __importDefault(require("fs/promises"));
+exports.parseFile = exports.loadFileAttr = exports.storeFileAttr = exports.isValidFileName = exports.createFileWithPath = exports.prepareFolder = exports.unzip = exports.dirStream = exports.adjustStaticPathForGlob = exports.dirTraversal = exports.watchDir = exports.readFileBusy = exports.isDirectory = void 0;
+const promises_1 = __importStar(require("fs/promises"));
 const misc_1 = require("./misc");
 const util_1 = require("util");
 const fs_1 = require("fs");
@@ -176,3 +199,16 @@ async function loadFileAttr(path, k) {
     return (_a = (0, misc_1.tryJson)(String(await (0, util_1.promisify)(fs_x_attributes_1.default.get)(path, FILE_ATTR_PREFIX + k)))) !== null && _a !== void 0 ? _a : undefined; // normalize, as we get null instead of undefined on windows
 }
 exports.loadFileAttr = loadFileAttr;
+// read and parse a file, caching unless timestamp has changed
+const cache = new Map();
+async function parseFile(path, parse) {
+    const { mtime: ts } = await (0, promises_1.stat)(path);
+    const cached = cache.get(path);
+    if (ts === (cached === null || cached === void 0 ? void 0 : cached.ts))
+        return cached.parsed;
+    const raw = await (0, promises_1.readFile)(path, 'utf8');
+    const parsed = parse(raw);
+    cache.set(path, { ts, parsed });
+    return parsed;
+}
+exports.parseFile = parseFile;

package/src/util-http.js

@@ -7,15 +7,17 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.httpStream = exports.httpString = void 0;
 const node_http_1 = __importDefault(require("node:http"));
 const node_https_1 = __importDefault(require("node:https"));
-const const_1 = require("./const");
+const lodash_1 = __importDefault(require("lodash"));
+// in case the response is not 2xx, it will throw and the error object is the Response object
 function httpString(url, options) {
     return httpStream(url, options).then(res => new Promise(resolve => {
         let buf = '';
         res.on('data', chunk => buf += chunk.toString());
-        res.on('end', () => resolve(Object.assign(res, {
-            ok: (res.statusCode || 400) < 400,
-            body: buf
-        })));
+        res.on('end', () => {
+            if (!lodash_1.default.inRange(res.statusCode, 200, 299))
+                throw res;
+            resolve(buf);
+        });
     }));
 }
 exports.httpString = httpString;
@@ -28,7 +30,7 @@ function httpStream(url, { body, ...options } = {}) {
             console.debug("http responded", res.statusCode, "to", url);
             if (!res.statusCode || res.statusCode >= 400)
                 return reject(new Error(String(res.statusCode), { cause: res }));
-            if (res.statusCode === const_1.HTTP_TEMPORARY_REDIRECT && res.headers.location)
+            if (res.headers.location)
                 return resolve(httpStream(res.headers.location, options));
             resolve(res);
         }).on('error', e => {

package/src/vfs.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parentMaskApplier = exports.masksCouldGivePermission = exports.walkNode = exports.statusCodeForMissingPerm = exports.hasPermission = exports.nodeIsDirectory = exports.getNodeName = exports.saveVfs = exports.vfs = exports.urlToNode = exports.applyParentToChild = exports.isSameFilenameAs = exports.MIME_AUTO = exports.PERM_KEYS = exports.defaultPerms = exports.WHO_ANY_ACCOUNT = exports.WHO_NO_ONE = exports.WHO_ANYONE = void 0;
+exports.parentMaskApplier = exports.masksCouldGivePermission = exports.walkNode = exports.statusCodeForMissingPerm = exports.hasPermission = exports.nodeIsDirectory = exports.getNodeName = exports.saveVfs = exports.vfs = exports.urlToNode = exports.applyParentToChild = exports.isSameFilenameAs = exports.permsFromParent = exports.MIME_AUTO = void 0;
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = require("path");
 const misc_1 = require("./misc");
@@ -13,46 +13,38 @@ const config_1 = require("./config");
 const const_1 = require("./const");
 const events_1 = __importDefault(require("./events"));
 const perm_1 = require("./perm");
-exports.WHO_ANYONE = true;
-exports.WHO_NO_ONE = false;
-exports.WHO_ANY_ACCOUNT = '*';
-exports.defaultPerms = {
-    can_see: 'can_read',
-    can_read: exports.WHO_ANYONE,
-    can_list: 'can_read',
-    can_upload: exports.WHO_NO_ONE,
-    can_delete: exports.WHO_NO_ONE,
-};
-exports.PERM_KEYS = (0, misc_1.typedKeys)(exports.defaultPerms);
 exports.MIME_AUTO = 'auto';
-function inheritFromParent(parent, child) {
-    var _a, _b, _c;
-    for (const k of (0, misc_1.typedKeys)(exports.defaultPerms)) {
+function permsFromParent(parent, child) {
+    const ret = {};
+    for (const k of misc_1.PERM_KEYS) {
         let p = parent;
         let inheritedPerm;
         while (p) {
             inheritedPerm = p[k];
-            // // in case of object without children, parent is skipped in favor of the parent's parent
-            if (!isWhoObject(inheritedPerm))
+            // in case of object without children, parent is skipped in favor of the parent's parent
+            if (!(0, misc_1.isWhoObject)(inheritedPerm))
                 break;
             inheritedPerm = inheritedPerm.children;
             if (inheritedPerm !== undefined)
                 break;
             p = p.parent;
         }
-        if (inheritedPerm !== undefined) // small optimization: don't expand the object
-            (_a = child[k]) !== null && _a !== void 0 ? _a : (child[k] = inheritedPerm);
+        if (inheritedPerm !== undefined && child[k] === undefined) // small optimization: don't expand the object
+            ret[k] = inheritedPerm;
     }
+    return lodash_1.default.isEmpty(ret) ? undefined : ret;
+}
+exports.permsFromParent = permsFromParent;
+function inheritFromParent(parent, child) {
+    var _a, _b;
+    Object.assign(child, permsFromParent(parent, child));
     if (typeof parent.mime === 'object' && typeof child.mime === 'object')
         lodash_1.default.defaults(child.mime, parent.mime);
     else
-        (_b = child.mime) !== null && _b !== void 0 ? _b : (child.mime = parent.mime);
-    (_c = child.accept) !== null && _c !== void 0 ? _c : (child.accept = parent.accept);
+        (_a = child.mime) !== null && _a !== void 0 ? _a : (child.mime = parent.mime);
+    (_b = child.accept) !== null && _b !== void 0 ? _b : (child.accept = parent.accept);
     return child;
 }
-function isWhoObject(v) {
-    return v !== null && typeof v === 'object' && !Array.isArray(v);
-}
 function isSameFilenameAs(name) {
     const lc = name.toLowerCase();
     return (other) => lc === (typeof other === 'string' ? other : getNodeName(other)).toLowerCase();
@@ -183,25 +175,25 @@ function statusCodeForMissingPerm(node, perm, ctx, assign = true) {
             return const_1.HTTP_FORBIDDEN;
         // calculate value of permission resolving references to other permissions, avoiding infinite loop
         let who;
-        let max = exports.PERM_KEYS.length;
+        let max = misc_1.PERM_KEYS.length;
         do {
             who = node[perm];
-            if (isWhoObject(who))
+            if ((0, misc_1.isWhoObject)(who))
                 who = who.this;
-            who !== null && who !== void 0 ? who : (who = exports.defaultPerms[perm]);
-            if (!max-- || typeof who !== 'string' || who === exports.WHO_ANY_ACCOUNT)
+            who !== null && who !== void 0 ? who : (who = misc_1.defaultPerms[perm]);
+            if (!max-- || typeof who !== 'string' || who === misc_1.WHO_ANY_ACCOUNT)
                 break;
             perm = who;
         } while (1);
         if (Array.isArray(who)) {
             const arr = who; // shut up ts
             // check if I or any ancestor match `who`, but cache ancestors' usernames inside context state
-            const some = (0, misc_1.getOrSet)(ctx.state, 'usernames', () => (0, perm_1.getCurrentUsernameExpanded)(ctx))
+            const some = (0, misc_1.getOrSet)(ctx.state, 'usernames', () => (0, perm_1.expandUsername)((0, perm_1.getCurrentUsername)(ctx)))
                 .some((u) => arr.includes(u));
             return some ? 0 : const_1.HTTP_UNAUTHORIZED;
         }
         return typeof who === 'boolean' ? (who ? 0 : const_1.HTTP_FORBIDDEN)
-            : who === exports.WHO_ANY_ACCOUNT ? (ctx.state.account ? 0 : const_1.HTTP_UNAUTHORIZED)
+            : who === misc_1.WHO_ANY_ACCOUNT ? (ctx.state.account ? 0 : const_1.HTTP_UNAUTHORIZED)
                 : (0, misc_1.throw_)(Error('invalid permission: ' + JSON.stringify(who)));
     }
 }
@@ -235,7 +227,7 @@ async function* walkNode(parent, ctx, depth = 0, prefixPath = '', requiredPerm)
             parentsCache.set(name, item);
             inheritMasks(item, parent, nodeName);
             if (!ctx || hasPermission(item, 'can_list', ctx)) // check perm before recursion
-                yield* walkNode(item, ctx, depth - 1, name + '/');
+                yield* walkNode(item, ctx, depth - 1, name + '/', requiredPerm);
         }
     if (!source)
         return;
@@ -338,7 +330,7 @@ events_1.default.on('accountRenamed', (from, to) => {
     ;
     (function renameInNode(n) {
         var _a;
-        for (const k of exports.PERM_KEYS)
+        for (const k of misc_1.PERM_KEYS)
             renameInPerm(n[k]);
         if (n.masks)
             Object.values(n.masks).forEach(renameInNode);

package/src/watchLoad.js

@@ -13,21 +13,14 @@ function watchLoad(path, parser, { failedOnFirstAttempt, immediateFirst } = {})
     let watcher;
     const debounced = (0, misc_1.debounceAsync)(load, 500, { maxWait: 1000 });
     let retry;
-    let saving;
     let last;
     install(true);
-    return {
-        unwatch: uninstall,
-        save: (data) => Promise.resolve(saving).catch(() => { }).then(() => {
-            console.debug('writing', path);
-            return saving = promises_1.default.writeFile(path, data, 'utf8').finally(() => // save but also keep track of the current operation
-             saving = undefined);
-        }) // clear
-    };
+    const save = (0, misc_1.debounceAsync)((data) => promises_1.default.writeFile(path, data, 'utf8'));
+    return { unwatch, save };
     function install(first = false) {
         try {
             watcher = (0, fs_1.watch)(path, () => {
-                if (!saving)
+                if (!save.isWorking())
                     debounced().then();
             });
             debounced().catch(x => x);
@@ -40,7 +33,7 @@ function watchLoad(path, parser, { failedOnFirstAttempt, immediateFirst } = {})
                 failedOnFirstAttempt === null || failedOnFirstAttempt === void 0 ? void 0 : failedOnFirstAttempt();
         }
     }
-    function uninstall() {
+    function unwatch() {
         watcher === null || watcher === void 0 ? void 0 : watcher.close();
         clearTimeout(retry);
         watcher = undefined;
@@ -59,7 +52,7 @@ function watchLoad(path, parser, { failedOnFirstAttempt, immediateFirst } = {})
                 return;
             last = text;
             console.debug('loaded', path);
-            uninstall();
+            unwatch();
             install(); // reinstall, as the original file could have been renamed. We watch by the name.
             await parser(text);
         }

package/src/zip.js

@@ -24,7 +24,7 @@ async function zipStreamFromFolder(node, ctx) {
     const name = (list === null || list === void 0 ? void 0 : list.length) === 1 ? decodeURIComponent((0, path_1.basename)(list[0])) : (0, vfs_1.getNodeName)(node);
     ctx.attachment(((0, misc_1.isWindowsDrive)(name) ? name[0] : (name || 'archive')) + '.zip');
     const filter = (0, misc_1.pattern2filter)(String(ctx.query.search || ''));
-    const walker = !list ? (0, vfs_1.walkNode)(node, ctx, Infinity, '', 'can_read')
+    const walker = !list ? (0, vfs_1.walkNode)(node, ctx, Infinity, '', 'can_archive')
         : (async function* () {
             for await (const uri of list) {
                 const subNode = await (0, vfs_1.urlToNode)(uri, ctx, node);
@@ -33,7 +33,7 @@ async function zipStreamFromFolder(node, ctx) {
                 if (await (0, vfs_1.nodeIsDirectory)(subNode)) { // a directory needs to walked
                     if ((0, vfs_1.hasPermission)(subNode, 'can_list', ctx)) {
                         yield subNode; // it could be empty
-                        yield* (0, vfs_1.walkNode)(subNode, ctx, Infinity, decodeURI(uri) + '/', 'can_read');
+                        yield* (0, vfs_1.walkNode)(subNode, ctx, Infinity, decodeURI(uri) + '/', 'can_archive');
                     }
                     continue;
                 }
@@ -43,8 +43,8 @@ async function zipStreamFromFolder(node, ctx) {
             }
         })();
     const mappedWalker = (0, misc_1.filterMapGenerator)(walker, async (el) => {
-        if (!(0, vfs_1.hasPermission)(el, 'can_read', ctx))
-            return; // the fact you see it doesn't mean you can read it
+        if (!(0, vfs_1.hasPermission)(el, 'can_archive', ctx))
+            return; // the fact you see it doesn't mean you can get it
         const { source } = el;
         const name = (0, vfs_1.getNodeName)(el);
         if (ctx.req.aborted || !filter(name))