-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature to block deleting the uploaded package #175
Comments
This is not a feature currently planned, but there is currently a private feed implementation in review that is extensible enough to later enable this kind of customization. Right now, you can set Also you may talk to your team and make sure everybody is on the same page about the process: Either packages may be arbitrarily deleted and recreated with the same version, which is absolutely not meant to ever happen in NuGet, or your push new packages each time, which is the expected way of working with NuGet packages. <Target Name="GenerateTimestampVersion">
<PropertyGroup>
<!-- Generate the version using the current UTC timestamp -->
<UtcNow Condition="'$(UtcNow)' == ''">$(MSBuildThisFileLastWriteTime)</UtcNow>
<UtcTimestamp>$([System.DateTime]::UtcNow.ToString("yyyyMMddHHmmss"))</UtcTimestamp>
<Version>1.0.$(UtcTimestamp)</Version>
<PackageVersion>1.0.$(UtcTimestamp)</PackageVersion>
<AssemblyVersion>1.0.0.0</AssemblyVersion>
<FileVersion>1.0.$(UtcTimestamp)</FileVersion>
</PropertyGroup>
</Target>
<Target Name="BeforeBuild" BeforeTargets="BeforeBuild">
<CallTarget Targets="GenerateTimestampVersion" />
</Target> Once #156 is in, you could start by giving everyone their own personal API key and in turn revoke specific API keys if misused. After that, we will think about extensions to that system. |
Possible design: Each API key gets full permissions by default, as that is the most trivial case. Different direction: Add More design discussion needed. |
Is your feature request related to a problem? Please describe.
The issue is that currently, other users have the ability to delete uploaded packages in my Baget instance. Although the system prevents overwriting the same package version, some users are bypassing this by deleting the existing package version and then re-uploading it. This can lead to potential issues, such as unintended changes or inconsistencies in the package versions available.
Describe the solution you'd like
I would like a feature that blocks users from deleting uploaded packages unless they have specific permissions. This would prevent unauthorized deletion of packages and ensure the integrity of the packages stored in the system. Ideally, only admins or users with special permissions should be able to delete packages.
Describe alternatives you've considered
An alternative solution could be to limit the delete functionality based on API keys, allowing only users with certain API keys to delete packages. Another option could be implementing a feature where package deletion triggers a warning or requires approval from an administrator. Additionally, logging deletions and notifying all users who have access to the package could be considered to review any potential issues.
The text was updated successfully, but these errors were encountered: