From fd6b8f36bedfc9ecc2322e03641ad3a353addbac Mon Sep 17 00:00:00 2001 From: Pavel Pulec Date: Wed, 9 Nov 2022 23:00:46 +0100 Subject: [PATCH] Do not search for releases when fallback disallowed The fuction "request.locator.get_releases" looking for releases in an upstream was called regardless of permissions that were set on a given package. Looking for releases of packages in the upstream that were disallowed by the "pypi.disallow_fallback" option exposed the names of disallowed packages to the upstream. This is unsolicited behavior. This change also fixes these warnings that were logged for all disallowed packages: WARNING [pypicloud.locator] Error fetching 'package1' from upstream: 404 Client Error: Not Found for url: https://pypi.org/pypi/package1/json Fixed issue #327 --- pypicloud/views/simple.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pypicloud/views/simple.py b/pypicloud/views/simple.py index 86f33ac7..20d830eb 100644 --- a/pypicloud/views/simple.py +++ b/pypicloud/views/simple.py @@ -161,10 +161,10 @@ def package_versions_json(context, request): def get_fallback_packages(request, package_name, redirect=True): """Get all package versions for a package from the fallback_base_url""" - releases = request.locator.get_releases(package_name) pkgs = {} if not request.access.has_permission(package_name, "fallback"): return pkgs + releases = request.locator.get_releases(package_name) for release in releases: url = release["url"] filename = posixpath.basename(url)