Works

2026-01-18 16:17:26 +01:00 · 2025-07-21 17:44:00 +02:00
parent 51af114b2e
commit f59df0f40a
13 changed files with 333 additions and 140 deletions
--- a/server/message_cache.go
+++ b/server/message_cache.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"path/filepath"
 	"strings"
 	"time"

@@ -286,6 +287,12 @@ type messageCache struct {

 // newSqliteCache creates a SQLite file-backed cache
 func newSqliteCache(filename, startupQueries string, cacheDuration time.Duration, batchSize int, batchTimeout time.Duration, nop bool) (*messageCache, error) {
+	// Check the parent directory of the database file (makes for friendly error messages)
+	parentDir := filepath.Dir(filename)
+	if !util.FileExists(parentDir) {
+		return nil, fmt.Errorf("cache database directory %s does not exist or is not accessible", parentDir)
+	}
+	// Open database
 	db, err := sql.Open("sqlite3", filename)
 	if err != nil {
 		return nil, err
--- a/server/server.go
+++ b/server/server.go
@@ -200,8 +200,9 @@ func New(conf *Config) (*Server, error) {
 			Filename:            conf.AuthFile,
 			StartupQueries:      conf.AuthStartupQueries,
 			DefaultAccess:       conf.AuthDefault,
-			ProvisionedUsers:    conf.AuthProvisionedUsers,
-			ProvisionedAccess:   conf.AuthProvisionedAccess,
+			ProvisionEnabled:    true, // Enable provisioning of users and access
+			ProvisionUsers:      conf.AuthProvisionedUsers,
+			ProvisionAccess:     conf.AuthProvisionedAccess,
 			BcryptCost:          conf.AuthBcryptCost,
 			QueueWriterInterval: conf.AuthStatsQueueWriterInterval,
 		}
--- a/server/server.yml
+++ b/server/server.yml
@@ -82,6 +82,10 @@
 #   set to "read-write" (default), "read-only", "write-only" or "deny-all".
 # - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable
 #   WAL mode. This is similar to cache-startup-queries. See above for details.
+# - auth-provision-users is a list of users that are automatically created when the server starts.
+#   Each entry is in the format "<username>:<bcrypt-hash>:<role>", e.g. "phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:user"
+# - auth-provision-access is a list of access control entries that are automatically created when the server starts.
+#   Each entry is in the format "<username>:<topic-pattern>:<access>", e.g. "phil:mytopic:rw" or "phil:phil-*:rw".
 #
 # Debian/RPM package users:
 #   Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
@@ -94,6 +98,8 @@
 # auth-file: <filename>
 # auth-default-access: "read-write"
 # auth-startup-queries:
+# auth-provision-users:
+# auth-provision-access:

 # If set, the X-Forwarded-For header (or whatever is configured in proxy-forwarded-header) is used to determine
 # the visitor IP address instead of the remote address of the connection.
--- a/server/server_admin.go
+++ b/server/server_admin.go
@@ -25,7 +25,7 @@ func (s *Server) handleUsersGet(w http.ResponseWriter, r *http.Request, v *visit
 		for i, g := range grants[u.ID] {
 			userGrants[i] = &apiUserGrantResponse{
 				Topic:      g.TopicPattern,
-				Permission: g.Allow.String(),
+				Permission: g.Permission.String(),
 			}
 		}
 		usersResponse[i] = &apiUserResponse{