I have a feed set up with an API key, and Anonymous is allowed "Add_Package", as described here: https://inedo.com/support/kb/1112/api-keys-in-proget

Without logging in, I am able to "Add Package" via the Web UI using the "Upload from Disk" option.

If I select the "Pull from another repository", it prompts me to log in.

If I do it via nuget.exe from the command line, it requires either authentication or the API key.

Any assistance would be appreciated.
Thanks

Product: ProGet
Version: 4.0.9

Make sure to set up the API Key on the feed page, not in the Admin > Advanced Settings. The latter is used to interact with ProGet, whereas the feed's API key is only used for the feed.

Once a Feed API Key is specified...

Users must authenticate and have sufficient privileges to push a package to the Feed. Once the privileges are verified, the supplied API Key is checked to verify that it matches the custom key specified on the Feed Overview page. To enable anyone to push packages so long as the API Key is correct, grant the Feeds_AddPackage privilege to the Anonymous User.

Yes, the API key is defined on the feed. I wasn't even aware of the API Key in the Advanced Settings screen, which is undefined.

I'm not sure I understand the issue then? You wrote...

If I do it via nuget.exe from the command line, it requires either authentication or the API key.

So, if you configured an API Key for the feed, then you're going to still have to specify it when you push a package. What behavior are you expecting?

"Without logging in, I am able to "Add Package" via the Web UI using the "Upload from Disk" option"

This is the problem. The command line is working as expected.

I see; that's the expected behavior because you've granted "Anonymous" permissions to do those things. The API key is only used by the API.

OK, I guess I can understand that, but then why is this true?

If I select the "Pull from another repository", it prompts me to log in.

If this is truly functioning as designed/expected, a warning on your support KB page about this would seem appropriate. It seems unlikely that someone setting it up this way actually wants this behavior, and without testing every path to push a package, would have no idea.

The "Pull from Another Repository" actually requires the Feeds_PullPackage privilege; so make sure to grant anonymous that as well. Then it should work as expected!
