Hi Daniel as you can see reading the code in https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326
repos are get from Settings (that you can install a custom one via custom post install scripts) and repos are compared with officialRepo array that is global scope var that you can and set via python import pyplugin_installer print pyplugin_installer.installer_data.officialRepo (u'QGIS Official Plugin Repository', 'https://plugins.qgis.org/plugins/plugins.xml', 'https://plugins.qgis.org/plugins') because it's python you can overload/alias almost everithing, also that function that have hardcoded params btw If you find useful an enhancement, please file a PR with you general solution that can be useful to other users. just my 2c because I never approached this problem... Luigi Pirelli ************************************************************************************************** * LinkedIn: https://www.linkedin.com/in/luigipirelli * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli * GitHub: https://github.com/luipir * Mastering QGIS 2nd Edition: * https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition * Hire me: http://goo.gl/BYRQKg ************************************************************************************************** On 25 January 2018 at 02:13, Daniel Silk <ds...@linz.govt.nz> wrote: > Hi all > > I am currently involved in rolling QGIS 2.18 out in a corporate environment. > The security risk of a user installing a malicious plugin from the Official > Plugin Repository has come up. > > While we can ensure our corporate plugin repository is immediately visible to > all corporate users via a startup.py script, it appears that we: > - cannot remove the Official Plugin Repository from the repository list (due > to > https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326) > - cannot disable the Official Plugin Repository via Python API (and the user > would just be able to enable via the Plugin Manager interface anyway) > - cannot set the Plugin Manager interface to only show trusted plugins > - cannot set the url parameters to include trusted=true as the url params are > hardcoded: > https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L228 > > So is there any other way to remove the Official Plugin Repository or limit > the plugins that we allow users to view and install? > > Thanks > Daniel > > ________________________________ > > This message contains information, which may be in confidence and may be > subject to legal privilege. If you are not the intended recipient, you must > not peruse, use, disseminate, distribute or copy this message. If you have > received this message in error, please notify us immediately (Phone 0800 665 > 463 or i...@linz.govt.nz) and destroy the original message. LINZ accepts no > responsibility for changes to this email, or for any attachments, after its > transmission from LINZ. Thank You. > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer@lists.osgeo.org > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer _______________________________________________ QGIS-Developer mailing list QGIS-Developer@lists.osgeo.org List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer