Add 'allowPosting' config

core/servers/content/nntp.js

@@ -121,6 +121,7 @@ const Responses = {
 
     SendArticle: '340 send article to be posted',
 
+    PostingNotAllowed: '440 posting not allowed',
     ArticlePostFailed: '441 posting failed',
     AuthRequired: '480 authentication required',
 };
@@ -1258,11 +1259,6 @@ exports.getModule = class NNTPServerModule extends ServerModule {
 
         const config = Config();
 
-        // add in some additional supported commands
-        const commands = Object.assign({}, NNTPServerBase.commands, {
-            POST: PostCommand,
-        });
-
         // :TODO: nntp-server doesn't currently allow posting in a nice way, so this is kludged in. Fork+MR something cleaner at some point
         class ProxySession extends NNTPServerBase.Session {
             constructor(server, stream) {
@@ -1333,12 +1329,19 @@ exports.getModule = class NNTPServerModule extends ServerModule {
         }
 
         const commonOptions = {
-            //requireAuth : true,   //  :TODO: re-enable!
             //  :TODO: How to hook into debugging?!
-            commands,
-            session: ProxySession, // :TODO: only do this is config.postingAllowed is true, else '440 posting not allowed' even if authenticated
         };
 
+        if (true === _.get(config, 'contentServers.nntp.allowPosts')) {
+            // add in some additional supported commands
+            const commands = Object.assign({}, NNTPServerBase.commands, {
+                POST: PostCommand,
+            });
+
+            commonOptions.commands = commands;
+            commonOptions.session = ProxySession;
+        }
+
         if (this.enableNntp) {
             this.nntpServer = new NNTPServer(
                 //  :TODO: according to docs: if connection is non-tls, but behind proxy (assuming TLS termination?!!) then set this to true

docs/_docs/servers/contentservers/nntp.md

@@ -12,6 +12,7 @@ The NNTP *content server* provides access to publicly exposed message conference
 | `nntp` | :-1: | Configuration block for non-secure NNTP. See Non-Secure NNTP Configuration below. |
 | `nntps` | :-1: | Configuration block for secure NNTP. See Secure NNTPS Configuration below. |
 | `publicMessageConferences` | :+1: | A map of *conference tags* to *area tags* that are publicly exposed over NNTP. Anonymous users will get read-only access to these areas. |
+| `postingAllowed` | :-1: | Allow posting from authenticated users. See [Write Access](#write-access).
 
 ### See Non-Secure NNTP Configuration
 Under `contentServers.nntp.nntp` the following configuration is allowed:
@@ -40,10 +41,20 @@ An example of generating your own cert/key pair:
 openssl req -newkey rsa:2048 -nodes -keyout ./config/nntps_key.pem -x509 -days 3050 -out ./config/nntps_cert.pem
 ```
 
-### Example Configuration
+## Write Access
+Authenticated users may write messages to a group given the following are true:
+
+1. They are connected security (NNTPS). This is a strict requirement due to how NNTP authenticates in plain-text otherwise.
+2. The authenticated user has write [ACS](../../configuration/acs.md) to the target message conference and area.
+
+> :warning: Not all [ACS](../../configuration/acs.md) checks can be made over NNTP. Any ACS requiring a "client" will return false (fail), such as `LC` ("is local?").
+
+## Example Configuration
 ```hjson
 contentServers: {
     nntp: {
+        allowPosting: true
+
         publicMessageConferences: {
             fsxnet: [
                 // Expose these areas of fsxNet