git724/forgejo
1
0
Fork 0
Code Issues Pull requests 3 Projects 1 Releases Packages Wiki Activity

Ensure correct SSH permissions check for private and restricted users (#17370)

Browse source 
Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assumed that if the
user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
zeripath 2021-10-20 21:59:05 +01:00 committed by GitHub
commit c1110b8671
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
routers/private/serv.go
View file

@ -279,7 +279,12 @@ func ServCommand(ctx *context.PrivateContext) {
}
// Permissions checking:
if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) {
if repoExist &&
(mode > models.AccessModeRead ||
repo.IsPrivate ||
owner.Visibility.IsPrivate() ||
user.IsRestricted ||
setting.Service.RequireSignInView) {
if key.Type == models.KeyTypeDeploy {
if deployKey.Mode < mode {
ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
@ -289,7 +294,7 @@ func ServCommand(ctx *context.PrivateContext) {
return
}
} else {
// Because of special ref "refs/for" .. , need delay write permission check
// Because of the special ref "refs/for" we will need to delay write permission check
if git.SupportProcReceive && unitType == models.UnitTypeCode {
mode = models.AccessModeRead
}