mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-11-04 08:21:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix missing authorization check on pull for public repos of private/limited org (#11656)

Browse source 
Fixes #11651
This commit is contained in:
Cirno the Strongest 2020-05-29 16:47:17 +02:00 committed by GitHub
commit 02fa329a7c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
routers/repo/http.go
View file

@ -29,6 +29,7 @@ import (
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/process" "code.gitea.io/gitea/modules/process"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/timeutil"
repo_service "code.gitea.io/gitea/services/repository" repo_service "code.gitea.io/gitea/services/repository"
) )
@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
environ []string environ []string
) )
// don't allow anonymous pulls if organization is not public
if isPublicPull {
if err := repo.GetOwner(); err != nil {
ctx.ServerError("GetOwner", err)
return
}
askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
}
// check access // check access
if askAuth { if askAuth {
authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser) authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)