	Check IsActionsToken for LFS authentication (#23841)
		
	Close #23824.
	Actions cannot fetch LFS objects from private repos because we don't check whether the user is the `ActionUser`.
		
					parent
					
						
							
								0ed62db213
							
						
					
				
			
			
				commit
				
					
						bcc4c62b6c
					
				
			
		
					 1 changed files with 19 additions and 1 deletions
				
			
		|  | @ -17,6 +17,7 @@ import ( | |||
| 	"strconv" | ||||
| 	"strings" | ||||
| 
 | ||||
| 	actions_model "code.gitea.io/gitea/models/actions" | ||||
| 	git_model "code.gitea.io/gitea/models/git" | ||||
| 	"code.gitea.io/gitea/models/perm" | ||||
| 	access_model "code.gitea.io/gitea/models/perm/access" | ||||
|  | @ -495,10 +496,27 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho | |||
| 		accessMode = perm.AccessModeWrite | ||||
| 	} | ||||
| 
 | ||||
| 	if ctx.Data["IsActionsToken"] == true { | ||||
| 		taskID := ctx.Data["ActionsTaskID"].(int64) | ||||
| 		task, err := actions_model.GetTaskByID(ctx, taskID) | ||||
| 		if err != nil { | ||||
| 			log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err) | ||||
| 			return false | ||||
| 		} | ||||
| 		if task.RepoID != repository.ID { | ||||
| 			return false | ||||
| 		} | ||||
| 
 | ||||
| 		if task.IsForkPullRequest { | ||||
| 			return accessMode <= perm.AccessModeRead | ||||
| 		} | ||||
| 		return accessMode <= perm.AccessModeWrite | ||||
| 	} | ||||
| 
 | ||||
| 	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess | ||||
| 	perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer) | ||||
| 	if err != nil { | ||||
| 		log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository) | ||||
| 		log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err) | ||||
| 		return false | ||||
| 	} | ||||
| 
 | ||||
|  |  | |||
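Review bot: The type assertion `ctx.Data["ActionsTaskID"].(int64)` in the new `IsActionsToken` branch is unchecked, so a missing or differently typed value panics inside the LFS authentication path instead of failing closed; prefer `taskID, ok := ctx.Data["ActionsTaskID"].(int64)` followed by `if !ok { return false }`. The `task.RepoID != repository.ID` rejection returns without logging, and a task token from one repository being presented against another is worth a log line for detection, e.g. `log.Warn("Actions task[%d] of repo[%d] denied LFS access to repo[%d]", taskID, task.RepoID, repository.ID)`. The branch also relies on whatever set `IsActionsToken` having already validated the token and confirmed the task is still running; that code is not visible here, so a short comment stating the assumption would help the next reader. `authenticate` starts and ends outside the hunk.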