Require repo scope for PATs for private repos and basic authentication (#24362)

> The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments supports basic auth. This PR added scoped token check for them. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2025-07-22 18:28:37 +00:00 · 2023-04-26 19:24:03 -05:00
parent 8f57aa014b
commit 5e36024105
11 changed files with 117 additions and 7 deletions
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -110,6 +110,11 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 			return
 		}
 	} else { // If we have the repository we check access
+		context.CheckRepoScopedToken(ctx, repository)
+		if ctx.Written() {
+			return
+		}
+
 		perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())