tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-07-22 18:28:37 +00:00
Code Releases Activity

Require repo scope for PATs for private repos and basic authentication (#24362)

Browse Source 
> The scoped token PR just checked all API routes but in fact, some web
routes like `LFS`, git `HTTP`, container, and attachments supports basic
auth. This PR added scoped token check for them.

---------

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
John Olheiser
2023-04-26 19:24:03 -05:00
committed by GitHub
parent 8f57aa014b
commit 5e36024105
11 changed files with 117 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
services/lfs/locks.go
View File

@@ -58,6 +58,11 @@ func GetListLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, rv.Authorization, true, false)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -145,6 +150,11 @@ func PostLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -212,6 +222,11 @@ func VerifyLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -278,6 +293,11 @@ func UnLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")

15
services/lfs/server.go
View File

@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) {
return
}
repository := getAuthenticatedRepository(ctx, rc, true)
if repository == nil {
return
}
// Support resume download using Range header
var fromByte, toByte int64
toByte = meta.Size - 1
@@ -360,6 +365,11 @@ func VerifyHandler(ctx *context.Context) {
return
}
repository := getAuthenticatedRepository(ctx, rc, true)
if repository == nil {
return
}
contentStore := lfs_module.NewContentStore()
ok, err := contentStore.Verify(meta.Pointer)
@@ -423,6 +433,11 @@ func getAuthenticatedRepository(ctx *context.Context, rc *requestContext, requir
return nil
}
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return nil
}
return repository
}