Fix attachment download bug (#27486) (#27570)

Backport #27486 by @lunny Fix #27204 This PR allows `/<username>/<reponame>/attachments/<uuid>` access with personal access token and also changed attachments API download url to it so it can be download correctly. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2025-08-13 04:58:19 +00:00 · 2023-10-11 10:38:50 +08:00
parent e6d1afaee3
commit 7b96f71bc7
6 changed files with 21 additions and 21 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -128,7 +128,7 @@ func (o *OAuth2) userIDFromToken(tokenSHA string, store DataStore) int64 {
 func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
-		!gitRawReleasePathRe.MatchString(req.URL.Path) {
+		!isGitRawOrAttachPath(req) {
 		return nil, nil
 	}