Fix bug when a token is given public only (#32204)

2025-07-09 20:17:21 +00:00 · 2024-10-08 17:51:09 +08:00
parent d3ada91ea4
commit d6d3c96e65
11 changed files with 178 additions and 57 deletions
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@ -63,6 +63,20 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 					ctx.Error(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
 					return
 				}
+
+				// check if scope only applies to public resources
+				publicOnly, err := scope.PublicOnly()
+				if err != nil {
+					ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
+					return
+				}
+
+				if publicOnly {
+					if ctx.Package != nil && ctx.Package.Owner.Visibility.IsPrivate() {
+						ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public packages")
+						return
+					}
+				}
 			}
 		}