Browse Source
Fix auth check bug (#24382) (#24387)
Backport #24382 by @lunny Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324 `getAuthenticatedMeta` has checked them, these code are duplicated one. And the first invokation has a wrong permission check. `DownloadHandle` should require read permission but not write. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>tags/v1.19.2
Giteabot
1 year ago
2 changed files with 41 additions and 10 deletions
+ 0
- 10
services/lfs/server.go
View File
| @@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) { | |||
| return | |||
| } | |||
| repository := getAuthenticatedRepository(ctx, rc, true) | |||
| if repository == nil { | |||
| return | |||
| } | |||
| // Support resume download using Range header | |||
| var fromByte, toByte int64 | |||
| toByte = meta.Size - 1 | |||
| @@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) { | |||
| return | |||
| } | |||
| repository := getAuthenticatedRepository(ctx, rc, true) | |||
| if repository == nil { | |||
| return | |||
| } | |||
| contentStore := lfs_module.NewContentStore() | |||
| ok, err := contentStore.Verify(meta.Pointer) | |||
+ 41
- 0
tests/integration/lfs_getobject_test.go
View File
| @@ -11,6 +11,7 @@ import ( | |||
| "net/http/httptest" | |||
| "testing" | |||
| "code.gitea.io/gitea/models/auth" | |||
| "code.gitea.io/gitea/models/db" | |||
| git_model "code.gitea.io/gitea/models/git" | |||
| repo_model "code.gitea.io/gitea/models/repo" | |||
| @@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string | |||
| return pointer.Oid | |||
| } | |||
| func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { | |||
| repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") | |||
| assert.NoError(t, err) | |||
| oid := storeObjectInRepo(t, repo.ID, content) | |||
| defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid) | |||
| token := getUserToken(t, "user2", ts) | |||
| // Request OID | |||
| req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test") | |||
| req.Header.Set("Accept-Encoding", "gzip") | |||
| req.SetBasicAuth("user2", token) | |||
| if extraHeader != nil { | |||
| for key, values := range *extraHeader { | |||
| for _, value := range values { | |||
| req.Header.Add(key, value) | |||
| } | |||
| } | |||
| } | |||
| resp := MakeRequest(t, req, expectedStatus) | |||
| return resp | |||
| } | |||
| func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { | |||
| repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") | |||
| assert.NoError(t, err) | |||
| @@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) { | |||
| checkResponseTestContentEncoding(t, &content, resp, false) | |||
| } | |||
| func TestGetLFSSmallToken(t *testing.T) { | |||
| defer tests.PrepareTestEnv(t)() | |||
| content := []byte("A very small file\n") | |||
| resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK) | |||
| checkResponseTestContentEncoding(t, &content, resp, false) | |||
| } | |||
| func TestGetLFSSmallTokenFail(t *testing.T) { | |||
| defer tests.PrepareTestEnv(t)() | |||
| content := []byte("A very small file\n") | |||
| storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden) | |||
| } | |||
| func TestGetLFSLarge(t *testing.T) { | |||
| defer tests.PrepareTestEnv(t)() | |||
| content := make([]byte, web.GzipMinSize*10) | |||
Loading…