Fix package access for admins and inactive users (#21580) (#21592)

author KN4CK3R <admin@oldschoolhack.me>

Fri, 28 Oct 2022 01:38:59 +0000 (03:38 +0200)

committer GitHub <noreply@github.com>

Fri, 28 Oct 2022 01:38:59 +0000 (09:38 +0800)
author KN4CK3R <admin@oldschoolhack.me>
Fri, 28 Oct 2022 01:38:59 +0000 (03:38 +0200)
committer GitHub <noreply@github.com>
Fri, 28 Oct 2022 01:38:59 +0000 (09:38 +0800)
diff --git a/integrations/api_packages_container_test.go b/integrations/api_packages_container_test.go

index af659363d595a72eefc1e44858a0b609abe50af6..ad987a662e979056b410633d8615364a94d7646d 100644 (file)
--- a/integrations/api_packages_container_test.go
+++ b/integrations/api_packages_container_test.go
@@ -433,6 +433,10 @@ func TestPackageContainer(t *testing.T) {
  
                                 assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
                                 assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
+
+                               req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
+                               addTokenAuthHeader(req, anonymousToken)
+                               MakeRequest(t, req, http.StatusOK)
                         })
  
                         t.Run("GetBlob", func(t *testing.T) {
diff --git a/integrations/api_packages_test.go b/integrations/api_packages_test.go

index 1f24807060df752f004f65e1b661e32c2a40ca9c..5b871cd476ec0c940ba221a2b2ffcec1cf3678a8 100644 (file)
--- a/integrations/api_packages_test.go
+++ b/integrations/api_packages_test.go
@@ -24,6 +24,7 @@ import (
  
  func TestPackageAPI(t *testing.T) {
         defer prepareTestEnv(t)()
+
         user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}).(*user_model.User)
         session := loginUser(t, user.Name)
         token := getTokenForLoggedInUser(t, session)
@@ -143,6 +144,27 @@ func TestPackageAPI(t *testing.T) {
         })
  }
  
+func TestPackageAccess(t *testing.T) {
+       defer prepareTestEnv(t)()
+
+       admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}).(*user_model.User)
+       user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User)
+       inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9}).(*user_model.User)
+
+       uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
+               url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
+               req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
+               AddBasicAuthHeader(req, doer.Name)
+               MakeRequest(t, req, expectedStatus)
+       }
+
+       uploadPackage(user, inactive, http.StatusUnauthorized)
+       uploadPackage(inactive, inactive, http.StatusUnauthorized)
+       uploadPackage(inactive, user, http.StatusUnauthorized)
+       uploadPackage(admin, inactive, http.StatusCreated)
+       uploadPackage(admin, user, http.StatusCreated)
+}
+
  func TestPackageCleanup(t *testing.T) {
         defer prepareTestEnv(t)()
  
diff --git a/modules/context/package.go b/modules/context/package.go

index 89a8c4466c154c2734efe23f89c46389e5a1e559..5ccea9ee9b7efabea058c44b311d7071d9e6157d 100644 (file)
--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -83,12 +83,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
  }
  
  func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
-       accessMode := perm.AccessModeNone
-
         if setting.Service.RequireSignInView && ctx.Doer == nil {
-               return accessMode, nil
+               return perm.AccessModeNone, nil
         }
  
+       if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
+               return perm.AccessModeNone, nil
+       }
+
+       accessMode := perm.AccessModeNone
         if ctx.Package.Owner.IsOrganization() {
                 org := organization.OrgFromUser(ctx.Package.Owner)
  
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go

index 96924698a3c10c9bad9e8bcfd7ebc7b2a9dbc679..0df6012b566b7cdd8c3cad1a075fa13422d4d7cb 100644 (file)
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -55,6 +55,7 @@ func Routes() *web.Route {
         authGroup := auth.NewGroup(authMethods...)
         r.Use(func(ctx *context.Context) {
                 ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+               ctx.IsSigned = ctx.Doer != nil
         })
  
         r.Group("/{username}", func() {
@@ -256,6 +257,7 @@ func ContainerRoutes() *web.Route {
         authGroup := auth.NewGroup(authMethods...)
         r.Use(func(ctx *context.Context) {
                 ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+               ctx.IsSigned = ctx.Doer != nil
         })
  
         r.Get("", container.ReqContainerAccess, container.DetermineSupport)
author	KN4CK3R <admin@oldschoolhack.me>
	Fri, 28 Oct 2022 01:38:59 +0000 (03:38 +0200)
committer	GitHub <noreply@github.com>
	Fri, 28 Oct 2022 01:38:59 +0000 (09:38 +0800)
integrations/api_packages_container_test.go		patch \| blob \| history
integrations/api_packages_test.go		patch \| blob \| history
modules/context/package.go		patch \| blob \| history
routers/api/packages/api.go		patch \| blob \| history