Fix missing authorization check on pull for public repos of private/limited org ...
authorCirno the Strongest <1447794+CirnoT@users.noreply.github.com>
Fri, 29 May 2020 21:12:21 +0000 (23:12 +0200)
committerGitHub <noreply@github.com>
Fri, 29 May 2020 21:12:21 +0000 (22:12 +0100)
Fixes #11651

(cherry picked from commit 02fa329a7c2190d947cd5e02ea90d2d4406653be)

routers/repo/http.go

index 9c0834e5c3fa622f93e8e20da01dc4e360177f99..0c746e311e56e3412cd495627953c09d1f2650f8 100644 (file)
@@ -29,6 +29,7 @@ import (
        "code.gitea.io/gitea/modules/log"
        "code.gitea.io/gitea/modules/process"
        "code.gitea.io/gitea/modules/setting"
+       "code.gitea.io/gitea/modules/structs"
        "code.gitea.io/gitea/modules/timeutil"
        repo_service "code.gitea.io/gitea/services/repository"
 )
@@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
                environ      []string
        )
 
+       // don't allow anonymous pulls if organization is not public
+       if isPublicPull {
+               if err := repo.GetOwner(); err != nil {
+                       ctx.ServerError("GetOwner", err)
+                       return
+               }
+
+               askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
+       }
+
        // check access
        if askAuth {
                authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
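Review bot: Raising askAuth when the owner is not publicly visible closes the anonymous path, but it does not by itself say whether an authenticated user who is not a member of a private-visibility organization is rejected afterwards; that depends on the access check that follows `if askAuth`, which lies outside this hunk, so the fix should be verified with a non-member authenticated pull as well as an anonymous one. The new comment is also narrower than the code: `repo.GetOwner()` and the visibility comparison run for every owner, not only organizations, so `// require authentication for pulls when the repository owner is not publicly visible` would describe the branch more accurately. The body of HTTP starts before and continues past this hunk.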