Correctly check http git access rights for reverse proxy authorized users (#3721)
authorLauris BH <lauris@nix.lv>
Thu, 29 Mar 2018 01:39:51 +0000 (04:39 +0300)
committerLunny Xiao <xiaolunwen@gmail.com>
Thu, 29 Mar 2018 01:39:51 +0000 (09:39 +0800)
routers/repo/http.go

index 08ccf3ed65f137375af56872d9ebcd9c8a8576f3..e4e26e4f09ee6faf4b6979a81f115d6b455b6b10 100644 (file)
@@ -184,33 +184,33 @@ func HTTP(ctx *context.Context) {
                                        return
                                }
                        }
+               }
 
-                       if !isPublicPull {
-                               has, err := models.HasAccess(authUser.ID, repo, accessMode)
-                               if err != nil {
-                                       ctx.ServerError("HasAccess", err)
-                                       return
-                               } else if !has {
-                                       if accessMode == models.AccessModeRead {
-                                               has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
-                                               if err != nil {
-                                                       ctx.ServerError("HasAccess2", err)
-                                                       return
-                                               } else if !has {
-                                                       ctx.HandleText(http.StatusForbidden, "User permission denied")
-                                                       return
-                                               }
-                                       } else {
+               if !isPublicPull {
+                       has, err := models.HasAccess(authUser.ID, repo, accessMode)
+                       if err != nil {
+                               ctx.ServerError("HasAccess", err)
+                               return
+                       } else if !has {
+                               if accessMode == models.AccessModeRead {
+                                       has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
+                                       if err != nil {
+                                               ctx.ServerError("HasAccess2", err)
+                                               return
+                                       } else if !has {
                                                ctx.HandleText(http.StatusForbidden, "User permission denied")
                                                return
                                        }
-                               }
-
-                               if !isPull && repo.IsMirror {
-                                       ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+                               } else {
+                                       ctx.HandleText(http.StatusForbidden, "User permission denied")
                                        return
                                }
                        }
+
+                       if !isPull && repo.IsMirror {
+                               ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+                               return
+                       }
                }
 
                if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {
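Review bot: The deny decision in the relocated `if !isPublicPull` block is split across two identical `ctx.HandleText(http.StatusForbidden, "User permission denied")` branches reached through `else if` after a `return`, which makes this authorization path harder to audit than it needs to be. Folding it into a single `if !has` deny, as below, keeps the behaviour unchanged. Because the check now sits one level further out, `authUser.ID` is dereferenced on every path that reaches it, and the code that assigns `authUser` lies above the hunk, so it is worth confirming it can never be nil here. A short comment above the block, such as `// must run for every authenticated user, including reverse-proxy ones`, would record why it lives at this level. The body of HTTP starts and ends outside the hunk.

```go
if !isPublicPull {
	has, err := models.HasAccess(authUser.ID, repo, accessMode)
	if err != nil {
		ctx.ServerError("HasAccess", err)
		return
	}
	if !has && accessMode == models.AccessModeRead {
		// Read request: retry at write level, as the current code does.
		has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
		if err != nil {
			ctx.ServerError("HasAccess2", err)
			return
		}
	}
	if !has {
		ctx.HandleText(http.StatusForbidden, "User permission denied")
		return
	}
	// … unchanged: mirror read-only check …
}
```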