authorCirno the Strongest <1447794+CirnoT@users.noreply.github.com>2020-05-29 23:12:21 +0200
committerGitHub <noreply@github.com>2020-05-29 22:12:21 +0100
commit95af6096fbd65d9b28a8a4b6ecbb2beb883183d6 (patch)
tree332cd0cf71bd39d5b1682c8cd1d3f9316c527417
parent801f4b9e7a49fb6366efbb1bc6fcb31c5f7b8fcc (diff)
Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
Fixes #11651 (cherry picked from commit 02fa329a7c2190d947cd5e02ea90d2d4406653be)
-rw-r--r--routers/repo/http.go11
1 files changed, 11 insertions, 0 deletions
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 9c0834e5c3..0c746e311e 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -29,6 +29,7 @@ import (
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/process"
"code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil"
repo_service "code.gitea.io/gitea/services/repository"
)
@@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
environ []string
)
+ // don't allow anonymous pulls if organization is not public
+ if isPublicPull {
+ if err := repo.GetOwner(); err != nil {
+ ctx.ServerError("GetOwner", err)
+ return
+ }
+
+ askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
+ }
+
// check access
if askAuth {
authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
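Review bot: No regression test accompanies the new owner-visibility check in HTTP(); the diffstat lists only routers/repo/http.go. An integration test that does an unauthenticated fetch of a public repository owned by a limited organization and by a private one, and expects an authentication challenge rather than repository data, would pin this authorization fix. The comment could also state the rule as the code applies it, for example `// require authentication for pulls unless the owner's visibility is public (covers limited and private owners)`, since the condition is `!= structs.VisibleTypePublic` rather than a private-only test. Whether an authenticated non-member is then refused for a private organization depends on the access check that follows under `if askAuth`, which continues past the end of this hunk and should be confirmed there. HTTP's body starts and ends outside the hunk.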