author | David Svantesson <davidsvantesson@gmail.com> | 2019-08-24 02:33:32 +0200 |
---|---|---|
committer | Antoine GIRARD <sapk@users.noreply.github.com> | 2019-08-24 02:33:32 +0200 |
commit | ce45a8c257bee0aba37ecb92d3eaaefe0153091c (patch) | |
tree | 7e4759e7148563b177acbf20eee02bb3f43e22b7 /modules/auth | |
parent | 70d2244e49e60e11877f850803d33ef1e3900fa6 (diff) | |
Allow token as authorization for accessing attachments (#7909)
* Allow token as authorization for accessing attachments
Signed-off-by: David Svantesson <davidsvantesson@gmail.com>
* Only allow token authentication for attachments if it is a download (GET)
Diffstat (limited to 'modules/auth')
-rw-r--r-- | modules/auth/auth.go | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 74a596e8ef..68553941ec 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -29,6 +29,11 @@ func IsAPIPath(url string) bool {
 return strings.HasPrefix(url, "/api/")
 }
 
+// IsAttachmentDownload check if request is a file download (GET) with URL to an attachment
+func IsAttachmentDownload(ctx *macaron.Context) bool {
+ return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
+}
+
 // SignedInID returns the id of signed in user.
 func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 if !models.HasEngine {
@@ -36,7 +41,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 }
 
 // Check access token.
- if IsAPIPath(ctx.Req.URL.Path) {
+ if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentDownload(ctx) {
 tokenSHA := ctx.Query("token")
 if len(tokenSHA) == 0 {
 tokenSHA = ctx.Query("access_token") |
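Review bot: `IsAttachmentDownload` compares the method against the literal `"GET"` only, so a `HEAD` request for the same `/attachments/` path is not treated as a download and skips the token branch that the second hunk gates on this helper. If the attachment route answers HEAD (not visible here), a token-only client gets a different authentication result for HEAD than for GET; either accept both, `m := ctx.Req.Method` then `(m == "GET" || m == "HEAD")`, or state in the comment that HEAD is deliberately excluded. The doc comment would also read better in the usual Go form: `// IsAttachmentDownload reports whether the request is a GET for a path under /attachments/.`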
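Review bot: Widening the condition to `IsAPIPath(ctx.Req.URL.Path) || IsAttachmentDownload(ctx)` lets the `ctx.Query("token")` / `ctx.Query("access_token")` lookup run on browser-facing attachment URLs, so an access token can now sit in the query string of a link that is recorded in web-server and proxy access logs, browser history and possibly Referer headers. Nothing in the visible lines narrows what that token is good for once it identifies the user, so a leaked attachment link would presumably expose the same token that works against `/api/`. I would add a comment at the condition, `// Query-string tokens are written to access logs; prefer the Authorization header for attachment downloads.`, and confirm that whatever header-based token check SignedInID has is also reached for attachment requests. The body of SignedInID continues outside the hunk, so the rest of the token handling cannot be checked from here.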