Require repo scope for PATs for private repos and basic authentication (#24362)

> The scoped token PR just checked all API routes but in fact, some web
routes like `LFS`, git `HTTP`, container, and attachments supports basic
auth. This PR added scoped token check for them.

---------

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

1 files changed, 33 insertions, 0 deletions

diff --git a/modules/context/permission.go b/modules/context/permission.go
index 8cb5d09eb9..cc53fb99ed 100644
--- a/modules/context/permission.go
+++ b/modules/context/permission.go
@@ -4,6 +4,10 @@
 package context
 
 import (
+	"net/http"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/log"
 )
@@ -106,3 +110,32 @@ func RequireRepoReaderOr(unitTypes ...unit.Type) func(ctx *Context) {
 		ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 	}
 }
+
+// RequireRepoScopedToken check whether personal access token has repo scope
+func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository) {
+	if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
+		return
+	}
+
+	var err error
+	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
+	if ok { // it's a personal access token but not oauth2 token
+		var scopeMatched bool
+		scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeRepo)
+		if err != nil {
+			ctx.ServerError("HasScope", err)
+			return
+		}
+		if !scopeMatched && !repo.IsPrivate {
+			scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopePublicRepo)
+			if err != nil {
+				ctx.ServerError("HasScope", err)
+				return
+			}
+		}
+		if !scopeMatched {
+			ctx.Error(http.StatusForbidden)
+			return
+		}
+	}
+}