diff options
author | Antoine GIRARD <sapk@users.noreply.github.com> | 2018-01-27 17:48:15 +0100 |
---|---|---|
committer | Lauris BH <lauris@nix.lv> | 2018-01-27 18:48:15 +0200 |
commit | 9e842c8a722eb1db50cfbdbe7146b67d3670052f (patch) | |
tree | d0d1f06f9363276289971759c7134149b9ec6860 /modules/lfs/locks.go | |
parent | 97fe773491ae69531141316a1178d22c8a5d1257 (diff) | |
download | gitea-9e842c8a722eb1db50cfbdbe7146b67d3670052f.tar.gz gitea-9e842c8a722eb1db50cfbdbe7146b67d3670052f.zip |
Fix SSH auth lfs locks (#3152)
* Fix SSH auth LFS locks
* Activate SSH/lock test
* Remove debug
* Follow @lunny recommendation for AfterLoad method
Diffstat (limited to 'modules/lfs/locks.go')
-rw-r--r-- | modules/lfs/locks.go | 78 |
1 files changed, 42 insertions, 36 deletions
diff --git a/modules/lfs/locks.go b/modules/lfs/locks.go index 2e776c26a0..7a7d3ad42a 100644 --- a/modules/lfs/locks.go +++ b/modules/lfs/locks.go @@ -13,24 +13,35 @@ import ( "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/setting" api "code.gitea.io/sdk/gitea" - - "gopkg.in/macaron.v1" ) -func checkRequest(req macaron.Request, post bool) int { +//checkIsValidRequest check if it a valid request in case of bad request it write the response to ctx. +func checkIsValidRequest(ctx *context.Context, post bool) bool { if !setting.LFS.StartServer { - return 404 + writeStatus(ctx, 404) + return false + } + if !MetaMatcher(ctx.Req) { + writeStatus(ctx, 400) + return false } - if !MetaMatcher(req) { - return 400 + if !ctx.IsSigned { + user, _, _, err := parseToken(ctx.Req.Header.Get("Authorization")) + if err != nil { + ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs") + writeStatus(ctx, 401) + return false + } + ctx.User = user } if post { - mediaParts := strings.Split(req.Header.Get("Content-Type"), ";") + mediaParts := strings.Split(ctx.Req.Header.Get("Content-Type"), ";") if mediaParts[0] != metaMediaType { - return 400 + writeStatus(ctx, 400) + return false } } - return 200 + return true } func handleLockListOut(ctx *context.Context, lock *models.LFSLock, err error) { @@ -59,17 +70,16 @@ func handleLockListOut(ctx *context.Context, lock *models.LFSLock, err error) { // GetListLockHandler list locks func GetListLockHandler(ctx *context.Context) { - status := checkRequest(ctx.Req, false) - if status != 200 { - writeStatus(ctx, status) + if !checkIsValidRequest(ctx, false) { return } ctx.Resp.Header().Set("Content-Type", metaMediaType) - err := models.CheckLFSAccessForRepo(ctx.User, ctx.Repo.Repository.ID, "list") + err := models.CheckLFSAccessForRepo(ctx.User, ctx.Repo.Repository, models.AccessModeRead) if err != nil { - if models.IsErrLFSLockUnauthorizedAction(err) { - ctx.JSON(403, api.LFSLockError{ + if models.IsErrLFSUnauthorizedAction(err) { + ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs") + ctx.JSON(401, api.LFSLockError{ Message: "You must have pull access to list locks : " + err.Error(), }) return @@ -96,7 +106,7 @@ func GetListLockHandler(ctx *context.Context) { path := ctx.Query("path") if path != "" { //Case where we request a specific id - lock, err := models.GetLFSLock(ctx.Repo.Repository.ID, path) + lock, err := models.GetLFSLock(ctx.Repo.Repository, path) handleLockListOut(ctx, lock, err) return } @@ -120,9 +130,7 @@ func GetListLockHandler(ctx *context.Context) { // PostLockHandler create lock func PostLockHandler(ctx *context.Context) { - status := checkRequest(ctx.Req, true) - if status != 200 { - writeStatus(ctx, status) + if !checkIsValidRequest(ctx, false) { return } ctx.Resp.Header().Set("Content-Type", metaMediaType) @@ -136,9 +144,9 @@ func PostLockHandler(ctx *context.Context) { } lock, err := models.CreateLFSLock(&models.LFSLock{ - RepoID: ctx.Repo.Repository.ID, - Path: req.Path, - Owner: ctx.User, + Repo: ctx.Repo.Repository, + Path: req.Path, + Owner: ctx.User, }) if err != nil { if models.IsErrLFSLockAlreadyExist(err) { @@ -148,8 +156,9 @@ func PostLockHandler(ctx *context.Context) { }) return } - if models.IsErrLFSLockUnauthorizedAction(err) { - ctx.JSON(403, api.LFSLockError{ + if models.IsErrLFSUnauthorizedAction(err) { + ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs") + ctx.JSON(401, api.LFSLockError{ Message: "You must have push access to create locks : " + err.Error(), }) return @@ -164,18 +173,16 @@ func PostLockHandler(ctx *context.Context) { // VerifyLockHandler list locks for verification func VerifyLockHandler(ctx *context.Context) { - status := checkRequest(ctx.Req, true) - if status != 200 { - writeStatus(ctx, status) + if !checkIsValidRequest(ctx, false) { return } - ctx.Resp.Header().Set("Content-Type", metaMediaType) - err := models.CheckLFSAccessForRepo(ctx.User, ctx.Repo.Repository.ID, "verify") + err := models.CheckLFSAccessForRepo(ctx.User, ctx.Repo.Repository, models.AccessModeWrite) if err != nil { - if models.IsErrLFSLockUnauthorizedAction(err) { - ctx.JSON(403, api.LFSLockError{ + if models.IsErrLFSUnauthorizedAction(err) { + ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs") + ctx.JSON(401, api.LFSLockError{ Message: "You must have push access to verify locks : " + err.Error(), }) return @@ -211,9 +218,7 @@ func VerifyLockHandler(ctx *context.Context) { // UnLockHandler delete locks func UnLockHandler(ctx *context.Context) { - status := checkRequest(ctx.Req, true) - if status != 200 { - writeStatus(ctx, status) + if !checkIsValidRequest(ctx, false) { return } ctx.Resp.Header().Set("Content-Type", metaMediaType) @@ -228,8 +233,9 @@ func UnLockHandler(ctx *context.Context) { lock, err := models.DeleteLFSLockByID(ctx.ParamsInt64("lid"), ctx.User, req.Force) if err != nil { - if models.IsErrLFSLockUnauthorizedAction(err) { - ctx.JSON(403, api.LFSLockError{ + if models.IsErrLFSUnauthorizedAction(err) { + ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs") + ctx.JSON(401, api.LFSLockError{ Message: "You must have push access to delete locks : " + err.Error(), }) return |