authorJohn Olheiser <john.olheiser@gmail.com>2023-04-26 19:24:03 -0500
committerGitHub <noreply@github.com>2023-04-26 19:24:03 -0500
commit5e360241053f6fcfb7f8b89373cba431adaf44ce (patch)
tree8253e76b296a437b3e288e5cc0b70070e9578946 /modules
parent8f57aa014b5642bcd33a6b22492df3c63f03d808 (diff)
Require repo scope for PATs for private repos and basic authentication (#24362)
> The scoped token PR only checked the API routes, but in fact some web routes like `LFS`, git `HTTP`, container, and attachments support basic auth. This PR adds the scoped token check for them. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'modules')
-rw-r--r--modules/context/permission.go33
1 files changed, 33 insertions, 0 deletions
diff --git a/modules/context/permission.go b/modules/context/permission.go
index 8cb5d09eb9..cc53fb99ed 100644
--- a/modules/context/permission.go
+++ b/modules/context/permission.go
@@ -4,6 +4,10 @@
package context
import (
+ "net/http"
+
+ auth_model "code.gitea.io/gitea/models/auth"
+ repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unit"
"code.gitea.io/gitea/modules/log"
)
@@ -106,3 +110,32 @@ func RequireRepoReaderOr(unitTypes ...unit.Type) func(ctx *Context) {
ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
}
}
+
+// RequireRepoScopedToken check whether personal access token has repo scope
+func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository) {
+ if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
+ return
+ }
+
+ var err error
+ scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
+ if ok { // it's a personal access token but not oauth2 token
+ var scopeMatched bool
+ scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeRepo)
+ if err != nil {
+ ctx.ServerError("HasScope", err)
+ return
+ }
+ if !scopeMatched && !repo.IsPrivate {
+ scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopePublicRepo)
+ if err != nil {
+ ctx.ServerError("HasScope", err)
+ return
+ }
+ }
+ if !scopeMatched {
+ ctx.Error(http.StatusForbidden)
+ return
+ }
+ }
+}
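Review bot: The doc comment on the new function names `RequireRepoScopedToken` while the function is `CheckRepoScopedToken`, so godoc will not attach it and a reader is told the wrong name; it should also state the one thing a caller needs to know, that the function writes the 403/500 response itself and returns nothing, which presumably means callers have to check `ctx.Written()` before continuing. Suggested comment: `// CheckRepoScopedToken rejects a basic-auth request authenticated with a personal access token whose scope covers neither repo nor, for a public repository, public-repo. It writes the error response itself; callers should check ctx.Written() afterwards.` The early `return` when `ctx.Data["ApiTokenScope"]` is not an `auth_model.AccessTokenScope` is the permissive path (no scope is enforced at all); the inline comment suggests this is intentional for OAuth2 tokens, but since it is the branch that grants access it deserves an explicit comment saying so rather than a remark on the other branch. Finally, `var err error` is declared before the `if ok` block but only used inside it; `scopeMatched, err := scope.HasScope(auth_model.AccessTokenScopeRepo)` inside the block reads cleaner and removes the separate `var scopeMatched bool` as well. `repo` is dereferenced unconditionally at `repo.IsPrivate`, so a nil repo from a caller would panic here; whether any caller can pass nil is not visible from this hunk.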