diff options
author | John Olheiser <john.olheiser@gmail.com> | 2023-04-26 19:24:03 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-26 19:24:03 -0500 |
commit | 5e360241053f6fcfb7f8b89373cba431adaf44ce (patch) | |
tree | 8253e76b296a437b3e288e5cc0b70070e9578946 /modules | |
parent | 8f57aa014b5642bcd33a6b22492df3c63f03d808 (diff) | |
download | gitea-5e360241053f6fcfb7f8b89373cba431adaf44ce.tar.gz gitea-5e360241053f6fcfb7f8b89373cba431adaf44ce.zip |
Require repo scope for PATs for private repos and basic authentication (#24362)
> The scoped token PR just checked all API routes but in fact, some web
routes like `LFS`, git `HTTP`, container, and attachments supports basic
auth. This PR added scoped token check for them.
---------
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'modules')
-rw-r--r-- | modules/context/permission.go | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/modules/context/permission.go b/modules/context/permission.go index 8cb5d09eb9..cc53fb99ed 100644 --- a/modules/context/permission.go +++ b/modules/context/permission.go @@ -4,6 +4,10 @@ package context import ( + "net/http" + + auth_model "code.gitea.io/gitea/models/auth" + repo_model "code.gitea.io/gitea/models/repo" "code.gitea.io/gitea/models/unit" "code.gitea.io/gitea/modules/log" ) @@ -106,3 +110,32 @@ func RequireRepoReaderOr(unitTypes ...unit.Type) func(ctx *Context) { ctx.NotFound(ctx.Req.URL.RequestURI(), nil) } } + +// RequireRepoScopedToken check whether personal access token has repo scope +func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository) { + if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true { + return + } + + var err error + scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope) + if ok { // it's a personal access token but not oauth2 token + var scopeMatched bool + scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeRepo) + if err != nil { + ctx.ServerError("HasScope", err) + return + } + if !scopeMatched && !repo.IsPrivate { + scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopePublicRepo) + if err != nil { + ctx.ServerError("HasScope", err) + return + } + } + if !scopeMatched { + ctx.Error(http.StatusForbidden) + return + } + } +} |