author | KN4CK3R <admin@oldschoolhack.me> | 2022-10-24 21:23:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-24 22:23:25 +0300 |
commit | 7c11a73833f3aa9783015e5e13871d3c298d3ef6 (patch) | |
tree | ae362008dffd5f24d750b7a51294e6b5b4f07636 /modules | |
parent | 49a4464160254604d2c42b760a901952d8bc3c8b (diff) | |
download | gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.tar.gz gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.zip |
Fix package access for admins and inactive users (#21580)
I noticed an admin is not allowed to upload packages for other users
because `ctx.IsSigned` was not set.
I also added checks for `user.IsActive` and `user.ProhibitLogin`, because
neither was checked before. Tests now enforce this.
Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'modules')
-rw-r--r-- | modules/context/package.go | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/modules/context/package.go b/modules/context/package.go
index d12bdc4913..ce0f9a511b 100644
--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -85,12 +85,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
 }
 func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
- accessMode := perm.AccessModeNone
-
 if setting.Service.RequireSignInView && ctx.Doer == nil {
- return accessMode, nil
+ return perm.AccessModeNone, nil
 }
+ if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
+ return perm.AccessModeNone, nil
+ }
+
+ accessMode := perm.AccessModeNone
 if ctx.Package.Owner.IsOrganization() {
 org := organization.OrgFromUser(ctx.Package.Owner) |
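Review bot: The new guard in determineAccessMode exempts `ctx.Doer.IsGhost()` from the inactive/prohibited check without saying why, and a reader cannot tell from this hunk which caller passes a ghost Doer or what access that placeholder should end up with. I would put a comment above the condition, for example `// Inactive or login-prohibited accounts get no package access, whatever the owner or visibility.`, followed by one sentence naming the reason for the ghost exemption. It is also worth confirming that returning AccessModeNone here, before the owner evaluation, is intended even where the rest of the function would grant an anonymous request read access; that part of the body lies outside the hunk, so this is inferred.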