authorKN4CK3R <admin@oldschoolhack.me>2022-10-24 21:23:25 +0200
committerGitHub <noreply@github.com>2022-10-24 22:23:25 +0300
commit7c11a73833f3aa9783015e5e13871d3c298d3ef6 (patch)
treeae362008dffd5f24d750b7a51294e6b5b4f07636 /modules
parent49a4464160254604d2c42b760a901952d8bc3c8b (diff)
Fix package access for admins and inactive users (#21580)
I noticed an admin is not allowed to upload packages for other users because `ctx.IsSigned` was not set. I added a check for `user.IsActive` and `user.ProhibitLogin` too because neither was checked. Tests enforce this now. Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'modules')
-rw-r--r--modules/context/package.go9
1 files changed, 6 insertions, 3 deletions
diff --git a/modules/context/package.go b/modules/context/package.go
index d12bdc4913..ce0f9a511b 100644
--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -85,12 +85,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
}
func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
- accessMode := perm.AccessModeNone
-
if setting.Service.RequireSignInView && ctx.Doer == nil {
- return accessMode, nil
+ return perm.AccessModeNone, nil
}
+ if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
+ return perm.AccessModeNone, nil
+ }
+
+ accessMode := perm.AccessModeNone
if ctx.Package.Owner.IsOrganization() {
org := organization.OrgFromUser(ctx.Package.Owner)