Fix package access for admins and inactive users (#21580)

I noticed an admin is not allowed to upload packages for other users because `ctx.IsSigned` was not set. I added a check for `user.IsActive` and `user.ProhibitLogin` too because both was not checked. Tests enforce this now. Co-authored-by: Lauris BH <lauris@nix.lv>
author: KN4CK3R <admin@oldschoolhack.me> 2022-10-24 21:23:25 +0200
committer: GitHub <noreply@github.com> 2022-10-24 22:23:25 +0300
commit: 7c11a73833f3aa9783015e5e13871d3c298d3ef6 (patch)
tree: ae362008dffd5f24d750b7a51294e6b5b4f07636 /routers/api
parent: 49a4464160254604d2c42b760a901952d8bc3c8b (diff)
download: gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.tar.gz
gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 69c8dd6564..6f53bc4ae0 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -58,6 +58,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 	authGroup := auth.NewGroup(authMethods...)
 	r.Use(func(ctx *context.Context) {
 		ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+		ctx.IsSigned = ctx.Doer != nil
 	})
 
 	r.Group("/{username}", func() {
@@ -316,6 +317,7 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
 	authGroup := auth.NewGroup(authMethods...)
 	r.Use(func(ctx *context.Context) {
 		ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+		ctx.IsSigned = ctx.Doer != nil
 	})
 
 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)
author	KN4CK3R <admin@oldschoolhack.me>	2022-10-24 21:23:25 +0200
committer	GitHub <noreply@github.com>	2022-10-24 22:23:25 +0300
commit	7c11a73833f3aa9783015e5e13871d3c298d3ef6 (patch)
tree	ae362008dffd5f24d750b7a51294e6b5b4f07636 /routers/api
parent	49a4464160254604d2c42b760a901952d8bc3c8b (diff)
download	gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.tar.gz gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.zip