author | Lunny Xiao <xiaolunwen@gmail.com> | 2020-11-13 07:29:11 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-13 01:29:11 +0200 |
commit | ff7341b9946df665da0cd1453963733711ea7714 (patch) | |
tree | 10acf10152fb01d4cad4c5d47b4bc18bcd95ea35 /routers/private | |
parent | ee7133d135e1bf746ccd558371edd4fcdf185e7f (diff) | |
download | gitea-ff7341b9946df665da0cd1453963733711ea7714.tar.gz gitea-ff7341b9946df665da0cd1453963733711ea7714.zip |
Prevent git operations for inactive users (#13527)
* prevent git operations for inactive users
* Some fixes
* Deny push to the repositories whose owner is inactive
* deny operations also when user is ProhibitLogin
Co-authored-by: zeripath <art27@cantab.net>
Diffstat (limited to 'routers/private')
-rw-r--r-- | routers/private/serv.go | 45 |
1 files changed, 35 insertions, 10 deletions
diff --git a/routers/private/serv.go b/routers/private/serv.go
index 79683c2826..2697666b87 100644
--- a/routers/private/serv.go
+++ b/routers/private/serv.go
@@ -61,6 +61,12 @@ func ServNoCommand(ctx *macaron.Context) {
 })
 return
 }
+ if !user.IsActive || user.ProhibitLogin {
+ ctx.JSON(http.StatusForbidden, map[string]interface{}{
+ "err": "Your account is disabled.",
+ })
+ return
+ }
 results.Owner = user
 }
 ctx.JSON(http.StatusOK, &results)
@@ -98,9 +104,28 @@ func ServCommand(ctx *macaron.Context) {
 results.RepoName = repoName[:len(repoName)-5]
 }
 
+ owner, err := models.GetUserByName(results.OwnerName)
+ if err != nil {
+ log.Error("Unable to get repository owner: %s/%s Error: %v", results.OwnerName, results.RepoName, err)
+ ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
+ "results": results,
+ "type": "InternalServerError",
+ "err": fmt.Sprintf("Unable to get repository owner: %s/%s %v", results.OwnerName, results.RepoName, err),
+ })
+ return
+ }
+ if !owner.IsActive {
+ ctx.JSON(http.StatusForbidden, map[string]interface{}{
+ "results": results,
+ "type": "ForbiddenError",
+ "err": "Repository cannot be accessed, you could retry it later",
+ })
+ return
+ }
+
 // Now get the Repository and set the results section
 repoExist := true
- repo, err := models.GetRepositoryByOwnerAndName(results.OwnerName, results.RepoName)
+ repo, err := models.GetRepositoryByName(owner.ID, results.RepoName)
 if err != nil {
 if models.IsErrRepoNotExist(err) {
 repoExist = false
@@ -127,6 +152,7 @@ func ServCommand(ctx *macaron.Context) {
 
 }
 if repoExist {
+ repo.Owner = owner
 repo.OwnerName = ownerName
 results.RepoID = repo.ID
 
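Review bot: The owner lookup added in the second hunk turns an unknown owner into a 500, because a not-found error from `models.GetUserByName` falls into the same branch as a database failure, while the repository lookup a few lines below still distinguishes `models.IsErrRepoNotExist(err)` and sets `repoExist = false`. Presumably the replaced `GetRepositoryByOwnerAndName` call reported an unknown owner as a missing repository, so a fetch of a repository under a non-existent user now answers `InternalServerError` and logs at Error level instead of taking the not-found path. Check `models.IsErrUserNotExist(err)` before the generic branch and answer with `http.StatusNotFound`, using the same `type` value the existing repo-not-found path uses. The new `"err"` field also interpolates the raw `err` with `%v`, which the removed `GetOwner` block in the later hunk deliberately kept out of the client-facing message; keep the raw error in the `log.Error` call only. ServCommand's body begins and ends outside these hunks.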
@@ -217,15 +243,6 @@ func ServCommand(ctx *macaron.Context) {
 // so for now use the owner of the repository
 results.UserName = results.OwnerName
 results.UserID = repo.OwnerID
- if err = repo.GetOwner(); err != nil {
- log.Error("Unable to get owner for repo %-v. Error: %v", repo, err)
- ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
- "results": results,
- "type": "InternalServerError",
- "err": fmt.Sprintf("Unable to get owner for repo: %s/%s.", results.OwnerName, results.RepoName),
- })
- return
- }
 if !repo.Owner.KeepEmailPrivate {
 results.UserEmail = repo.Owner.Email
 }
@@ -250,6 +267,14 @@ func ServCommand(ctx *macaron.Context) {
 })
 return
 }
+
+ if !user.IsActive || user.ProhibitLogin {
+ ctx.JSON(http.StatusForbidden, map[string]interface{}{
+ "err": "Your account is disabled.",
+ })
+ return
+ }
+
 results.UserName = user.Name
 if !user.KeepEmailPrivate {
 results.UserEmail = user.Email
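Review bot: The 403 added in the last hunk omits the `"results"` and `"type"` keys that the other error responses in this commit's ServCommand hunks carry, including the inactive-owner check, which answers with `"type": "ForbiddenError"`; a caller that switches on `type` sees only a bare `err` here. Add `"results": results,` and `"type": "ForbiddenError",` to the map so the disabled-account case is reported the same way as the inactive-owner case. The removal of the `repo.GetOwner()` block in the first hunk relies on `repo.Owner = owner` being assigned under `if repoExist` earlier in the file, which is outside this hunk; a short comment above `if !repo.Owner.KeepEmailPrivate {` noting that `repo.Owner` is populated at repository lookup time would make that dependency visible. ServCommand's body continues outside the hunk.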