diff options
| author | Zettat123 <zettat123@gmail.com> | 2023-07-29 22:13:24 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-07-29 14:13:24 +0000 |
| commit | b33cf4fabcdedff126b173d81c8a5609202b39ff (patch) | |
| tree | 9bcca2ff15435b15232d197cea045a78ace040c6 /routers | |
| parent | 05d0b7ca91893b749f3e70e828f9777690ecf5f1 (diff) | |
| download | gitea-b33cf4fabcdedff126b173d81c8a5609202b39ff.tar.gz gitea-b33cf4fabcdedff126b173d81c8a5609202b39ff.zip | |
Fix access check for org-level project (#26182)
Fix #25934
Add `ignoreGlobal` parameter to `reqUnitAccess` and only check global
disabled units when `ignoreGlobal` is true. So the org-level projects
and user-level projects won't be affected by global disabled
`repo.projects` unit.
Diffstat (limited to 'routers')
| -rw-r--r-- | routers/web/web.go | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/routers/web/web.go b/routers/web/web.go index ffc26dc291..ca75bd5967 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -254,9 +254,10 @@ func registerRoutes(m *web.Route) { } } - reqUnitAccess := func(unitType unit.Type, accessMode perm.AccessMode) func(ctx *context.Context) { + reqUnitAccess := func(unitType unit.Type, accessMode perm.AccessMode, ignoreGlobal bool) func(ctx *context.Context) { return func(ctx *context.Context) { - if unitType.UnitGlobalDisabled() { + // only check global disabled units when ignoreGlobal is false + if !ignoreGlobal && unitType.UnitGlobalDisabled() { ctx.NotFound(unitType.String(), nil) return } @@ -832,7 +833,7 @@ func registerRoutes(m *web.Route) { m.Group("", func() { m.Get("", org.Projects) m.Get("/{id}", org.ViewProject) - }, reqUnitAccess(unit.TypeProjects, perm.AccessModeRead)) + }, reqUnitAccess(unit.TypeProjects, perm.AccessModeRead, true)) m.Group("", func() { //nolint:dupl m.Get("/new", org.RenderNewProject) m.Post("/new", web.Bind(forms.CreateProjectForm{}), org.NewProjectPost) @@ -853,17 +854,17 @@ func registerRoutes(m *web.Route) { m.Post("/move", org.MoveIssues) }) }) - }, reqSignIn, reqUnitAccess(unit.TypeProjects, perm.AccessModeWrite), func(ctx *context.Context) { + }, reqSignIn, reqUnitAccess(unit.TypeProjects, perm.AccessModeWrite, true), func(ctx *context.Context) { if ctx.ContextUser.IsIndividual() && ctx.ContextUser.ID != ctx.Doer.ID { ctx.NotFound("NewProject", nil) return } }) - }, repo.MustEnableProjects) + }) m.Group("", func() { m.Get("/code", user.CodeSearch) - }, reqUnitAccess(unit.TypeCode, perm.AccessModeRead)) + }, reqUnitAccess(unit.TypeCode, perm.AccessModeRead, false)) }, ignSignIn, context_service.UserAssignmentWeb(), context.OrgAssignment()) // for "/{username}/-" (packages, projects, code) // ***** Release Attachment Download without Signin |