Просмотр исходного кода
Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
Fixes #11651
(cherry picked from commit 02fa329a7c)
tags/v1.11.6
Cirno the Strongest
4 лет назад
1 измененных файлов: 11 добавлений и 0 удалений
+ 11
- 0
routers/repo/http.go
Просмотреть файл
| @@ -29,6 +29,7 @@ import ( | |||
| "code.gitea.io/gitea/modules/log" | |||
| "code.gitea.io/gitea/modules/process" | |||
| "code.gitea.io/gitea/modules/setting" | |||
| "code.gitea.io/gitea/modules/structs" | |||
| "code.gitea.io/gitea/modules/timeutil" | |||
| repo_service "code.gitea.io/gitea/services/repository" | |||
| ) | |||
| @@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) { | |||
| environ []string | |||
| ) | |||
| // don't allow anonymous pulls if organization is not public | |||
| if isPublicPull { | |||
| if err := repo.GetOwner(); err != nil { | |||
| ctx.ServerError("GetOwner", err) | |||
| return | |||
| } | |||
| askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic) | |||
| } | |||
| // check access | |||
| if askAuth { | |||
| authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser) | |||
Загрузка…