TRKJ/gitea
2
0
Fork 0
mirror of https://gitee.com/gitea/gitea synced 2025-11-04 08:30:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

Require repo scope for PATs for private repos and basic authentication (#24362) (#24364)

Browse Source 
Backport #24362 by @jolheiser

> The scoped token PR just checked all API routes but in fact, some web
routes like `LFS`, git `HTTP`, container, and attachments supports basic
auth. This PR added scoped token check for them.

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
Giteabot
2023-04-26 20:57:51 -04:00
committed by GitHub
parent 89297c9355
commit d2efd2bf73
11 changed files with 117 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
services/auth/basic.go
View File

@@ -102,6 +102,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
}
store.GetData()["IsApiToken"] = true
store.GetData()["ApiTokenScope"] = token.Scope
return u, nil
} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
log.Error("GetAccessTokenBySha: %v", err)

20
services/lfs/locks.go
View File

@@ -58,6 +58,11 @@ func GetListLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, rv.Authorization, true, false)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -145,6 +150,11 @@ func PostLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -212,6 +222,11 @@ func VerifyLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -278,6 +293,11 @@ func UnLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return
}
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")

15
services/lfs/server.go
View File

@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) {
return
}
repository := getAuthenticatedRepository(ctx, rc, true)
if repository == nil {
return
}
// Support resume download using Range header
var fromByte, toByte int64
toByte = meta.Size - 1
@@ -360,6 +365,11 @@ func VerifyHandler(ctx *context.Context) {
return
}
repository := getAuthenticatedRepository(ctx, rc, true)
if repository == nil {
return
}
contentStore := lfs_module.NewContentStore()
ok, err := contentStore.Verify(meta.Pointer)
@@ -423,6 +433,11 @@ func getAuthenticatedRepository(ctx *context.Context, rc *requestContext, requir
return nil
}
context.CheckRepoScopedToken(ctx, repository)
if ctx.Written() {
return nil
}
return repository
}