Check IsActionsToken for LFS authentication (#23841) (#23875)

Backport #23841 by @Zettat123

Close #23824 

Actions cannot fetch LFS objects from private repos because LFS authentication does not check whether the requester is the `ActionUser`.

Co-authored-by: Zettat123 <zettat123@gmail.com>
Giteabot 2023-04-02 16:30:33 -04:00 committed by GitHub
parent 026167f854
commit fe7caa05cc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -18,6 +18,7 @@ import (
"strconv" "strconv"
"strings" "strings"
actions_model "code.gitea.io/gitea/models/actions"
git_model "code.gitea.io/gitea/models/git" git_model "code.gitea.io/gitea/models/git"
"code.gitea.io/gitea/models/perm" "code.gitea.io/gitea/models/perm"
access_model "code.gitea.io/gitea/models/perm/access" access_model "code.gitea.io/gitea/models/perm/access"
@ -495,10 +496,27 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
accessMode = perm.AccessModeWrite accessMode = perm.AccessModeWrite
} }
if ctx.Data["IsActionsToken"] == true {
taskID := ctx.Data["ActionsTaskID"].(int64)
task, err := actions_model.GetTaskByID(ctx, taskID)
if err != nil {
log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err)
return false
}
if task.RepoID != repository.ID {
return false
}
if task.IsForkPullRequest {
return accessMode <= perm.AccessModeRead
}
return accessMode <= perm.AccessModeWrite
}
// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess // ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer) perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
if err != nil { if err != nil {
log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository) log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
return false return false
} }