Fix missing authorization check on pull for public repos of private/limited org (#11656)
Fixes #11651
parent
0d9f9f7de1
commit
02fa329a7c
1 changed files with 11 additions and 0 deletions
|
@ -29,6 +29,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/process"
|
"code.gitea.io/gitea/modules/process"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
|
"code.gitea.io/gitea/modules/structs"
|
||||||
"code.gitea.io/gitea/modules/timeutil"
|
"code.gitea.io/gitea/modules/timeutil"
|
||||||
repo_service "code.gitea.io/gitea/services/repository"
|
repo_service "code.gitea.io/gitea/services/repository"
|
||||||
)
|
)
|
||||||
|
@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
|
||||||
environ []string
|
environ []string
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// don't allow anonymous pulls if organization is not public
|
||||||
|
if isPublicPull {
|
||||||
|
if err := repo.GetOwner(); err != nil {
|
||||||
|
ctx.ServerError("GetOwner", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
|
||||||
|
}
|
||||||
|
|
||||||
// check access
|
// check access
|
||||||
if askAuth {
|
if askAuth {
|
||||||
authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
|
authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
|
||||||
|
|
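Review bot: The added `if isPublicPull` block only sets `askAuth`, so it stops anonymous pulls but does not itself decide whether an authenticated user outside a private organization may read the repository. That decision presumably rests on the permission check further down in `HTTP`, which lies outside this hunk and should be confirmed to take the owner's visibility into account. The comment would be more precise as `// require authentication for pulls when the owner is not public (limited or private); access itself is decided by the check below`. The commit changes one file and adds no test, so a regression test for an anonymous pull and a non-member pull of a public repo under a limited and a private owner would pin the fix.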