Repositories owned by private users and organisations and pulls by restricted users need to have permissions checked. Previously Serv would simply assumed that if the user could log in and the repository was not private then it would be visible. Fix #17364 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
parent
79a3d277e5
commit
79f0b1a50b
1 changed files with 6 additions and 1 deletions
|
@ -278,7 +278,12 @@ func ServCommand(ctx *context.PrivateContext) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Permissions checking:
|
// Permissions checking:
|
||||||
if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) {
|
if repoExist &&
|
||||||
|
(mode > models.AccessModeRead ||
|
||||||
|
repo.IsPrivate ||
|
||||||
|
owner.Visibility.IsPrivate() ||
|
||||||
|
user.IsRestricted ||
|
||||||
|
setting.Service.RequireSignInView) {
|
||||||
if key.Type == models.KeyTypeDeploy {
|
if key.Type == models.KeyTypeDeploy {
|
||||||
if deployKey.Mode < mode {
|
if deployKey.Mode < mode {
|
||||||
ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
|
ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
|
||||||
|
|
Reference in a new issue