Fix missing authorization check on pull for public repos of private/limited org (#11656)
Fixes #11651
		
							parent
							
								
									0d9f9f7de1
								
							
						
					
					
						commit
						02fa329a7c
					
				| @ -29,6 +29,7 @@ import ( | ||||
| 	"code.gitea.io/gitea/modules/log" | ||||
| 	"code.gitea.io/gitea/modules/process" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| 	"code.gitea.io/gitea/modules/structs" | ||||
| 	"code.gitea.io/gitea/modules/timeutil" | ||||
| 	repo_service "code.gitea.io/gitea/services/repository" | ||||
| ) | ||||
| @ -135,6 +136,16 @@ func HTTP(ctx *context.Context) { | ||||
| 		environ      []string | ||||
| 	) | ||||
| 
 | ||||
| 	// don't allow anonymous pulls if organization is not public
 | ||||
| 	if isPublicPull { | ||||
| 		if err := repo.GetOwner(); err != nil { | ||||
| 			ctx.ServerError("GetOwner", err) | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic) | ||||
| 	} | ||||
| 
 | ||||
| 	// check access
 | ||||
| 	if askAuth { | ||||
| 		authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser) | ||||
|  | ||||
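Review bot: The new `isPublicPull` guard only switches `askAuth` on when `repo.Owner.Visibility != structs.VisibleTypePublic`; it does not itself decide whether the user who then authenticates may read a repository owned by a private organization. That decision has to come from the permission check further down in `HTTP`, which starts at `// check access` and continues outside this hunk. It is worth confirming that this check takes the owner's visibility into account (presumably limited means any signed-in user and private means members only) rather than only the repository's own private flag. I would make the comment state that split, e.g. `// force authentication for public repos whose owner is limited or private; access itself is decided by the permission check below`. I would also add an integration test asserting that an anonymous pull of such a repository gets an authentication challenge rather than repository data, since no test is visible in this part of the commit.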