Prevent git operations for inactive users (#13527)
* prevent git operations for inactive users * Some fixes * Deny push to repositories whose owner is inactive * deny operations also when user is ProhibitLogin Co-authored-by: zeripath <art27@cantab.net>
This commit is contained in:
		
							parent
							
								
									ee7133d135
								
							
						
					
					
						commit
						ff7341b994
					
				| @ -61,6 +61,12 @@ func ServNoCommand(ctx *macaron.Context) { | |||||||
| 			}) | 			}) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  | 		if !user.IsActive || user.ProhibitLogin { | ||||||
|  | 			ctx.JSON(http.StatusForbidden, map[string]interface{}{ | ||||||
|  | 				"err": "Your account is disabled.", | ||||||
|  | 			}) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
| 		results.Owner = user | 		results.Owner = user | ||||||
| 	} | 	} | ||||||
| 	ctx.JSON(http.StatusOK, &results) | 	ctx.JSON(http.StatusOK, &results) | ||||||
| @ -98,9 +104,28 @@ func ServCommand(ctx *macaron.Context) { | |||||||
| 		results.RepoName = repoName[:len(repoName)-5] | 		results.RepoName = repoName[:len(repoName)-5] | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	owner, err := models.GetUserByName(results.OwnerName) | ||||||
|  | 	if err != nil { | ||||||
|  | 		log.Error("Unable to get repository owner: %s/%s Error: %v", results.OwnerName, results.RepoName, err) | ||||||
|  | 		ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ | ||||||
|  | 			"results": results, | ||||||
|  | 			"type":    "InternalServerError", | ||||||
|  | 			"err":     fmt.Sprintf("Unable to get repository owner: %s/%s %v", results.OwnerName, results.RepoName, err), | ||||||
|  | 		}) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  | 	if !owner.IsActive { | ||||||
|  | 		ctx.JSON(http.StatusForbidden, map[string]interface{}{ | ||||||
|  | 			"results": results, | ||||||
|  | 			"type":    "ForbiddenError", | ||||||
|  | 			"err":     "Repository cannot be accessed, you could retry it later", | ||||||
|  | 		}) | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	// Now get the Repository and set the results section
 | 	// Now get the Repository and set the results section
 | ||||||
| 	repoExist := true | 	repoExist := true | ||||||
| 	repo, err := models.GetRepositoryByOwnerAndName(results.OwnerName, results.RepoName) | 	repo, err := models.GetRepositoryByName(owner.ID, results.RepoName) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		if models.IsErrRepoNotExist(err) { | 		if models.IsErrRepoNotExist(err) { | ||||||
| 			repoExist = false | 			repoExist = false | ||||||
| @ -127,6 +152,7 @@ func ServCommand(ctx *macaron.Context) { | |||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	if repoExist { | 	if repoExist { | ||||||
|  | 		repo.Owner = owner | ||||||
| 		repo.OwnerName = ownerName | 		repo.OwnerName = ownerName | ||||||
| 		results.RepoID = repo.ID | 		results.RepoID = repo.ID | ||||||
| 
 | 
 | ||||||
| @ -217,15 +243,6 @@ func ServCommand(ctx *macaron.Context) { | |||||||
| 		// so for now use the owner of the repository
 | 		// so for now use the owner of the repository
 | ||||||
| 		results.UserName = results.OwnerName | 		results.UserName = results.OwnerName | ||||||
| 		results.UserID = repo.OwnerID | 		results.UserID = repo.OwnerID | ||||||
| 		if err = repo.GetOwner(); err != nil { |  | ||||||
| 			log.Error("Unable to get owner for repo %-v. Error: %v", repo, err) |  | ||||||
| 			ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ |  | ||||||
| 				"results": results, |  | ||||||
| 				"type":    "InternalServerError", |  | ||||||
| 				"err":     fmt.Sprintf("Unable to get owner for repo: %s/%s.", results.OwnerName, results.RepoName), |  | ||||||
| 			}) |  | ||||||
| 			return |  | ||||||
| 		} |  | ||||||
| 		if !repo.Owner.KeepEmailPrivate { | 		if !repo.Owner.KeepEmailPrivate { | ||||||
| 			results.UserEmail = repo.Owner.Email | 			results.UserEmail = repo.Owner.Email | ||||||
| 		} | 		} | ||||||
| @ -250,6 +267,14 @@ func ServCommand(ctx *macaron.Context) { | |||||||
| 			}) | 			}) | ||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  | 
 | ||||||
|  | 		if !user.IsActive || user.ProhibitLogin { | ||||||
|  | 			ctx.JSON(http.StatusForbidden, map[string]interface{}{ | ||||||
|  | 				"err": "Your account is disabled.", | ||||||
|  | 			}) | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
| 		results.UserName = user.Name | 		results.UserName = user.Name | ||||||
| 		if !user.KeepEmailPrivate { | 		if !user.KeepEmailPrivate { | ||||||
| 			results.UserEmail = user.Email | 			results.UserEmail = user.Email | ||||||
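Review bot: The new error branch after `owner, err := models.GetUserByName(results.OwnerName)` returns 500 InternalServerError for every error, including a nonexistent owner; before this change a bad owner name surfaced through GetRepositoryByOwnerAndName as ErrRepoNotExist and took the `repoExist = false` path, so that case now produces a 500 with an "Unable to get repository owner" body instead of the not-found handling. Suggest `if models.IsErrUserNotExist(err) { … }` ahead of the generic branch, returning what the existing repo-not-exist path returns (that branch starts inside the hunk but its response is outside it). Two smaller points: the 403 body `"Repository cannot be accessed, you could retry it later"` implies a transient condition while a deactivated owner is not, and it differs from the wording used for the same check on the HTTP route; and the owner check tests only `IsActive`, not `ProhibitLogin`, which the description says is now denied for the acting user — if leaving owners out is intended (e.g. for organizations), a one-line comment such as `// owners are only checked for IsActive; ProhibitLogin is a login restriction, not a repository one` would stop the next reader "fixing" it. ServCommand begins and ends outside this section.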
|  | |||||||
| @ -105,6 +105,10 @@ func HTTP(ctx *context.Context) { | |||||||
| 		ctx.NotFoundOrServerError("GetUserByName", models.IsErrUserNotExist, err) | 		ctx.NotFoundOrServerError("GetUserByName", models.IsErrUserNotExist, err) | ||||||
| 		return | 		return | ||||||
| 	} | 	} | ||||||
|  | 	if !owner.IsActive { | ||||||
|  | 		ctx.HandleText(http.StatusForbidden, "Repository cannot be accessed. You cannot push or open issues/pull-requests.") | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	repoExist := true | 	repoExist := true | ||||||
| 	repo, err := models.GetRepositoryByName(owner.ID, reponame) | 	repo, err := models.GetRepositoryByName(owner.ID, reponame) | ||||||
| @ -244,6 +248,11 @@ func HTTP(ctx *context.Context) { | |||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 
 | 
 | ||||||
|  | 		if !authUser.IsActive || authUser.ProhibitLogin { | ||||||
|  | 			ctx.HandleText(http.StatusForbidden, "Your account is disabled.") | ||||||
|  | 			return | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
| 		if repoExist { | 		if repoExist { | ||||||
| 			perm, err := models.GetUserRepoPermission(repo, authUser) | 			perm, err := models.GetUserRepoPermission(repo, authUser) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
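Review bot: The `!owner.IsActive` check added right after the owner lookup runs before any authentication or repository-permission check, so an anonymous or unauthorized client requesting a private repository of a deactivated owner now receives 403 "Repository cannot be accessed…" where the permission path would presumably answer not-found — the status code alone reveals that the account exists and is deactivated. Consider moving the owner check after `perm, err := models.GetUserRepoPermission(repo, authUser)` (or answering with the same not-found response the permission path uses), so callers without access cannot distinguish a deactivated owner from a missing repository; the same ordering concern applies to the private serv route. The message also mentions opening issues/pull-requests on a git-over-HTTP endpoint and does not match the "you could retry it later" wording used for the identical check in the serv route; a single shared string would keep the two consistent. HTTP begins and ends outside this section.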
|  | |||||||