Respect `REQUIRE_SIGNIN_VIEW` for packages (#20873)

Fix #20863

When REQUIRE_SIGNIN_VIEW = true, even public repositories can only be seen after you log in. Packages should not be accessible without logging in either.

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
tokarchuk/v1.18
KN4CK3R 2 years ago committed by GitHub
parent d9bc6881ef
commit 0a9a86b943
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 82
      modules/context/package.go
  2. 13
      tests/integration/api_packages_generic_test.go

@ -14,6 +14,7 @@ import (
"code.gitea.io/gitea/models/perm" "code.gitea.io/gitea/models/perm"
"code.gitea.io/gitea/models/unit" "code.gitea.io/gitea/models/unit"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/templates" "code.gitea.io/gitea/modules/templates"
) )
@ -54,69 +55,84 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
Owner: ctx.ContextUser, Owner: ctx.ContextUser,
} }
var err error
ctx.Package.AccessMode, err = determineAccessMode(ctx)
if err != nil {
errCb(http.StatusInternalServerError, "determineAccessMode", err)
return
}
packageType := ctx.Params("type")
name := ctx.Params("name")
version := ctx.Params("version")
if packageType != "" && name != "" && version != "" {
pv, err := packages_model.GetVersionByNameAndVersion(ctx, ctx.Package.Owner.ID, packages_model.Type(packageType), name, version)
if err != nil {
if err == packages_model.ErrPackageNotExist {
errCb(http.StatusNotFound, "GetVersionByNameAndVersion", err)
} else {
errCb(http.StatusInternalServerError, "GetVersionByNameAndVersion", err)
}
return
}
ctx.Package.Descriptor, err = packages_model.GetPackageDescriptor(ctx, pv)
if err != nil {
errCb(http.StatusInternalServerError, "GetPackageDescriptor", err)
return
}
}
}
func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
accessMode := perm.AccessModeNone
if setting.Service.RequireSignInView && ctx.Doer == nil {
return accessMode, nil
}
if ctx.Package.Owner.IsOrganization() { if ctx.Package.Owner.IsOrganization() {
org := organization.OrgFromUser(ctx.Package.Owner) org := organization.OrgFromUser(ctx.Package.Owner)
// 1. Get user max authorize level for the org (may be none, if user is not member of the org) // 1. Get user max authorize level for the org (may be none, if user is not member of the org)
if ctx.Doer != nil { if ctx.Doer != nil {
var err error var err error
ctx.Package.AccessMode, err = org.GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID) accessMode, err = org.GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
if err != nil { if err != nil {
errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err) return accessMode, err
return
} }
// If access mode is less than write check every team for more permissions // If access mode is less than write check every team for more permissions
if ctx.Package.AccessMode < perm.AccessModeWrite { if accessMode < perm.AccessModeWrite {
teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID) teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID)
if err != nil { if err != nil {
errCb(http.StatusInternalServerError, "GetUserOrgTeams", err) return accessMode, err
return
} }
for _, t := range teams { for _, t := range teams {
perm := t.UnitAccessModeCtx(ctx, unit.TypePackages) perm := t.UnitAccessModeCtx(ctx, unit.TypePackages)
if ctx.Package.AccessMode < perm { if accessMode < perm {
ctx.Package.AccessMode = perm accessMode = perm
} }
} }
} }
} }
// 2. If authorize level is none, check if org is visible to user // 2. If authorize level is none, check if org is visible to user
if ctx.Package.AccessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) { if accessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
ctx.Package.AccessMode = perm.AccessModeRead accessMode = perm.AccessModeRead
} }
} else { } else {
if ctx.Doer != nil && !ctx.Doer.IsGhost() { if ctx.Doer != nil && !ctx.Doer.IsGhost() {
// 1. Check if user is package owner // 1. Check if user is package owner
if ctx.Doer.ID == ctx.Package.Owner.ID { if ctx.Doer.ID == ctx.Package.Owner.ID {
ctx.Package.AccessMode = perm.AccessModeOwner accessMode = perm.AccessModeOwner
} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic || ctx.Package.Owner.Visibility == structs.VisibleTypeLimited { // 2. Check if package owner is public or limited } else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic || ctx.Package.Owner.Visibility == structs.VisibleTypeLimited { // 2. Check if package owner is public or limited
ctx.Package.AccessMode = perm.AccessModeRead accessMode = perm.AccessModeRead
} }
} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic { // 3. Check if package owner is public } else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic { // 3. Check if package owner is public
ctx.Package.AccessMode = perm.AccessModeRead accessMode = perm.AccessModeRead
}
}
packageType := ctx.Params("type")
name := ctx.Params("name")
version := ctx.Params("version")
if packageType != "" && name != "" && version != "" {
pv, err := packages_model.GetVersionByNameAndVersion(ctx, ctx.Package.Owner.ID, packages_model.Type(packageType), name, version)
if err != nil {
if err == packages_model.ErrPackageNotExist {
errCb(http.StatusNotFound, "GetVersionByNameAndVersion", err)
} else {
errCb(http.StatusInternalServerError, "GetVersionByNameAndVersion", err)
} }
return
} }
ctx.Package.Descriptor, err = packages_model.GetPackageDescriptor(ctx, pv) return accessMode, nil
if err != nil {
errCb(http.StatusInternalServerError, "GetPackageDescriptor", err)
return
}
}
} }
// PackageContexter initializes a package context for a request. // PackageContexter initializes a package context for a request.
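Review bot: The new guard at the top of `determineAccessMode` treats only `ctx.Doer == nil` as signed out, while the individual-owner branch further down still checks `ctx.Doer.IsGhost()` separately. If a ghost doer can reach this function, it passes the guard and, with `RequireSignInView` enabled, still falls through to the `VisibleTypePublic` case and is given `AccessModeRead`. Consider `if setting.Service.RequireSignInView && (ctx.Doer == nil || ctx.Doer.IsGhost()) {` so that every unauthenticated caller ends up with `AccessModeNone`. The function also has no doc comment; something like `// determineAccessMode returns the doer's access mode for the owner's packages, or AccessModeNone when sign-in is required and nobody is signed in.` would record the rule next to the code that enforces it.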

@ -14,6 +14,7 @@ import (
"code.gitea.io/gitea/models/packages" "code.gitea.io/gitea/models/packages"
"code.gitea.io/gitea/models/unittest" "code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/tests" "code.gitea.io/gitea/tests"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -126,6 +127,18 @@ func TestPackageGeneric(t *testing.T) {
req := NewRequest(t, "GET", url+"/not.found") req := NewRequest(t, "GET", url+"/not.found")
MakeRequest(t, req, http.StatusNotFound) MakeRequest(t, req, http.StatusNotFound)
}) })
t.Run("RequireSignInView", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
setting.Service.RequireSignInView = true
defer func() {
setting.Service.RequireSignInView = false
}()
req = NewRequest(t, "GET", url+"/dummy.bin")
MakeRequest(t, req, http.StatusUnauthorized)
})
}) })
t.Run("Delete", func(t *testing.T) { t.Run("Delete", func(t *testing.T) {
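Review bot: The `RequireSignInView` subtest restores the global with a hard-coded `false` instead of the value it had before. A run configured with the setting enabled would have it silently switched off for every later test; capture it first with `old := setting.Service.RequireSignInView` and assign `old` back in the deferred func. The subtest also asserts only the anonymous `http.StatusUnauthorized` case. A second, authenticated request for the same file expecting `http.StatusOK` while the setting is on would show that the new guard denies only signed-out callers. `TestPackageGeneric` starts and ends outside this hunk.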
