Fix package access for admins and inactive users (#21580) (#21592)

Backport of #21580

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
tokarchuk/v1.17
KN4CK3R 2 years ago committed by GitHub
parent b0a057f1c0
commit 5bc3fbd511
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      integrations/api_packages_container_test.go
  2. 22
      integrations/api_packages_test.go
  3. 9
      modules/context/package.go
  4. 2
      routers/api/packages/api.go

@ -433,6 +433,10 @@ func TestPackageContainer(t *testing.T) {
assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length")) assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest")) assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
addTokenAuthHeader(req, anonymousToken)
MakeRequest(t, req, http.StatusOK)
}) })
t.Run("GetBlob", func(t *testing.T) { t.Run("GetBlob", func(t *testing.T) {

@ -24,6 +24,7 @@ import (
func TestPackageAPI(t *testing.T) { func TestPackageAPI(t *testing.T) {
defer prepareTestEnv(t)() defer prepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}).(*user_model.User) user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}).(*user_model.User)
session := loginUser(t, user.Name) session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session)
@ -143,6 +144,27 @@ func TestPackageAPI(t *testing.T) {
}) })
} }
func TestPackageAccess(t *testing.T) {
defer prepareTestEnv(t)()
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}).(*user_model.User)
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User)
inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9}).(*user_model.User)
uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
AddBasicAuthHeader(req, doer.Name)
MakeRequest(t, req, expectedStatus)
}
uploadPackage(user, inactive, http.StatusUnauthorized)
uploadPackage(inactive, inactive, http.StatusUnauthorized)
uploadPackage(inactive, user, http.StatusUnauthorized)
uploadPackage(admin, inactive, http.StatusCreated)
uploadPackage(admin, user, http.StatusCreated)
}
func TestPackageCleanup(t *testing.T) { func TestPackageCleanup(t *testing.T) {
defer prepareTestEnv(t)() defer prepareTestEnv(t)()

@ -83,12 +83,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
} }
func determineAccessMode(ctx *Context) (perm.AccessMode, error) { func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
accessMode := perm.AccessModeNone
if setting.Service.RequireSignInView && ctx.Doer == nil { if setting.Service.RequireSignInView && ctx.Doer == nil {
return accessMode, nil return perm.AccessModeNone, nil
} }
if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
return perm.AccessModeNone, nil
}
accessMode := perm.AccessModeNone
if ctx.Package.Owner.IsOrganization() { if ctx.Package.Owner.IsOrganization() {
org := organization.OrgFromUser(ctx.Package.Owner) org := organization.OrgFromUser(ctx.Package.Owner)

@ -55,6 +55,7 @@ func Routes() *web.Route {
authGroup := auth.NewGroup(authMethods...) authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) { r.Use(func(ctx *context.Context) {
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
ctx.IsSigned = ctx.Doer != nil
}) })
r.Group("/{username}", func() { r.Group("/{username}", func() {
@ -256,6 +257,7 @@ func ContainerRoutes() *web.Route {
authGroup := auth.NewGroup(authMethods...) authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) { r.Use(func(ctx *context.Context) {
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
ctx.IsSigned = ctx.Doer != nil
}) })
r.Get("", container.ReqContainerAccess, container.DetermineSupport) r.Get("", container.ReqContainerAccess, container.DetermineSupport)

Loading…
Cancel
Save