Correctly check http git access rights for reverse proxy authorized users (#3721)

routers/repo/http.go

@@ -184,33 +184,33 @@ func HTTP(ctx *context.Context) {
 					return
 				}
 			}
+		}
 
-			if !isPublicPull {
-				has, err := models.HasAccess(authUser.ID, repo, accessMode)
-				if err != nil {
-					ctx.ServerError("HasAccess", err)
-					return
-				} else if !has {
-					if accessMode == models.AccessModeRead {
-						has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
-						if err != nil {
-							ctx.ServerError("HasAccess2", err)
-							return
-						} else if !has {
-							ctx.HandleText(http.StatusForbidden, "User permission denied")
-							return
-						}
-					} else {
+		if !isPublicPull {
+			has, err := models.HasAccess(authUser.ID, repo, accessMode)
+			if err != nil {
+				ctx.ServerError("HasAccess", err)
+				return
+			} else if !has {
+				if accessMode == models.AccessModeRead {
+					has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
+					if err != nil {
+						ctx.ServerError("HasAccess2", err)
+						return
+					} else if !has {
 						ctx.HandleText(http.StatusForbidden, "User permission denied")
 						return
 					}
-				}
-
-				if !isPull && repo.IsMirror {
-					ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+				} else {
+					ctx.HandleText(http.StatusForbidden, "User permission denied")
 					return
 				}
 			}
+
+			if !isPull && repo.IsMirror {
+				ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+				return
+			}
 		}
 
 		if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {