davrot/forgejo_backup
1
0
Fork 0
mirror of https://codeberg.org/davrot/forgejo.git synced 2025-06-05 18:00:02 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fix bug when a token is given public only

Browse source 
Port of https://github.com/go-gitea/gitea/pull/32204

(cherry picked from commit d6d3c96e6555fc91b3e2ef21f4d8d7475564bb3e)

Conflicts:
  routers/api/v1/api.go
	services/context/api.go
  trivial context conflicts
(cherry picked from commit a052d2b602)

Conflicts:
	routers/api/v1/user/user.go
  trivial context conflict (search by email is not in v9.0)
This commit is contained in:
Lunny Xiao 2024-10-08 17:51:09 +08:00 committed by Earl Warren
parent 0496e72d15
commit ea5a8c7809
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
11 changed files with 174 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

14
routers/api/packages/api.go
View file

@ -65,6 +65,20 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
ctx.Error(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
return
}
// check if scope only applies to public resources
publicOnly, err := scope.PublicOnly()
if err != nil {
ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
return
}
if publicOnly {
if ctx.Package != nil && ctx.Package.Owner.Visibility.IsPrivate() {
ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public packages")
return
}
}
}
}