nune/gitea
nune/gitea
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Fix bug when a token is given public only (#32204) (#32218)

Browse source 
Backport #32204
This commit is contained in:
Lunny Xiao 2024-10-09 10:16:37 +08:00 committed by GitHub
parent 4815c4aeae
commit 56051d9b3b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 178 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

14
routers/api/packages/api.go
View file

@ -63,6 +63,20 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
ctx.Error(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
return
}
// check if scope only applies to public resources
publicOnly, err := scope.PublicOnly()
if err != nil {
ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
return
}
if publicOnly {
if ctx.Package != nil && ctx.Package.Owner.Visibility.IsPrivate() {
ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public packages")
return
}
}
}
}