mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-25 06:45:43 +03:00
Fix package access for admins and inactive users (#21580)
I noticed an admin is not allowed to upload packages for other users because `ctx.IsSigned` was not set. I added a check for `user.IsActive` and `user.ProhibitLogin` too because both was not checked. Tests enforce this now. Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
parent
49a4464160
commit
7c11a73833
4 changed files with 34 additions and 3 deletions
|
@ -85,12 +85,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
|
func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
|
||||||
accessMode := perm.AccessModeNone
|
|
||||||
|
|
||||||
if setting.Service.RequireSignInView && ctx.Doer == nil {
|
if setting.Service.RequireSignInView && ctx.Doer == nil {
|
||||||
return accessMode, nil
|
return perm.AccessModeNone, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
|
||||||
|
return perm.AccessModeNone, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
accessMode := perm.AccessModeNone
|
||||||
if ctx.Package.Owner.IsOrganization() {
|
if ctx.Package.Owner.IsOrganization() {
|
||||||
org := organization.OrgFromUser(ctx.Package.Owner)
|
org := organization.OrgFromUser(ctx.Package.Owner)
|
||||||
|
|
||||||
|
|
|
@ -58,6 +58,7 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
authGroup := auth.NewGroup(authMethods...)
|
authGroup := auth.NewGroup(authMethods...)
|
||||||
r.Use(func(ctx *context.Context) {
|
r.Use(func(ctx *context.Context) {
|
||||||
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||||
|
ctx.IsSigned = ctx.Doer != nil
|
||||||
})
|
})
|
||||||
|
|
||||||
r.Group("/{username}", func() {
|
r.Group("/{username}", func() {
|
||||||
|
@ -316,6 +317,7 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
|
||||||
authGroup := auth.NewGroup(authMethods...)
|
authGroup := auth.NewGroup(authMethods...)
|
||||||
r.Use(func(ctx *context.Context) {
|
r.Use(func(ctx *context.Context) {
|
||||||
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||||
|
ctx.IsSigned = ctx.Doer != nil
|
||||||
})
|
})
|
||||||
|
|
||||||
r.Get("", container.ReqContainerAccess, container.DetermineSupport)
|
r.Get("", container.ReqContainerAccess, container.DetermineSupport)
|
||||||
|
|
|
@ -471,6 +471,10 @@ func TestPackageContainer(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
|
assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
|
||||||
assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
|
assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
|
||||||
|
|
||||||
|
req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
|
||||||
|
addTokenAuthHeader(req, anonymousToken)
|
||||||
|
MakeRequest(t, req, http.StatusOK)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("GetBlob", func(t *testing.T) {
|
t.Run("GetBlob", func(t *testing.T) {
|
||||||
|
|
|
@ -25,6 +25,7 @@ import (
|
||||||
|
|
||||||
func TestPackageAPI(t *testing.T) {
|
func TestPackageAPI(t *testing.T) {
|
||||||
defer tests.PrepareTestEnv(t)()
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
|
||||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
||||||
session := loginUser(t, user.Name)
|
session := loginUser(t, user.Name)
|
||||||
token := getTokenForLoggedInUser(t, session)
|
token := getTokenForLoggedInUser(t, session)
|
||||||
|
@ -144,6 +145,27 @@ func TestPackageAPI(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestPackageAccess(t *testing.T) {
|
||||||
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
|
||||||
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||||
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
||||||
|
inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
|
||||||
|
|
||||||
|
uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
|
||||||
|
url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
|
||||||
|
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
|
||||||
|
AddBasicAuthHeader(req, doer.Name)
|
||||||
|
MakeRequest(t, req, expectedStatus)
|
||||||
|
}
|
||||||
|
|
||||||
|
uploadPackage(user, inactive, http.StatusUnauthorized)
|
||||||
|
uploadPackage(inactive, inactive, http.StatusUnauthorized)
|
||||||
|
uploadPackage(inactive, user, http.StatusUnauthorized)
|
||||||
|
uploadPackage(admin, inactive, http.StatusCreated)
|
||||||
|
uploadPackage(admin, user, http.StatusCreated)
|
||||||
|
}
|
||||||
|
|
||||||
func TestPackageCleanup(t *testing.T) {
|
func TestPackageCleanup(t *testing.T) {
|
||||||
defer tests.PrepareTestEnv(t)()
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue