Skip to content

Commit

Permalink
Fix missing authorization check on pull for public repos of private/l…
Browse files Browse the repository at this point in the history
…imited org (go-gitea#11656) (go-gitea#11683)

Fixes go-gitea#11651

(cherry picked from commit 02fa329)
  • Loading branch information
CirnoT authored May 29, 2020
1 parent 801f4b9 commit 95af609
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions routers/repo/http.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/process"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil"
repo_service "code.gitea.io/gitea/services/repository"
)
Expand Down Expand Up @@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
environ []string
)

// don't allow anonymous pulls if organization is not public
if isPublicPull {
if err := repo.GetOwner(); err != nil {
ctx.ServerError("GetOwner", err)
return
}

askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
}

// check access
if askAuth {
authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
Expand Down

0 comments on commit 95af609

Please sign in to comment.