Fix permission check on http push

2025-04-08 17:05:45 +02:00 · 2022-12-12 14:52:00 +08:00 · 2022-12-12 14:52:00 +08:00 · 705fbb46d5
commit 705fbb46d5
parent 59c3707da2
5 changed files with 15 additions and 9 deletions
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -185,6 +185,7 @@ Gitea or set your environment appropriately.`, "")
 	userID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
+	actionPerm, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionPerm), 10, 64)

 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@ -194,6 +195,7 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
+		ActionPerm:                      int(actionPerm),
 	}

 	scanner := bufio.NewScanner(os.Stdin)
--- a/modules/private/hook.go
+++ b/modules/private/hook.go
@ -57,6 +57,7 @@ type HookOptions struct {
 	PullRequestID                   int64
 	DeployKeyID                     int64 // if the pusher is a DeployKey, then UserID is the repo's org user.
 	IsWiki                          bool
+	ActionPerm                      int
 }

 // SSHLogOption ssh log options
--- a/modules/repository/env.go
+++ b/modules/repository/env.go
@ -27,6 +27,7 @@ const (
 	EnvPRID         = "GITEA_PR_ID"
 	EnvIsInternal   = "GITEA_INTERNAL_PUSH"
 	EnvAppURL       = "GITEA_ROOT_URL"
+	EnvActionPerm   = "GITEA_ACTION_PERM"
 )

 // InternalPushingEnvironment returns an os environment to switch off hooks on push
--- a/routers/private/hook_pre_receive.go
+++ b/routers/private/hook_pre_receive.go
@ -466,7 +466,7 @@ func (ctx *preReceiveContext) loadPusherAndPermission() bool {

 	if ctx.opts.UserID == user_model.ActionsUserID {
 		ctx.user = user_model.NewActionsUser()
-		ctx.userPerm.AccessMode = perm_model.AccessModeAdmin
+		ctx.userPerm.AccessMode = perm_model.AccessMode(ctx.opts.ActionPerm)
 		if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
 			log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
 			ctx.JSON(http.StatusInternalServerError, private.Response{
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@ -181,6 +181,14 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			return
 		}

+		environ = []string{
+			repo_module.EnvRepoUsername + "=" + username,
+			repo_module.EnvRepoName + "=" + reponame,
+			repo_module.EnvPusherName + "=" + ctx.Doer.Name,
+			repo_module.EnvPusherID + fmt.Sprintf("=%d", ctx.Doer.ID),
+			repo_module.EnvAppURL + "=" + setting.AppURL,
+		}
+
 		if repoExist {
 			// Because of special ref "refs/for" .. , need delay write permission check
 			if git.SupportProcReceive {
@ -204,11 +212,13 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return
 					}
+					environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, perm.AccessModeRead))
 				} else {
 					if accessMode > perm.AccessModeWrite {
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return
 					}
+					environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, perm.AccessModeWrite))
 				}
 			} else {
 				p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
@ -229,14 +239,6 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			}
 		}

-		environ = []string{
-			repo_module.EnvRepoUsername + "=" + username,
-			repo_module.EnvRepoName + "=" + reponame,
-			repo_module.EnvPusherName + "=" + ctx.Doer.Name,
-			repo_module.EnvPusherID + fmt.Sprintf("=%d", ctx.Doer.ID),
-			repo_module.EnvAppURL + "=" + setting.AppURL,
-		}
-
 		if !ctx.Doer.KeepEmailPrivate {
 			environ = append(environ, repo_module.EnvPusherEmail+"="+ctx.Doer.Email)
 		}