	Fix auth check bug (#24382)
Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324 `getAuthenticatedMeta` has already checked them, so this code is duplicated. And the first invocation has a wrong permission check: `DownloadHandle` should require read permission, not write.
This commit is contained in:
		
							parent
							
								
									5141bbd9ba
								
							
						
					
					
						commit
						ecf1f2d3f6
					
				| @ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) { | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	repository := getAuthenticatedRepository(ctx, rc, true) | ||||
| 	if repository == nil { | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	// Support resume download using Range header | ||||
| 	var fromByte, toByte int64 | ||||
| 	toByte = meta.Size - 1 | ||||
| @ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) { | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	repository := getAuthenticatedRepository(ctx, rc, true) | ||||
| 	if repository == nil { | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	contentStore := lfs_module.NewContentStore() | ||||
| 	ok, err := contentStore.Verify(meta.Pointer) | ||||
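Review bot: After this hunk the only authorization applied in VerifyHandler is whatever getAuthenticatedMeta enforced when it produced `meta`, and that call sits outside the hunk; since Verify is reached after an upload it presumably needs write access, so confirm the call passes its require-write argument as true (the description says the DownloadHandler case, removed the same way in the hunk above, should require only read). A comment at the point of removal would make the dependency explicit, e.g. `// repository access was already checked by getAuthenticatedMeta; do not re-check here`. VerifyHandler begins and ends outside the hunk, as does DownloadHandler in the earlier hunk.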
| 
 | ||||
|  | ||||
| @ -11,6 +11,7 @@ import ( | ||||
| 	"net/http/httptest" | ||||
| 	"testing" | ||||
| 
 | ||||
| 	"code.gitea.io/gitea/models/auth" | ||||
| 	"code.gitea.io/gitea/models/db" | ||||
| 	git_model "code.gitea.io/gitea/models/git" | ||||
| 	repo_model "code.gitea.io/gitea/models/repo" | ||||
| @ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string | ||||
| 	return pointer.Oid | ||||
| } | ||||
| 
 | ||||
| func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { | ||||
| 	repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") | ||||
| 	assert.NoError(t, err) | ||||
| 	oid := storeObjectInRepo(t, repo.ID, content) | ||||
| 	defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid) | ||||
| 
 | ||||
| 	token := getUserToken(t, "user2", ts) | ||||
| 
 | ||||
| 	// Request OID | ||||
| 	req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test") | ||||
| 	req.Header.Set("Accept-Encoding", "gzip") | ||||
| 	req.SetBasicAuth("user2", token) | ||||
| 	if extraHeader != nil { | ||||
| 		for key, values := range *extraHeader { | ||||
| 			for _, value := range values { | ||||
| 				req.Header.Add(key, value) | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	resp := MakeRequest(t, req, expectedStatus) | ||||
| 
 | ||||
| 	return resp | ||||
| } | ||||
| 
 | ||||
| func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { | ||||
| 	repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") | ||||
| 	assert.NoError(t, err) | ||||
| @ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) { | ||||
| 	checkResponseTestContentEncoding(t, &content, resp, false) | ||||
| } | ||||
| 
 | ||||
| func TestGetLFSSmallToken(t *testing.T) { | ||||
| 	defer tests.PrepareTestEnv(t)() | ||||
| 	content := []byte("A very small file\n") | ||||
| 
 | ||||
| 	resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK) | ||||
| 	checkResponseTestContentEncoding(t, &content, resp, false) | ||||
| } | ||||
| 
 | ||||
| func TestGetLFSSmallTokenFail(t *testing.T) { | ||||
| 	defer tests.PrepareTestEnv(t)() | ||||
| 	content := []byte("A very small file\n") | ||||
| 
 | ||||
| 	storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden) | ||||
| } | ||||
| 
 | ||||
| func TestGetLFSLarge(t *testing.T) { | ||||
| 	defer tests.PrepareTestEnv(t)() | ||||
| 	content := make([]byte, web.GzipMinSize*10) | ||||
|  | ||||
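Review bot: The added tests exercise only the download path — TestGetLFSSmallToken with a public-repo scope and TestGetLFSSmallTokenFail with a notification scope — while the same commit also removes the repository check from VerifyHandler, which gets no scope test; a case hitting the verify endpoint with a read-only scope and asserting the status the server returns for insufficient scope would pin that path. In storeAndGetLfsToken the deferred `git_model.RemoveLFSMetaObjectByOid` call discards any error it returns, which is acceptable for cleanup but worth a note such as `// best-effort cleanup; error ignored`. The helper otherwise duplicates storeAndGetLfs apart from the credential, and the trailing `resp := MakeRequest(t, req, expectedStatus)` / `return resp` can be `return MakeRequest(t, req, expectedStatus)`.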