Support clone private repository in runner

2025-07-21 04:45:02 +02:00 · 2022-11-14 14:11:47 +08:00 · 2022-11-14 14:11:47 +08:00 · f55253e81d
commit f55253e81d
parent d8b401ab06
2 changed files with 26 additions and 10 deletions
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@ -20,6 +20,7 @@ import (
 	"time"

 	"code.gitea.io/gitea/models/auth"
+	bots_model "code.gitea.io/gitea/models/bots"
 	"code.gitea.io/gitea/models/perm"
 	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
@ -164,7 +165,7 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			return
 		}

-		if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true {
+		if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true && ctx.Data["IsBotToken"] != true {
 			_, err = auth.GetTwoFactorByUID(ctx.Doer.ID)
 			if err == nil {
 				// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
@ -182,20 +183,32 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 		}

 		if repoExist {
-			p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
-			if err != nil {
-				ctx.ServerError("GetUserRepoPermission", err)
-				return
-			}
-
 			// Because of special ref "refs/for" .. , need delay write permission check
 			if git.SupportProcReceive {
 				accessMode = perm.AccessModeRead
 			}

-			if !p.CanAccess(accessMode, unitType) {
-				ctx.PlainText(http.StatusForbidden, "User permission denied")
-				return
+			if ctx.Data["IsBotToken"] == true {
+				taskID := ctx.Data["BotTaskID"].(int64)
+				task, err := bots_model.GetTaskByID(ctx, taskID)
+				if err != nil {
+					ctx.ServerError("GetTaskByID", err)
+					return
+				}
+				if task.RepoID != repo.ID {
+					ctx.PlainText(http.StatusForbidden, "User permission denied")
+					return
+				}
+			} else {
+				p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
+				if err != nil {
+					ctx.ServerError("GetUserRepoPermission", err)
+					return
+				}
+				if !p.CanAccess(accessMode, unitType) {
+					ctx.PlainText(http.StatusForbidden, "User permission denied")
+					return
+				}
 			}

 			if !isPull && repo.IsMirror {
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@ -114,6 +114,9 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	if err == nil && task != nil && task.Status.IsRunning() {
 		log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)

+		store.GetData()["IsBotToken"] = true
+		store.GetData()["BotTaskID"] = task.ID
+
 		return bots_model.NewBotUser()
 	} else {
 		log.Error("GetRunnerByToken: %v", err)