finn/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix package access for admins and inactive users (#21580)

Browse source 
I noticed an admin is not allowed to upload packages for other users
because `ctx.IsSigned` was not set.
I added a check for `user.IsActive` and `user.ProhibitLogin` too because
both was not checked. Tests enforce this now.

Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
KN4CK3R 2022-10-24 21:23:25 +02:00 committed by GitHub
parent 49a4464160
commit 7c11a73833
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 34 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
routers/api/packages/api.go
View file

@ -58,6 +58,7 @@ func Routes(ctx gocontext.Context) *web.Route {
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
ctx.IsSigned = ctx.Doer != nil
})
r.Group("/{username}", func() {
@ -316,6 +317,7 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
ctx.IsSigned = ctx.Doer != nil
})
r.Get("", container.ReqContainerAccess, container.DetermineSupport)