Skip to content

Commit

Permalink
Fix auth check bug (go-gitea#24382)
Browse files Browse the repository at this point in the history
Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324

`getAuthenticatedMeta` has checked them, these code are duplicated one.
And the first invokation has a wrong permission check. `DownloadHandle`
should require read permission but not write.
  • Loading branch information
lunny authored and GiteaBot committed Apr 27, 2023
1 parent e301e26 commit 98e570b
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 10 deletions.
10 changes: 0 additions & 10 deletions services/lfs/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) {
return
}

repository := getAuthenticatedRepository(ctx, rc, true)
if repository == nil {
return
}

// Support resume download using Range header
var fromByte, toByte int64
toByte = meta.Size - 1
Expand Down Expand Up @@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) {
return
}

repository := getAuthenticatedRepository(ctx, rc, true)
if repository == nil {
return
}

contentStore := lfs_module.NewContentStore()
ok, err := contentStore.Verify(meta.Pointer)

Expand Down
41 changes: 41 additions & 0 deletions tests/integration/lfs_getobject_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"net/http/httptest"
"testing"

"code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
git_model "code.gitea.io/gitea/models/git"
repo_model "code.gitea.io/gitea/models/repo"
Expand Down Expand Up @@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
return pointer.Oid
}

func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
assert.NoError(t, err)
oid := storeObjectInRepo(t, repo.ID, content)
defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)

token := getUserToken(t, "user2", ts)

// Request OID
req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
req.Header.Set("Accept-Encoding", "gzip")
req.SetBasicAuth("user2", token)
if extraHeader != nil {
for key, values := range *extraHeader {
for _, value := range values {
req.Header.Add(key, value)
}
}
}

resp := MakeRequest(t, req, expectedStatus)

return resp
}

func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
assert.NoError(t, err)
Expand Down Expand Up @@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) {
checkResponseTestContentEncoding(t, &content, resp, false)
}

func TestGetLFSSmallToken(t *testing.T) {
defer tests.PrepareTestEnv(t)()
content := []byte("A very small file\n")

resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
checkResponseTestContentEncoding(t, &content, resp, false)
}

func TestGetLFSSmallTokenFail(t *testing.T) {
defer tests.PrepareTestEnv(t)()
content := []byte("A very small file\n")

storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
}

func TestGetLFSLarge(t *testing.T) {
defer tests.PrepareTestEnv(t)()
content := make([]byte, web.GzipMinSize*10)
Expand Down

0 comments on commit 98e570b

Please sign in to comment.