Skip to content

Commit

Permalink
Fix package access for admins and inactive users (#21580)
Browse files Browse the repository at this point in the history 
I noticed an admin is not allowed to upload packages for other users
because `ctx.IsSigned` was not set.
I added a check for `user.IsActive` and `user.ProhibitLogin` too because
both was not checked. Tests enforce this now.

Co-authored-by: Lauris BH <lauris@nix.lv>
  • Loading branch information
@KN4CK3R @lafriks
KN4CK3R and lafriks authored Oct 24, 2022
1 parent 49a4464 commit 7c11a73
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 3 deletions.
9 changes: 6 additions & 3 deletions modules/context/package.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,12 +85,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
}

func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
accessMode := perm.AccessModeNone

if setting.Service.RequireSignInView && ctx.Doer == nil {
return accessMode, nil
return perm.AccessModeNone, nil
}

if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
return perm.AccessModeNone, nil
}

accessMode := perm.AccessModeNone
if ctx.Package.Owner.IsOrganization() {
org := organization.OrgFromUser(ctx.Package.Owner)

Expand Down
2 changes: 2 additions & 0 deletions routers/api/packages/api.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ func Routes(ctx gocontext.Context) *web.Route {
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
ctx.IsSigned = ctx.Doer != nil
})

r.Group("/{username}", func() {
Expand Down Expand Up @@ -316,6 +317,7 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
ctx.IsSigned = ctx.Doer != nil
})

r.Get("", container.ReqContainerAccess, container.DetermineSupport)
Expand Down
4 changes: 4 additions & 0 deletions tests/integration/api_packages_container_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -471,6 +471,10 @@ func TestPackageContainer(t *testing.T) {

assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))

req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
addTokenAuthHeader(req, anonymousToken)
MakeRequest(t, req, http.StatusOK)
})

t.Run("GetBlob", func(t *testing.T) {
Expand Down
22 changes: 22 additions & 0 deletions tests/integration/api_packages_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (

func TestPackageAPI(t *testing.T) {
defer tests.PrepareTestEnv(t)()

user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
Expand Down Expand Up @@ -144,6 +145,27 @@ func TestPackageAPI(t *testing.T) {
})
}

func TestPackageAccess(t *testing.T) {
defer tests.PrepareTestEnv(t)()

admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})

uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
AddBasicAuthHeader(req, doer.Name)
MakeRequest(t, req, expectedStatus)
}

uploadPackage(user, inactive, http.StatusUnauthorized)
uploadPackage(inactive, inactive, http.StatusUnauthorized)
uploadPackage(inactive, user, http.StatusUnauthorized)
uploadPackage(admin, inactive, http.StatusCreated)
uploadPackage(admin, user, http.StatusCreated)
}

func TestPackageCleanup(t *testing.T) {
defer tests.PrepareTestEnv(t)()

Expand Down

0 comments on commit 7c11a73

Please sign in to comment.