

Check IsActionsToken for LFS authentication (#23841) (#23875)
Backport #23841 by @Zettat123

Close #23824 

Actions cannot fetch LFS objects from private repos because we don't
check if the user is the `ActionUser`.

Co-authored-by: Zettat123 <zettat123@gmail.com>
GiteaBot and Zettat123 authored Apr 2, 2023
1 parent 026167f commit fe7caa0
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion services/lfs/server.go
@@ -18,6 +18,7 @@ import (
"strconv"
"strings"

actions_model "code.gitea.io/gitea/models/actions"
git_model "code.gitea.io/gitea/models/git"
"code.gitea.io/gitea/models/perm"
access_model "code.gitea.io/gitea/models/perm/access"
@@ -495,10 +496,27 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
accessMode = perm.AccessModeWrite
}

if ctx.Data["IsActionsToken"] == true {
taskID := ctx.Data["ActionsTaskID"].(int64)
task, err := actions_model.GetTaskByID(ctx, taskID)
if err != nil {
log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err)
return false
}
if task.RepoID != repository.ID {
return false
}

if task.IsForkPullRequest {
return accessMode <= perm.AccessModeRead
}
return accessMode <= perm.AccessModeWrite
}

// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
if err != nil {
log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository)
log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
return false
}

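Review bot: The single-value type assertion `taskID := ctx.Data["ActionsTaskID"].(int64)` on the first line inside the new IsActionsToken branch panics if the key is absent or holds a different type, turning an inconsistent request context into a crash inside the authentication path rather than a denied request. Authentication code should fail closed here: `taskID, ok := ctx.Data["ActionsTaskID"].(int64)` followed by `if !ok { return false }` keeps the same behaviour for well-formed contexts and rejects everything else. Presumably the middleware that sets IsActionsToken always populates ActionsTaskID, but this handler cannot verify that from here, so the guard is cheap insurance. A short comment on the fork-PR branch, such as `// tasks triggered by fork pull requests get read-only LFS access`, would also record why that case is treated differently from the write path below it. The body of authenticate continues outside the hunk on both sides.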
