Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)

Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assume that if the
user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
tags/v1.15.5
6543 4 years ago committed by GitHub
parent
commit
79f0b1a50b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7
routers/private/serv.go

@ -278,7 +278,12 @@ func ServCommand(ctx *context.PrivateContext) {
} }
// Permissions checking: // Permissions checking:
if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) { if repoExist &&
(mode > models.AccessModeRead ||
repo.IsPrivate ||
owner.Visibility.IsPrivate() ||
user.IsRestricted ||
setting.Service.RequireSignInView) {
if key.Type == models.KeyTypeDeploy { if key.Type == models.KeyTypeDeploy {
if deployKey.Mode < mode { if deployKey.Mode < mode {
ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{ ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
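
Review bot: `user.IsRestricted` in the new condition is read above the `if key.Type == models.KeyTypeDeploy {` branch, so it is also evaluated on the deploy-key path whenever the three terms before it are false (read access to a non-private repository whose owner is not private). The assignment of `user` is outside this hunk; if it is a pointer that is only populated for non-deploy keys, that case dereferences nil here. Guarding the term as `(user != nil && user.IsRestricted) ||`, with a short comment saying when `user` is unset, would make the condition safe on both key types. A test that reads a public repository over SSH with a deploy key would cover this path, alongside tests for the private-owner and restricted-user cases the commit message describes.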
