
Commit 4422cc8

committed
check IsActionsToken
1 parent d5feb10 commit 4422cc8


1 file changed

+36
-16
lines changed


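--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -17,6 +17,7 @@ import (
 "strconv"
 "strings"
 
+actions_model "code.gitea.io/gitea/models/actions"
 git_model "code.gitea.io/gitea/models/git"
 "code.gitea.io/gitea/models/perm"
 access_model "code.gitea.io/gitea/models/perm/access"
@@ -495,25 +496,44 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 accessMode = perm.AccessModeWrite
 }
 
-// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
-perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
-if err != nil {
-log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository)
-return false
-}
+if ctx.Data["IsActionsToken"] == true {
+taskID := ctx.Data["ActionsTaskID"].(int64)
+task, err := actions_model.GetTaskByID(ctx, taskID)
+if err != nil {
+log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err)
+return false
+}
+if task.RepoID != repository.ID {
+return false
+}
 
-canRead := perm.CanAccess(accessMode, unit.TypeCode)
-if canRead && (!requireSigned || ctx.IsSigned) {
-return true
-}
+if task.IsForkPullRequest {
+return accessMode <= perm.AccessModeRead
+} else {
+return accessMode <= perm.AccessModeWrite
+}
+} else {
+// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
+perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
+if err != nil {
+log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
+return false
+}
 
-user, err := parseToken(ctx, authorization, repository, accessMode)
-if err != nil {
-// Most of these are Warn level - the true internal server errors are logged in parseToken already
-log.Warn("Authentication failure for provided token with Error: %v", err)
-return false
+canRead := perm.CanAccess(accessMode, unit.TypeCode)
+if canRead && (!requireSigned || ctx.IsSigned) {
+return true
+}
+
+user, err := parseToken(ctx, authorization, repository, accessMode)
+if err != nil {
+// Most of these are Warn level - the true internal server errors are logged in parseToken already
+log.Warn("Authentication failure for provided token with Error: %v", err)
+return false
+}
+ctx.Doer = user
 }
-ctx.Doer = user
+
 return true
 }
 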
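Review bot: The new Actions-token branch in authenticate reads `ctx.Data["ActionsTaskID"].(int64)` with an unchecked type assertion, so a request where `IsActionsToken` is set but the task ID is absent or stored as another type panics inside the authorization path instead of being denied. Use the comma-ok form and fail closed: `taskID, ok := ctx.Data["ActionsTaskID"].(int64)` followed by `if !ok { return false }`. The branch also decides access from `task.RepoID` and `task.IsForkPullRequest` alone: it does not consult `requireSigned` or the repository's code-unit permission, and nothing in this hunk shows a check that the task is still running, so it is worth confirming that whatever sets `IsActionsToken` accepts only tokens of running tasks. authenticate begins above the hunk, so the earlier handling of `accessMode` is not visible here.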
