
Commit 717d0f5

authored
Do some missing checks (#28423)
1 parent 4e879fe commit 717d0f5


3 files changed

+62
-3
lines changed


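--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -790,6 +790,24 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC
 }
 }
 
+func individualPermsChecker(ctx *context.APIContext) {
+// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.
+if ctx.ContextUser.IsIndividual() {
+switch {
+case ctx.ContextUser.Visibility == api.VisibleTypePrivate:
+if ctx.Doer == nil || (ctx.ContextUser.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin) {
+ctx.NotFound("Visit Project", nil)
+return
+}
+case ctx.ContextUser.Visibility == api.VisibleTypeLimited:
+if ctx.Doer == nil {
+ctx.NotFound("Visit Project", nil)
+return
+}
+}
+}
+}
+
 // check for and warn against deprecated authentication options
 func checkDeprecatedAuthMethods(ctx *context.APIContext) {
 if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
@@ -899,7 +917,7 @@ func Routes() *web.Route {
 }, reqSelfOrAdmin(), reqBasicOrRevProxyAuth())
 
 m.Get("/activities/feeds", user.ListUserActivityFeeds)
-}, context_service.UserAssignmentAPI())
+}, context_service.UserAssignmentAPI(), individualPermsChecker)
 }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser))
 
 // Users (requires user scope)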
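Review bot: The `"Visit Project"` title passed to ctx.NotFound in the new individualPermsChecker is copied from the web router, but in this file the checker is mounted on the `/users/{username}` API group (second hunk, activities feed), so the message names a page that does not exist on this path; a neutral title such as `ctx.NotFound("individualPermsChecker", nil)` keeps logs accurate. The same visibility switch appears verbatim in routers/web/web.go in this commit, so a single helper taking the context user and the doer would keep the two rules from drifting apart. Neither copy treats a restricted signed-in doer differently from a normal one; if the project's general user-visibility rules do, this check is looser than they are, which is worth confirming against the existing visibility helper rather than re-deriving the rules here. The function also has no doc comment; suggest `// individualPermsChecker hides limited and private individual users from anonymous or unrelated viewers; org visibility is already enforced by context.OrgAssignment().`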

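--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -796,6 +796,24 @@ func registerRoutes(m *web.Route) {
 }
 }
 
+individualPermsChecker := func(ctx *context.Context) {
+// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.
+if ctx.ContextUser.IsIndividual() {
+switch {
+case ctx.ContextUser.Visibility == structs.VisibleTypePrivate:
+if ctx.Doer == nil || (ctx.ContextUser.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin) {
+ctx.NotFound("Visit Project", nil)
+return
+}
+case ctx.ContextUser.Visibility == structs.VisibleTypeLimited:
+if ctx.Doer == nil {
+ctx.NotFound("Visit Project", nil)
+return
+}
+}
+}
+}
+
 // ***** START: Organization *****
 m.Group("/org", func() {
 m.Group("/{org}", func() {
@@ -976,11 +994,11 @@ func registerRoutes(m *web.Route) {
 return
 }
 })
-})
+}, reqUnitAccess(unit.TypeProjects, perm.AccessModeRead, true), individualPermsChecker)
 
 m.Group("", func() {
 m.Get("/code", user.CodeSearch)
-}, reqUnitAccess(unit.TypeCode, perm.AccessModeRead, false))
+}, reqUnitAccess(unit.TypeCode, perm.AccessModeRead, false), individualPermsChecker)
 }, ignSignIn, context_service.UserAssignmentWeb(), context.OrgAssignment()) // for "/{username}/-" (packages, projects, code)
 
 m.Group("/{username}/{reponame}", func() {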
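Review bot: The new closure at the top of the first hunk switches on boolean cases (`switch { case ctx.ContextUser.Visibility == ... }`) where a value switch reads more directly and cannot accidentally compare two different fields: `switch ctx.ContextUser.Visibility {` / `case structs.VisibleTypePrivate:` / `case structs.VisibleTypeLimited:`. The closure is also a byte-for-byte copy of the function this commit adds to routers/api/v1/api.go, so the two visibility rules can drift silently; one shared implementation would be safer. In the second hunk the checker is attached to the projects and code groups, but the group's closing-line comment also names packages and no packages subgroup is visible here; if one exists outside this hunk, confirm it gets the same check, otherwise a private user's package list may stay reachable under `/{username}/-/packages`. Both the enclosing registerRoutes function and the `/{username}/-` group extend outside the hunk.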

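--- /dev/null
+++ b/tests/integration/project_test.go
@@ -0,0 +1,23 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+"net/http"
+"testing"
+
+"code.gitea.io/gitea/tests"
+)
+
+func TestPrivateRepoProject(t *testing.T) {
+defer tests.PrepareTestEnv(t)()
+
+// not logged in user
+req := NewRequest(t, "GET", "/user31/-/projects")
+MakeRequest(t, req, http.StatusNotFound)
+
+sess := loginUser(t, "user1")
+req = NewRequest(t, "GET", "/user31/-/projects")
+sess.MakeRequest(t, req, http.StatusOK)
+}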
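Review bot: TestPrivateRepoProject exercises only the anonymous case and one logged-in user on `/user31/-/projects`, so it never pins the branch the new checker is mostly about: a signed-in, non-admin user unrelated to user31 must still get 404 on a private profile, and a limited-visibility profile should be 404 anonymously but 200 when signed in. The `/{username}/-/code` route and the API route `/api/v1/users/{username}/activities/feeds` received the same checker in this commit and have no coverage here. The name is misleading as well, since no repository is involved; `TestPrivateUserProjectVisibility` would match what is asserted. The test presumes user31 is a private individual account and that user1 is allowed to see it (admin or self), which comes from fixtures not shown here, so a comment stating the assumed fixture state would help, e.g. `// user31 is a private individual account; user1 is assumed to be an admin`.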
