Fix auth check bug (#24382)
Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324 `getAuthenticatedMeta` has checked them, these code are duplicated one. And the first invokation has a wrong permission check. `DownloadHandle` should require read permission but not write.
This commit is contained in:
parent
5141bbd9ba
commit
ecf1f2d3f6
|
@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
repository := getAuthenticatedRepository(ctx, rc, true)
|
||||
if repository == nil {
|
||||
return
|
||||
}
|
||||
|
||||
// Support resume download using Range header
|
||||
var fromByte, toByte int64
|
||||
toByte = meta.Size - 1
|
||||
|
@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
repository := getAuthenticatedRepository(ctx, rc, true)
|
||||
if repository == nil {
|
||||
return
|
||||
}
|
||||
|
||||
contentStore := lfs_module.NewContentStore()
|
||||
ok, err := contentStore.Verify(meta.Pointer)
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/models/db"
|
||||
git_model "code.gitea.io/gitea/models/git"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
|
@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
|
|||
return pointer.Oid
|
||||
}
|
||||
|
||||
func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
||||
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
||||
assert.NoError(t, err)
|
||||
oid := storeObjectInRepo(t, repo.ID, content)
|
||||
defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
|
||||
|
||||
token := getUserToken(t, "user2", ts)
|
||||
|
||||
// Request OID
|
||||
req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
|
||||
req.Header.Set("Accept-Encoding", "gzip")
|
||||
req.SetBasicAuth("user2", token)
|
||||
if extraHeader != nil {
|
||||
for key, values := range *extraHeader {
|
||||
for _, value := range values {
|
||||
req.Header.Add(key, value)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resp := MakeRequest(t, req, expectedStatus)
|
||||
|
||||
return resp
|
||||
}
|
||||
|
||||
func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
||||
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
||||
assert.NoError(t, err)
|
||||
|
@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) {
|
|||
checkResponseTestContentEncoding(t, &content, resp, false)
|
||||
}
|
||||
|
||||
func TestGetLFSSmallToken(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
content := []byte("A very small file\n")
|
||||
|
||||
resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
|
||||
checkResponseTestContentEncoding(t, &content, resp, false)
|
||||
}
|
||||
|
||||
func TestGetLFSSmallTokenFail(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
content := []byte("A very small file\n")
|
||||
|
||||
storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
|
||||
}
|
||||
|
||||
func TestGetLFSLarge(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
content := make([]byte, web.GzipMinSize*10)
|
||||
|
|
Loading…
Reference in a new issue