Fix auth check bug (#24382)
Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324 `getAuthenticatedMeta` has checked them, these code are duplicated one. And the first invokation has a wrong permission check. `DownloadHandle` should require read permission but not write.
This commit is contained in:
parent
5141bbd9ba
commit
ecf1f2d3f6
|
@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
repository := getAuthenticatedRepository(ctx, rc, true)
|
|
||||||
if repository == nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Support resume download using Range header
|
// Support resume download using Range header
|
||||||
var fromByte, toByte int64
|
var fromByte, toByte int64
|
||||||
toByte = meta.Size - 1
|
toByte = meta.Size - 1
|
||||||
|
@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
repository := getAuthenticatedRepository(ctx, rc, true)
|
|
||||||
if repository == nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
contentStore := lfs_module.NewContentStore()
|
contentStore := lfs_module.NewContentStore()
|
||||||
ok, err := contentStore.Verify(meta.Pointer)
|
ok, err := contentStore.Verify(meta.Pointer)
|
||||||
|
|
||||||
|
|
|
@ -11,6 +11,7 @@ import (
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/models/auth"
|
||||||
"code.gitea.io/gitea/models/db"
|
"code.gitea.io/gitea/models/db"
|
||||||
git_model "code.gitea.io/gitea/models/git"
|
git_model "code.gitea.io/gitea/models/git"
|
||||||
repo_model "code.gitea.io/gitea/models/repo"
|
repo_model "code.gitea.io/gitea/models/repo"
|
||||||
|
@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
|
||||||
return pointer.Oid
|
return pointer.Oid
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
||||||
|
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
oid := storeObjectInRepo(t, repo.ID, content)
|
||||||
|
defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
|
||||||
|
|
||||||
|
token := getUserToken(t, "user2", ts)
|
||||||
|
|
||||||
|
// Request OID
|
||||||
|
req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
|
||||||
|
req.Header.Set("Accept-Encoding", "gzip")
|
||||||
|
req.SetBasicAuth("user2", token)
|
||||||
|
if extraHeader != nil {
|
||||||
|
for key, values := range *extraHeader {
|
||||||
|
for _, value := range values {
|
||||||
|
req.Header.Add(key, value)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resp := MakeRequest(t, req, expectedStatus)
|
||||||
|
|
||||||
|
return resp
|
||||||
|
}
|
||||||
|
|
||||||
func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
||||||
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) {
|
||||||
checkResponseTestContentEncoding(t, &content, resp, false)
|
checkResponseTestContentEncoding(t, &content, resp, false)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestGetLFSSmallToken(t *testing.T) {
|
||||||
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
content := []byte("A very small file\n")
|
||||||
|
|
||||||
|
resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
|
||||||
|
checkResponseTestContentEncoding(t, &content, resp, false)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestGetLFSSmallTokenFail(t *testing.T) {
|
||||||
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
content := []byte("A very small file\n")
|
||||||
|
|
||||||
|
storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
|
||||||
|
}
|
||||||
|
|
||||||
func TestGetLFSLarge(t *testing.T) {
|
func TestGetLFSLarge(t *testing.T) {
|
||||||
defer tests.PrepareTestEnv(t)()
|
defer tests.PrepareTestEnv(t)()
|
||||||
content := make([]byte, web.GzipMinSize*10)
|
content := make([]byte, web.GzipMinSize*10)
|
||||||
|
|
Loading…
Reference in a new issue