Fix missing authorization check on pull for public repos of private/limited org (#11656)

Fixes #11651
4 years ago · 02fa329a7c
parent 0d9f9f7de1
commit 02fa329a7c
1 changed files with 11 additions and 0 deletions
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@ -29,6 +29,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/process"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) {
 		environ      []string
 	)

+	// don't allow anonymous pulls if organization is not public
+	if isPublicPull {
+		if err := repo.GetOwner(); err != nil {
+			ctx.ServerError("GetOwner", err)
+			return
+		}
+
+		askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic)
+	}
+
 	// check access
 	if askAuth {
 		authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)