Always set userID on LFS authentication (#7224)

* Always set userID on LFS authentication

Fix #5478
Fix #7219

* Deploy keys should only be able to read their repos

cmd/serv.go

@@ -219,8 +219,9 @@ func runServ(c *cli.Context) error {
 	var (
 		keyID  int64
 		user   *models.User
+		userID int64
 	)
-	if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
+
 	keys := strings.Split(c.Args()[0], "-")
 	if len(keys) != 2 {
 		fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
@@ -231,8 +232,8 @@ func runServ(c *cli.Context) error {
 		fail("Invalid key ID", "Invalid key ID[%s]: %v", c.Args()[0], err)
 	}
 	keyID = key.ID
+	userID = key.OwnerID
 
-		// Check deploy key or user key.
 	if key.Type == models.KeyTypeDeploy {
 		// Now we have to get the deploy key for this repo
 		deployKey, err := private.GetDeployKey(key.ID, repo.ID)
@@ -258,7 +259,9 @@ func runServ(c *cli.Context) error {
 		// so for now use the owner
 		os.Setenv(models.EnvPusherName, username)
 		os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", repo.OwnerID))
-		} else {
+		userID = repo.OwnerID
+	} else if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
+		// Check deploy key or user key.
 		user, err = private.GetUserByKeyID(key.ID)
 		if err != nil {
 			fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
@@ -286,7 +289,6 @@ func runServ(c *cli.Context) error {
 		os.Setenv(models.EnvPusherName, user.Name)
 		os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", user.ID))
 	}
-	}
 
 	//LFS token authentication
 	if verb == lfsAuthenticateVerb {
@@ -299,8 +301,8 @@ func runServ(c *cli.Context) error {
 			"exp":  now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
 			"nbf":  now.Unix(),
 		}
-		if user != nil {
-			claims["user"] = user.ID
+		if userID > 0 {
+			claims["user"] = userID
 		}
 		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)