2017-01-20 06:58:46 +00:00
|
|
|
// Copyright 2017 The Gitea Authors. All rights reserved.
|
2022-11-27 13:20:29 -05:00
|
|
|
// SPDX-License-Identifier: MIT
|
2017-01-20 06:58:46 +00:00
|
|
|
|
|
|
|
|
package repo
|
|
|
|
|
|
|
|
|
|
import (
|
2020-01-05 00:20:08 +01:00
|
|
|
"net/http"
|
2017-01-20 06:58:46 +00:00
|
|
|
|
2026-05-16 09:18:44 -07:00
|
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
2026-01-12 00:16:59 -08:00
|
|
|
issues_model "code.gitea.io/gitea/models/issues"
|
2022-05-11 18:09:36 +08:00
|
|
|
access_model "code.gitea.io/gitea/models/perm/access"
|
2021-11-19 21:39:57 +08:00
|
|
|
repo_model "code.gitea.io/gitea/models/repo"
|
2026-01-12 00:16:59 -08:00
|
|
|
"code.gitea.io/gitea/models/unit"
|
2021-04-12 16:49:26 +02:00
|
|
|
"code.gitea.io/gitea/modules/httpcache"
|
2026-03-25 17:37:48 +01:00
|
|
|
"code.gitea.io/gitea/modules/httplib"
|
2017-01-20 06:58:46 +00:00
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
2020-08-18 12:23:45 +08:00
|
|
|
"code.gitea.io/gitea/modules/storage"
|
2021-09-08 23:19:30 +08:00
|
|
|
"code.gitea.io/gitea/services/attachment"
|
2024-02-27 15:12:22 +08:00
|
|
|
"code.gitea.io/gitea/services/context"
|
|
|
|
|
"code.gitea.io/gitea/services/context/upload"
|
2022-06-06 16:01:49 +08:00
|
|
|
repo_service "code.gitea.io/gitea/services/repository"
|
2017-01-20 06:58:46 +00:00
|
|
|
)
|
|
|
|
|
|
2026-05-16 09:18:44 -07:00
|
|
|
func attachmentReadScope(unitType unit.Type) (auth_model.AccessTokenScope, bool) {
|
|
|
|
|
switch unitType {
|
|
|
|
|
case unit.TypeIssues, unit.TypePullRequests:
|
|
|
|
|
return auth_model.AccessTokenScopeReadIssue, true
|
|
|
|
|
case unit.TypeReleases:
|
|
|
|
|
return auth_model.AccessTokenScopeReadRepository, true
|
|
|
|
|
default:
|
|
|
|
|
return "", false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-05 07:49:33 +02:00
|
|
|
// UploadIssueAttachment response for Issue/PR attachments
|
|
|
|
|
func UploadIssueAttachment(ctx *context.Context) {
|
2026-04-08 01:17:05 +08:00
|
|
|
uploadAttachment(ctx, ctx.Repo.Repository.ID, attachment.UploadAttachmentForIssue)
|
2017-01-20 06:58:46 +00:00
|
|
|
}
|
|
|
|
|
|
2020-10-05 07:49:33 +02:00
|
|
|
// UploadReleaseAttachment response for uploading release attachments
|
|
|
|
|
func UploadReleaseAttachment(ctx *context.Context) {
|
2026-04-08 01:17:05 +08:00
|
|
|
uploadAttachment(ctx, ctx.Repo.Repository.ID, attachment.UploadAttachmentForRelease)
|
2020-10-05 07:49:33 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// UploadAttachment response for uploading attachments
|
2026-04-08 01:17:05 +08:00
|
|
|
func uploadAttachment(ctx *context.Context, repoID int64, uploadFunc attachment.UploadAttachmentFunc) {
|
2020-08-18 12:23:45 +08:00
|
|
|
if !setting.Attachment.Enabled {
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusNotFound, "attachment is not enabled")
|
2017-01-20 06:58:46 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
file, header, err := ctx.Req.FormFile("file")
|
|
|
|
|
if err != nil {
|
2026-01-12 00:16:59 -08:00
|
|
|
ctx.ServerError("FormFile", err)
|
2017-01-20 06:58:46 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
defer file.Close()
|
|
|
|
|
|
2025-10-21 23:07:11 +08:00
|
|
|
uploaderFile := attachment.NewLimitedUploaderKnownSize(file, header.Size)
|
2026-04-08 01:17:05 +08:00
|
|
|
attach, err := uploadFunc(ctx, uploaderFile, &repo_model.Attachment{
|
2022-12-09 07:35:56 +01:00
|
|
|
Name: header.Filename,
|
|
|
|
|
UploaderID: ctx.Doer.ID,
|
|
|
|
|
RepoID: repoID,
|
|
|
|
|
})
|
2017-01-20 06:58:46 +00:00
|
|
|
if err != nil {
|
2021-09-08 23:19:30 +08:00
|
|
|
if upload.IsErrFileTypeForbidden(err) {
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusBadRequest, err.Error())
|
2021-09-08 23:19:30 +08:00
|
|
|
return
|
|
|
|
|
}
|
2026-04-08 01:17:05 +08:00
|
|
|
ctx.ServerError("uploadAttachment(uploadFunc)", err)
|
2017-01-20 06:58:46 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Trace("New attachment uploaded: %s", attach.UUID)
|
2021-04-05 17:30:52 +02:00
|
|
|
ctx.JSON(http.StatusOK, map[string]string{
|
2017-01-20 06:58:46 +00:00
|
|
|
"uuid": attach.UUID,
|
|
|
|
|
})
|
|
|
|
|
}
|
2019-10-15 20:19:32 +08:00
|
|
|
|
|
|
|
|
// DeleteAttachment response for deleting issue's attachment
|
|
|
|
|
func DeleteAttachment(ctx *context.Context) {
|
2021-08-11 02:31:13 +02:00
|
|
|
file := ctx.FormString("file")
|
2022-05-20 22:08:52 +08:00
|
|
|
attach, err := repo_model.GetAttachmentByUUID(ctx, file)
|
2019-10-15 20:19:32 +08:00
|
|
|
if err != nil {
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusBadRequest, err.Error())
|
2019-10-15 20:19:32 +08:00
|
|
|
return
|
|
|
|
|
}
|
2026-01-12 00:16:59 -08:00
|
|
|
|
|
|
|
|
if !ctx.IsSigned {
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusForbidden)
|
2020-02-28 00:10:27 +01:00
|
|
|
return
|
|
|
|
|
}
|
2026-01-12 00:16:59 -08:00
|
|
|
|
|
|
|
|
if attach.RepoID != ctx.Repo.Repository.ID {
|
|
|
|
|
ctx.HTTPError(http.StatusBadRequest, "attachment does not belong to this repository")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ctx.Doer.ID != attach.UploaderID {
|
|
|
|
|
if attach.IssueID > 0 {
|
|
|
|
|
issue, err := issues_model.GetIssueByID(ctx, attach.IssueID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.ServerError("GetIssueByID", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
|
|
|
|
|
ctx.HTTPError(http.StatusForbidden)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else if attach.ReleaseID > 0 {
|
|
|
|
|
if !ctx.Repo.Permission.CanWrite(unit.TypeReleases) {
|
|
|
|
|
ctx.HTTPError(http.StatusForbidden)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if !ctx.Repo.Permission.IsAdmin() && !ctx.Repo.Permission.IsOwner() {
|
|
|
|
|
ctx.HTTPError(http.StatusForbidden)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-15 08:13:19 +02:00
|
|
|
err = repo_model.DeleteAttachment(ctx, attach, true)
|
2019-10-15 20:19:32 +08:00
|
|
|
if err != nil {
|
2026-01-12 00:16:59 -08:00
|
|
|
ctx.ServerError("DeleteAttachment", err)
|
2019-10-15 20:19:32 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-04-05 17:30:52 +02:00
|
|
|
ctx.JSON(http.StatusOK, map[string]string{
|
2019-10-15 20:19:32 +08:00
|
|
|
"uuid": attach.UUID,
|
|
|
|
|
})
|
|
|
|
|
}
|
2020-01-05 00:20:08 +01:00
|
|
|
|
2026-04-08 01:17:05 +08:00
|
|
|
// ServeAttachment serve attachments with the given UUID
|
2023-04-12 11:05:23 +02:00
|
|
|
func ServeAttachment(ctx *context.Context, uuid string) {
|
|
|
|
|
attach, err := repo_model.GetAttachmentByUUID(ctx, uuid)
|
2020-01-05 00:20:08 +01:00
|
|
|
if err != nil {
|
2021-11-19 21:39:57 +08:00
|
|
|
if repo_model.IsErrAttachmentNotExist(err) {
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusNotFound)
|
2020-01-05 00:20:08 +01:00
|
|
|
} else {
|
|
|
|
|
ctx.ServerError("GetAttachmentByUUID", err)
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 11:37:53 -08:00
|
|
|
// prevent visiting attachment from other repository directly
|
2026-01-20 10:05:51 -08:00
|
|
|
// The check will be ignored before this code merged.
|
|
|
|
|
if attach.CreatedUnix > repo_model.LegacyAttachmentMissingRepoIDCutoff && ctx.Repo.Repository != nil && ctx.Repo.Repository.ID != attach.RepoID {
|
2026-01-14 11:37:53 -08:00
|
|
|
ctx.HTTPError(http.StatusNotFound)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-20 10:05:51 -08:00
|
|
|
unitType, repoID, err := repo_service.GetAttachmentLinkedTypeAndRepoID(ctx, attach)
|
2020-01-05 00:20:08 +01:00
|
|
|
if err != nil {
|
2026-01-20 10:05:51 -08:00
|
|
|
ctx.ServerError("GetAttachmentLinkedTypeAndRepoID", err)
|
2020-01-05 00:20:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 11:37:53 -08:00
|
|
|
if unitType == unit.TypeInvalid { // unlinked attachment can only be accessed by the uploader
|
2022-03-22 08:03:22 +01:00
|
|
|
if !(ctx.IsSigned && attach.UploaderID == ctx.Doer.ID) { // We block if not the uploader
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusNotFound)
|
2020-01-05 00:20:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
2026-01-14 11:37:53 -08:00
|
|
|
} else { // If we have the linked type, we need to check access
|
2026-05-16 09:18:44 -07:00
|
|
|
var (
|
|
|
|
|
perm access_model.Permission
|
|
|
|
|
repo = ctx.Repo.Repository
|
|
|
|
|
)
|
|
|
|
|
if repo == nil {
|
|
|
|
|
repo, err = repo_model.GetRepositoryByID(ctx, repoID)
|
2026-01-14 11:37:53 -08:00
|
|
|
if err != nil {
|
|
|
|
|
ctx.ServerError("GetRepositoryByID", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2026-03-29 11:21:14 +02:00
|
|
|
perm, err = access_model.GetDoerRepoPermission(ctx, repo, ctx.Doer)
|
2026-01-14 11:37:53 -08:00
|
|
|
if err != nil {
|
2026-03-29 11:21:14 +02:00
|
|
|
ctx.ServerError("GetDoerRepoPermission", err)
|
2026-01-14 11:37:53 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
perm = ctx.Repo.Permission
|
2020-01-05 00:20:08 +01:00
|
|
|
}
|
2026-01-14 11:37:53 -08:00
|
|
|
|
2020-01-05 00:20:08 +01:00
|
|
|
if !perm.CanRead(unitType) {
|
2025-02-17 14:13:17 +08:00
|
|
|
ctx.HTTPError(http.StatusNotFound)
|
2020-01-05 00:20:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
2026-05-16 09:18:44 -07:00
|
|
|
|
|
|
|
|
if requiredScope, ok := attachmentReadScope(unitType); ok {
|
|
|
|
|
context.CheckTokenScopes(ctx, repo, requiredScope)
|
|
|
|
|
if ctx.Written() {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-01-05 00:20:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-09-15 08:13:19 +02:00
|
|
|
if err := attach.IncreaseDownloadCount(ctx); err != nil {
|
2021-04-12 16:49:26 +02:00
|
|
|
ctx.ServerError("IncreaseDownloadCount", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-30 15:33:50 +08:00
|
|
|
if setting.Attachment.Storage.ServeDirect() {
|
2022-01-20 18:46:10 +01:00
|
|
|
// If we have a signed url (S3, object storage), redirect to this directly.
|
2026-03-22 05:26:13 +01:00
|
|
|
u, err := storage.Attachments.ServeDirectURL(attach.RelativePath(), attach.Name, ctx.Req.Method, nil)
|
2020-08-18 12:23:45 +08:00
|
|
|
|
|
|
|
|
if u != nil && err == nil {
|
|
|
|
|
ctx.Redirect(u.String())
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-01 21:32:35 +08:00
|
|
|
if httpcache.HandleGenericETagPrivateCache(ctx.Req, ctx.Resp, `"`+attach.UUID+`"`, attach.CreatedUnix.AsTimePtr()) {
|
2021-04-12 16:49:26 +02:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-20 18:46:10 +01:00
|
|
|
// If we have matched and access to release or issue
|
2020-08-18 12:23:45 +08:00
|
|
|
fr, err := storage.Attachments.Open(attach.RelativePath())
|
2020-01-05 00:20:08 +01:00
|
|
|
if err != nil {
|
|
|
|
|
ctx.ServerError("Open", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
defer fr.Close()
|
|
|
|
|
|
2026-03-25 17:37:48 +01:00
|
|
|
httplib.ServeUserContentByFile(ctx.Req, ctx.Resp, fr, httplib.ServeHeaderOptions{Filename: attach.Name})
|
2020-01-05 00:20:08 +01:00
|
|
|
}
|
2023-04-12 11:05:23 +02:00
|
|
|
|
|
|
|
|
// GetAttachment serve attachments
|
|
|
|
|
func GetAttachment(ctx *context.Context) {
|
2024-12-24 21:47:45 +08:00
|
|
|
ServeAttachment(ctx, ctx.PathParam("uuid"))
|
2023-04-12 11:05:23 +02:00
|
|
|
}
|