This commit is contained in:
@@ -6,6 +6,7 @@ package repo
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
issues_model "code.gitea.io/gitea/models/issues"
|
||||
access_model "code.gitea.io/gitea/models/perm/access"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
@@ -21,6 +22,17 @@ import (
|
||||
repo_service "code.gitea.io/gitea/services/repository"
|
||||
)
|
||||
|
||||
func attachmentReadScope(unitType unit.Type) (auth_model.AccessTokenScope, bool) {
|
||||
switch unitType {
|
||||
case unit.TypeIssues, unit.TypePullRequests:
|
||||
return auth_model.AccessTokenScopeReadIssue, true
|
||||
case unit.TypeReleases:
|
||||
return auth_model.AccessTokenScopeReadRepository, true
|
||||
default:
|
||||
return "", false
|
||||
}
|
||||
}
|
||||
|
||||
// UploadIssueAttachment response for Issue/PR attachments
|
||||
func UploadIssueAttachment(ctx *context.Context) {
|
||||
uploadAttachment(ctx, ctx.Repo.Repository.ID, attachment.UploadAttachmentForIssue)
|
||||
@@ -150,9 +162,12 @@ func ServeAttachment(ctx *context.Context, uuid string) {
|
||||
return
|
||||
}
|
||||
} else { // If we have the linked type, we need to check access
|
||||
var perm access_model.Permission
|
||||
if ctx.Repo.Repository == nil {
|
||||
repo, err := repo_model.GetRepositoryByID(ctx, repoID)
|
||||
var (
|
||||
perm access_model.Permission
|
||||
repo = ctx.Repo.Repository
|
||||
)
|
||||
if repo == nil {
|
||||
repo, err = repo_model.GetRepositoryByID(ctx, repoID)
|
||||
if err != nil {
|
||||
ctx.ServerError("GetRepositoryByID", err)
|
||||
return
|
||||
@@ -170,6 +185,13 @@ func ServeAttachment(ctx *context.Context, uuid string) {
|
||||
ctx.HTTPError(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
if requiredScope, ok := attachmentReadScope(unitType); ok {
|
||||
context.CheckTokenScopes(ctx, repo, requiredScope)
|
||||
if ctx.Written() {
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if err := attach.IncreaseDownloadCount(ctx); err != nil {
|
||||
|
||||
@@ -7,6 +7,7 @@ package repo
|
||||
import (
|
||||
"time"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
git_model "code.gitea.io/gitea/models/git"
|
||||
"code.gitea.io/gitea/modules/git"
|
||||
"code.gitea.io/gitea/modules/httpcache"
|
||||
@@ -18,6 +19,11 @@ import (
|
||||
"code.gitea.io/gitea/services/context"
|
||||
)
|
||||
|
||||
func checkDownloadTokenScope(ctx *context.Context) bool {
|
||||
context.CheckRepoScopedToken(ctx, ctx.Repo.Repository, auth_model.Read)
|
||||
return !ctx.Written()
|
||||
}
|
||||
|
||||
// ServeBlobOrLFS download a git.Blob redirecting to LFS if necessary
|
||||
func ServeBlobOrLFS(ctx *context.Context, blob *git.Blob, lastModified *time.Time) error {
|
||||
if httpcache.HandleGenericETagPrivateCache(ctx.Req, ctx.Resp, `"`+blob.ID.String()+`"`, lastModified) {
|
||||
@@ -88,6 +94,10 @@ func getBlobForEntry(ctx *context.Context) (*git.Blob, *time.Time) {
|
||||
|
||||
// SingleDownload download a file by repos path
|
||||
func SingleDownload(ctx *context.Context) {
|
||||
if !checkDownloadTokenScope(ctx) {
|
||||
return
|
||||
}
|
||||
|
||||
blob, lastModified := getBlobForEntry(ctx)
|
||||
if blob == nil {
|
||||
return
|
||||
@@ -100,6 +110,10 @@ func SingleDownload(ctx *context.Context) {
|
||||
|
||||
// SingleDownloadOrLFS download a file by repos path redirecting to LFS if necessary
|
||||
func SingleDownloadOrLFS(ctx *context.Context) {
|
||||
if !checkDownloadTokenScope(ctx) {
|
||||
return
|
||||
}
|
||||
|
||||
blob, lastModified := getBlobForEntry(ctx)
|
||||
if blob == nil {
|
||||
return
|
||||
@@ -112,6 +126,10 @@ func SingleDownloadOrLFS(ctx *context.Context) {
|
||||
|
||||
// DownloadByID download a file by sha1 ID
|
||||
func DownloadByID(ctx *context.Context) {
|
||||
if !checkDownloadTokenScope(ctx) {
|
||||
return
|
||||
}
|
||||
|
||||
blob, err := ctx.Repo.GitRepo.GetBlob(ctx.PathParam("sha"))
|
||||
if err != nil {
|
||||
if git.IsErrNotExist(err) {
|
||||
@@ -128,6 +146,10 @@ func DownloadByID(ctx *context.Context) {
|
||||
|
||||
// DownloadByIDOrLFS download a file by sha1 ID taking account of LFS
|
||||
func DownloadByIDOrLFS(ctx *context.Context) {
|
||||
if !checkDownloadTokenScope(ctx) {
|
||||
return
|
||||
}
|
||||
|
||||
blob, err := ctx.Repo.GitRepo.GetBlob(ctx.PathParam("sha"))
|
||||
if err != nil {
|
||||
if git.IsErrNotExist(err) {
|
||||
|
||||
Reference in New Issue
Block a user