Backport #37695 by @lunny

This PR fixes two permission-checking gaps in Git and LFS request handling.

## What it changes

- keep wiki Git HTTP pushes on the normal write-permission path, even when proc-receive support is enabled
- revalidate LFS bearer token requests against the current user state and current repository permissions before allowing access
- add regression coverage for unauthorized wiki HTTP pushes
- add LFS tests for blocked users, revoked repository access, read-only upload attempts, and valid write access

## Why

- wiki repositories should not inherit the relaxed refs/for handling used for normal code repositories
- LFS authorization tokens should not remain usable after a user is disabled or loses repository access

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
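The two decisions the PR description covers, modelled as an added Go example that is not the project's own code: `requiredAccessMode` shows why a push to a wiki must keep the up-front write check while a code-repo push may defer it to proc-receive, and `authorizeLFS` shows an LFS bearer-token check that re-reads the user's current state and current repository permission instead of trusting the token's claims. The function signatures, the `User`/`PermStore`/`LFSClaims` types and the data returned by `sampleState` are all constructed for this example; `supportProcReceive` stands in for `git.DefaultFeatures().SupportProcReceive`.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode mirrors the coarse repository permission levels used by the handler.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
)

// requiredAccessMode decides which permission a Git smart-HTTP request must hold
// before the handler serves it. The signature is assumed for this example:
// isPush is true for git-receive-pack, isWiki is true when the target is a wiki
// repository, and supportProcReceive stands in for
// git.DefaultFeatures().SupportProcReceive.
//
// A push to the main code repository may target refs/for/* (agit), which a
// read-only user is allowed to do, so with proc-receive available the write
// check is deferred to the proc-receive hook and only read access is demanded
// here. The wiki never accepts refs/for pushes, so it keeps the write check;
// without the "&& !isWiki" guard a read-only user could push to a wiki.
func requiredAccessMode(isPush, isWiki, supportProcReceive bool) AccessMode {
	if !isPush {
		return AccessModeRead
	}
	if supportProcReceive && !isWiki {
		return AccessModeRead // deferred to proc-receive for the code repo only
	}
	return AccessModeWrite
}

// User is a constructed stand-in for the user record an LFS handler would load.
type User struct {
	ID       int64
	IsActive bool
	Blocked  bool
}

// permKey and PermStore are constructed stand-ins for the repository
// permission lookup; a real handler would query the database.
type permKey struct{ UserID, RepoID int64 }
type PermStore map[permKey]AccessMode

// LFSClaims holds what a still-valid LFS bearer token asserts about its holder.
type LFSClaims struct {
	UserID int64
	RepoID int64
	Op     string // "download" or "upload"
}

var ErrLFSUnauthorized = errors.New("lfs: unauthorized")

// authorizeLFS re-derives the decision from current state instead of trusting
// the token's claims: a token issued while the user was active and had write
// access stops working once the user is blocked or loses that access.
func authorizeLFS(c LFSClaims, users map[int64]User, perms PermStore) error {
	u, ok := users[c.UserID]
	if !ok || !u.IsActive || u.Blocked {
		return ErrLFSUnauthorized
	}
	need := AccessModeRead
	if c.Op == "upload" {
		need = AccessModeWrite
	}
	if perms[permKey{c.UserID, c.RepoID}] < need {
		return ErrLFSUnauthorized
	}
	return nil
}

// sampleState builds constructed users and permissions covering the cases the
// PR's LFS tests describe: a valid writer, a blocked user, a read-only user,
// and a user whose repository access has been revoked.
func sampleState() (map[int64]User, PermStore) {
	users := map[int64]User{
		1: {ID: 1, IsActive: true},
		2: {ID: 2, IsActive: true, Blocked: true},
		3: {ID: 3, IsActive: true},
		4: {ID: 4, IsActive: true},
	}
	perms := PermStore{
		{1, 10}: AccessModeWrite,
		{2, 10}: AccessModeWrite, // still recorded, but the user is blocked
		{3, 10}: AccessModeRead,
		// user 4 once had access; it was revoked, so there is no entry
	}
	return users, perms
}

func main() {
	fmt.Println("wiki push with proc-receive needs mode:", requiredAccessMode(true, true, true))
	users, perms := sampleState()
	for _, c := range []LFSClaims{{1, 10, "upload"}, {2, 10, "download"}, {3, 10, "upload"}, {4, 10, "download"}} {
		fmt.Printf("user %d %s: %v\n", c.UserID, c.Op, authorizeLFS(c, users, perms))
	}
}
```

The point of `authorizeLFS` is that token validity (signature, expiry) is necessary but not sufficient: the user and permission lookups happen on every request, so blocking a user or removing a collaborator takes effect immediately rather than when the token expires.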
@@ -180,8 +180,8 @@ func httpBase(ctx *context.Context, optGitService ...string) *serviceHandler {
}
if repoExist {
// Because of special ref "refs/for" (agit) , need delay write permission check
if git.DefaultFeatures().SupportProcReceive {
// Only the main code repo accepts refs/for pushes, so wiki pushes must keep write checks.
if git.DefaultFeatures().SupportProcReceive && !isWiki {
accessMode = perm.AccessModeRead
}
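Review bot: the pre-existing comment `// Because of special ref "refs/for" (agit) , need delay write permission check` is left stacked above the new `// Only the main code repo accepts refs/for pushes, so wiki pushes must keep write checks.` line, so the condition now carries two partially overlapping explanations and the old one still has the stray space before its comma; fold them into a single comment next to the condition, e.g. `// refs/for (agit) pushes defer the write check to proc-receive, but only the main code repo accepts them, so wiki pushes keep the write check here.` The hunk also does not show where `isWiki` is assigned; confirm it is set earlier in `httpBase` from the request path so `&& !isWiki` is not evaluating a zero value for wiki requests.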