From 95af6096fbd65d9b28a8a4b6ecbb2beb883183d6 Mon Sep 17 00:00:00 2001 From: Cirno the Strongest <1447794+CirnoT@users.noreply.github.com> Date: Fri, 29 May 2020 23:12:21 +0200 Subject: [PATCH] Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683) Fixes #11651 (cherry picked from commit 02fa329a7c2190d947cd5e02ea90d2d4406653be) --- routers/repo/http.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/routers/repo/http.go b/routers/repo/http.go index 9c0834e5c3f..0c746e311e5 100644 --- a/routers/repo/http.go +++ b/routers/repo/http.go @@ -29,6 +29,7 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/process" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/timeutil" repo_service "code.gitea.io/gitea/services/repository" ) @@ -135,6 +136,16 @@ func HTTP(ctx *context.Context) { environ []string ) + // don't allow anonymous pulls if organization is not public + if isPublicPull { + if err := repo.GetOwner(); err != nil { + ctx.ServerError("GetOwner", err) + return + } + + askAuth = askAuth || (repo.Owner.Visibility != structs.VisibleTypePublic) + } + // check access if askAuth { authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)