From 02836e10c1941c27f39b262a5fa65e37e2c2eb34 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Wed, 20 Oct 2021 20:01:26 +0100
Subject: [PATCH] Ensure correct SSH permissions check for private and restricted users

Repositories owned by private users and organisations and pulls by restricted users need to have permissions checked. Previously Serv would simply assumed that if the user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton
---
 routers/private/serv.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/routers/private/serv.go b/routers/private/serv.go
index aae2a872292c5..8a2e96e15c4c7 100644
--- a/routers/private/serv.go
+++ b/routers/private/serv.go
@@ -279,7 +279,12 @@ func ServCommand(ctx *context.PrivateContext) {
 }

 // Permissions checking:
- if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) {
+ if repoExist &&
+ (mode > models.AccessModeRead ||
+ repo.IsPrivate ||
+ owner.Visibility.IsPrivate() ||
+ user.IsRestricted ||
+ setting.Service.RequireSignInView) {
 if key.Type == models.KeyTypeDeploy {
 if deployKey.Mode < mode {
 ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
@@ -289,7 +294,7 @@ func ServCommand(ctx *context.PrivateContext) {
 return
 }
 } else {
- // Because of special ref "refs/for" .. , need delay write permission check
+ // Because of the special ref "refs/for" we will need to delay write permission check
 if git.SupportProcReceive && unitType == models.UnitTypeCode {
 mode = models.AccessModeRead
 }
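Review bot: The added `user.IsRestricted ||` operand in the first hunk dereferences `user` on a path that the next line shows is also taken by deploy keys (`if key.Type == models.KeyTypeDeploy {`). If `user` is only populated for non-deploy keys (the assignment is outside this hunk, so this needs confirming), a deploy-key read of a public repository would evaluate it on a nil pointer and panic instead of reaching a permission decision. Guarding the operand keeps the new check for real users without touching the deploy-key branch: `(user != nil && user.IsRestricted) || // user is nil when the key is a deploy key`. The other new operand, `owner.Visibility.IsPrivate()`, likewise relies on `owner` being non-nil by this point, which is also established above the hunk. ServCommand starts and ends outside both hunks; a regression test that reads a public repository over SSH with a deploy key would cover the case.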