Ensure correct SSH permissions check for private and restricted users

Repositories owned by private users and organisations and pulls by restricted users need to have permissions checked. Previously Serv would simply assumed that if the user could log in and the repository was not private then it would be visible. Fix go-gitea#17364 Signed-off-by: Andrew Thornton <[email protected]>
zeripath · Oct 20, 2021 · 02836e1 · 02836e1
1 parent f494776
commit 02836e1
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/routers/private/serv.go b/routers/private/serv.go
@@ -279,7 +279,12 @@ func ServCommand(ctx *context.PrivateContext) {
 	}
 
 	// Permissions checking:
-	if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) {
+	if repoExist &&
+		(mode > models.AccessModeRead ||
+			repo.IsPrivate ||
+			owner.Visibility.IsPrivate() ||
+			user.IsRestricted ||
+			setting.Service.RequireSignInView) {
 		if key.Type == models.KeyTypeDeploy {
 			if deployKey.Mode < mode {
 				ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
@@ -289,7 +294,7 @@ func ServCommand(ctx *context.PrivateContext) {
 				return
 			}
 		} else {
-			// Because of special ref "refs/for" .. , need delay write permission check
+			// Because of the special ref "refs/for" we will need to delay write permission check
 			if git.SupportProcReceive && unitType == models.UnitTypeCode {
 				mode = models.AccessModeRead
 			}