From 641d481c383e671e914b38b77a95cdce6790fb45 Mon Sep 17 00:00:00 2001
From: Lauris BH
Date: Wed, 4 Apr 2018 20:06:21 +0300
Subject: [PATCH] Correctly check http git access rights for reverse proxy authorized users (#3721) (#3743)
---
 routers/repo/http.go | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 08ccf3ed65..e4e26e4f09 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -184,33 +184,33 @@ func HTTP(ctx *context.Context) {
 return
 }
 }
+ }
- if !isPublicPull {
- has, err := models.HasAccess(authUser.ID, repo, accessMode)
- if err != nil {
- ctx.ServerError("HasAccess", err)
- return
- } else if !has {
- if accessMode == models.AccessModeRead {
- has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
- if err != nil {
- ctx.ServerError("HasAccess2", err)
- return
- } else if !has {
- ctx.HandleText(http.StatusForbidden, "User permission denied")
- return
- }
- } else {
+ if !isPublicPull {
+ has, err := models.HasAccess(authUser.ID, repo, accessMode)
+ if err != nil {
+ ctx.ServerError("HasAccess", err)
+ return
+ } else if !has {
+ if accessMode == models.AccessModeRead {
+ has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
+ if err != nil {
+ ctx.ServerError("HasAccess2", err)
+ return
+ } else if !has {
 ctx.HandleText(http.StatusForbidden, "User permission denied")
 return
 }
- }
-
- if !isPull && repo.IsMirror {
- ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+ } else {
+ ctx.HandleText(http.StatusForbidden, "User permission denied")
 return
 }
 }
+
+ if !isPull && repo.IsMirror {
+ ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+ return
+ }
 }
 if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {
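Review bot: The relocated `if !isPublicPull {` block is now the one authorization gate shared by the reverse-proxy and the credential-based login paths, yet nothing in the code says so, and the removed lines show the earlier check sat one closing brace too deep to cover reverse-proxy users. I would add a comment directly above it, e.g. `// Authorization: must run for every authentication path (reverse-proxy header included); do not nest under credential parsing.` The moved code also dereferences `authUser.ID` unconditionally, so it relies on every branch above either setting authUser or returning; those branches lie outside this hunk and should be confirmed rather than assumed. A regression test that sends a request as a reverse-proxy user without access to a private repository and expects 403 would pin the fix. HTTP's body starts and ends outside the hunk.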