Fix permission check on http push

2022-12-12 14:52:00 +08:00
parent 59c3707da2
commit 705fbb46d5
5 changed files with 15 additions and 9 deletions
--- a/routers/private/hook_pre_receive.go
+++ b/routers/private/hook_pre_receive.go
@@ -466,7 +466,7 @@ func (ctx *preReceiveContext) loadPusherAndPermission() bool {

 	if ctx.opts.UserID == user_model.ActionsUserID {
 		ctx.user = user_model.NewActionsUser()
-		ctx.userPerm.AccessMode = perm_model.AccessModeAdmin
+		ctx.userPerm.AccessMode = perm_model.AccessMode(ctx.opts.ActionPerm)
 		if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
 			log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
 			ctx.JSON(http.StatusInternalServerError, private.Response{
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -181,6 +181,14 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			return
 		}

+		environ = []string{
+			repo_module.EnvRepoUsername + "=" + username,
+			repo_module.EnvRepoName + "=" + reponame,
+			repo_module.EnvPusherName + "=" + ctx.Doer.Name,
+			repo_module.EnvPusherID + fmt.Sprintf("=%d", ctx.Doer.ID),
+			repo_module.EnvAppURL + "=" + setting.AppURL,
+		}
+
 		if repoExist {
 			// Because of special ref "refs/for" .. , need delay write permission check
 			if git.SupportProcReceive {
@@ -204,11 +212,13 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return
 					}
+					environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, perm.AccessModeRead))
 				} else {
 					if accessMode > perm.AccessModeWrite {
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return
 					}
+					environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, perm.AccessModeWrite))
 				}
 			} else {
 				p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
@@ -229,14 +239,6 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			}
 		}

-		environ = []string{
-			repo_module.EnvRepoUsername + "=" + username,
-			repo_module.EnvRepoName + "=" + reponame,
-			repo_module.EnvPusherName + "=" + ctx.Doer.Name,
-			repo_module.EnvPusherID + fmt.Sprintf("=%d", ctx.Doer.ID),
-			repo_module.EnvAppURL + "=" + setting.AppURL,
-		}
-
 		if !ctx.Doer.KeepEmailPrivate {
 			environ = append(environ, repo_module.EnvPusherEmail+"="+ctx.Doer.Email)
 		}