Always set userID on LFS authentication (#7224)
* Always set userID on LFS authentication Fix #5478 Fix #7219 * Deploy keys should only be able to read their repos
parent
dbd0a2e6dc
commit
5d1a8d23b0
14
cmd/serv.go
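--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -219,8 +219,9 @@ func runServ(c *cli.Context) error {
 var (
 keyID int64
 user *models.User
+userID int64
 )
-if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
+
 keys := strings.Split(c.Args()[0], "-")
 if len(keys) != 2 {
 fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
@@ -231,8 +232,8 @@ func runServ(c *cli.Context) error {
 fail("Invalid key ID", "Invalid key ID[%s]: %v", c.Args()[0], err)
 }
 keyID = key.ID
+userID = key.OwnerID
 
-// Check deploy key or user key.
 if key.Type == models.KeyTypeDeploy {
 // Now we have to get the deploy key for this repo
 deployKey, err := private.GetDeployKey(key.ID, repo.ID)
@@ -258,7 +259,9 @@ func runServ(c *cli.Context) error {
 // so for now use the owner
 os.Setenv(models.EnvPusherName, username)
 os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", repo.OwnerID))
-} else {
+userID = repo.OwnerID
+} else if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
+// Check deploy key or user key.
 user, err = private.GetUserByKeyID(key.ID)
 if err != nil {
 fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
@@ -286,7 +289,6 @@ func runServ(c *cli.Context) error {
 os.Setenv(models.EnvPusherName, user.Name)
 os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", user.ID))
 }
-}
 
 //LFS token authentication
 if verb == lfsAuthenticateVerb {
@@ -299,8 +301,8 @@ func runServ(c *cli.Context) error {
 "exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
 "nbf": now.Unix(),
 }
-if user != nil {
-claims["user"] = user.ID
+if userID > 0 {
+claims["user"] = userID
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 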
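Review bot: In the deploy-key branch (third hunk), `userID = repo.OwnerID` makes the LFS token's `user` claim name the repository owner rather than the key that authenticated, so a token issued for a deploy key cannot be told apart downstream from one issued for the owner. The deploy key's own access-mode check is not visible in these hunks; if the LFS endpoint authorizes on the `user` claim, a read-only deploy key could inherit the owner's rights, and `repo.OwnerID` may be an organization rather than a user. I would record the intent at the assignment, e.g. `// deploy keys have no user: attribute the LFS token to the repo owner; the key's mode must already have been enforced`, and confirm that the LFS handler checks the token's operation and repository, not only the user. runServ starts and ends outside the hunks.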