USEFULL/gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2025-05-24 00:12:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

repo: users have access to base repository can also view forks (#6261)

Browse Source
This commit is contained in:
ᴜɴᴋɴᴡᴏɴ 2020-08-22 13:17:45 +08:00 committed by GitHub
parent bc8428ca42
commit 178b73fecd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -55,6 +55,7 @@ All notable changes to Gogs are documented in this file.
- Disallow multiple tokens with same name. [#5587](https://github.com/gogs/gogs/issues/5587) [#5820](https://github.com/gogs/gogs/pull/5820)
- Enable Federated Avatar Lookup could cause server to crash. [#5848](https://github.com/gogs/gogs/issues/5848)
- Private repositories are hidden in the organization's view. [#5869](https://github.com/gogs/gogs/issues/5869)
- Users have access to base repository cannot view commits in forks. [#5878](https://github.com/gogs/gogs/issues/5878)
- Server error when changing email address in user settings page. [#5899](https://github.com/gogs/gogs/issues/5899)
- Fall back to use RFC 3339 as time layout when misconfigured. [#6098](https://github.com/gogs/gogs/issues/6098)
- Unable to update team with server error. [#6185](https://github.com/gogs/gogs/issues/6185)

19
internal/context/repo.go
View File

@ -166,11 +166,11 @@ func RepoAssignment(pages ...bool) macaron.Handler {
c.Data["RepoLink"] = c.Repo.RepoLink
c.Data["RepoRelPath"] = c.Repo.Owner.Name + "/" + c.Repo.Repository.Name
// Admin has super access.
// Admin has super access
if c.IsLogged && c.User.IsAdmin {
c.Repo.AccessMode = db.AccessModeOwner
} else {
mode, err := db.UserAccessMode(c.UserID(), repo)
mode, err := db.UserAccessMode(c.UserID(), c.Repo.Repository)
if err != nil {
c.Error(err, "get user access mode")
return
@ -178,6 +178,21 @@ func RepoAssignment(pages ...bool) macaron.Handler {
c.Repo.AccessMode = mode
}
// If the authenticated user has no direct access, see if the repository is a fork
// and whether the user has access to the base repository.
if c.Repo.AccessMode == db.AccessModeNone && c.Repo.Repository.IsFork {
mode, err := db.UserAccessMode(c.UserID(), c.Repo.Repository.BaseRepo)
if err != nil {
c.Error(err, "get user access mode of base repository")
return
}
// Users shouldn't have indirect access level higher than write.
if mode > db.AccessModeWrite {
mode = db.AccessModeWrite
}
c.Repo.AccessMode = mode
}
// Check access
if c.Repo.AccessMode == db.AccessModeNone {
// Redirect to any accessible page if not yet on it