1// Copyright 2018 The Gitea Authors. All rights reserved.
2// SPDX-License-Identifier: MIT
3
4package context5
6import (7"net/http"8
9auth_model "code.gitea.io/gitea/models/auth"10repo_model "code.gitea.io/gitea/models/repo"11"code.gitea.io/gitea/models/unit"12"code.gitea.io/gitea/modules/log"13)
14
// RequireRepoAdmin returns a middleware that lets a request continue only when
// the caller is signed in and holds admin permission on the repository.
//
// NOTE(review): denial is reported through ctx.NotFound rather than a
// forbidden status, presumably so the response does not confirm to an
// unauthorized caller that the repository exists.
func RequireRepoAdmin() func(ctx *Context) {
	return func(ctx *Context) {
		// The sign-in check comes first, so IsAdmin is only consulted for an
		// authenticated caller.
		if ctx.IsSigned && ctx.Repo.IsAdmin() {
			return
		}
		ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
	}
}
24
// RequireRepoWriter returns a middleware that requires write permission on the
// specified unit type of the repository. A request without that permission is
// answered with ctx.NotFound.
func RequireRepoWriter(unitType unit.Type) func(ctx *Context) {
	return func(ctx *Context) {
		if ctx.Repo.CanWrite(unitType) {
			return
		}
		ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
	}
}
34
// CanEnableEditor returns a middleware that checks whether the acting user
// (ctx.Doer) may write to the current branch (ctx.Repo.BranchName) of the
// repository. A request that fails the check is answered with ctx.NotFound.
func CanEnableEditor() func(ctx *Context) {
	return func(ctx *Context) {
		if ctx.Repo.CanWriteToBranch(ctx, ctx.Doer, ctx.Repo.BranchName) {
			return
		}
		ctx.NotFound("CanWriteToBranch denies permission", nil)
	}
}
44
// RequireRepoWriterOr returns a middleware that requires write permission on
// at least one of the given unit types. When none of them is writable,
// including when no unit type is passed at all, the request is answered with
// ctx.NotFound.
func RequireRepoWriterOr(unitTypes ...unit.Type) func(ctx *Context) {
	return func(ctx *Context) {
		allowed := false
		for _, ut := range unitTypes {
			if ctx.Repo.CanWrite(ut) {
				// One writable unit is enough; stop at the first match.
				allowed = true
				break
			}
		}
		if !allowed {
			ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
		}
	}
}
56
// RequireRepoReader returns a middleware that requires read permission on the
// specified unit type of the repository. A request without that permission is
// answered with ctx.NotFound.
func RequireRepoReader(unitType unit.Type) func(ctx *Context) {
	return func(ctx *Context) {
		if ctx.Repo.CanRead(unitType) {
			return
		}

		// Diagnostics are emitted only when trace logging is enabled. The
		// entry records who was denied (or that the caller was anonymous),
		// the unit, the repository and the effective permission.
		if log.IsTrace() {
			switch {
			case ctx.IsSigned:
				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+
					"User in Repo has Permissions: %-+v",
					ctx.Doer,
					unitType,
					ctx.Repo.Repository,
					ctx.Repo.Permission)
			default:
				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+
					"Anonymous user in Repo has Permissions: %-+v",
					unitType,
					ctx.Repo.Repository,
					ctx.Repo.Permission)
			}
		}

		ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
	}
}
82
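// RequireRepoReaderOr returns a middleware that requires read permission on at
// least one of the given unit types. When none of them is readable, including
// when no unit type is passed at all, the request is answered with
// ctx.NotFound.
func RequireRepoReaderOr(unitTypes ...unit.Type) func(ctx *Context) {
	return func(ctx *Context) {
		for _, unitType := range unitTypes {
			if ctx.Repo.CanRead(unitType) {
				return
			}
		}

		// Diagnostics are emitted only when trace logging is enabled. The
		// entry records who was denied (or that the caller was anonymous),
		// the units that were checked, the repository and the effective
		// permission.
		if log.IsTrace() {
			var format string
			var args []any
			if ctx.IsSigned {
				format = "Permission Denied: User %-v cannot read ["
				args = append(args, ctx.Doer)
			} else {
				format = "Permission Denied: Anonymous user cannot read ["
			}
			// Put the separator between entries instead of trimming a
			// trailing one afterwards: with an empty unitTypes the trim would
			// cut into the fixed prefix and garble the message. The loop
			// variable is named unitType so it does not shadow the imported
			// unit package.
			for i, unitType := range unitTypes {
				if i > 0 {
					format += ", "
				}
				format += "%-v"
				args = append(args, unitType)
			}

			format += "] in Repo %-v\n" +
				"User in Repo has Permissions: %-+v"
			args = append(args, ctx.Repo.Repository, ctx.Repo.Permission)
			log.Trace(format, args...)
		}
		ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
	}
}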
113
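// CheckRepoScopedToken checks whether the personal access token used for the
// request carries the repository scope required for the given access level.
//
// The check applies only when the request used basic auth with an API token
// (ctx.IsBasicAuth is set and ctx.Data["IsApiToken"] is true); any other
// request returns without a decision. On failure the function writes the
// response itself: http.StatusForbidden when the token is limited to public
// resources and repo is private, or when the required scope is missing, and a
// server error when the scope cannot be evaluated. Nothing is returned, so
// callers have to check whether a response was already written before
// continuing.
func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {
	if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
		return
	}

	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
	if !ok {
		// Not a personal access token (an OAuth2 token, per the original
		// comment), so there is no scope to evaluate here.
		// NOTE(review): this path is fail-open. A missing or differently
		// typed "ApiTokenScope" value skips the scope check entirely; confirm
		// that every code path setting "IsApiToken" for a personal access
		// token also sets "ApiTokenScope", and that OAuth2 tokens are
		// restricted elsewhere.
		return
	}

	requiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)

	// A token restricted to public resources must not reach a private
	// repository, whatever other scopes it carries.
	publicOnly, err := scope.PublicOnly()
	if err != nil {
		// Label the failure with the call that produced it; the original
		// reported it as "HasScope", which misattributes the error in logs.
		ctx.ServerError("PublicOnly", err)
		return
	}
	if publicOnly && repo.IsPrivate {
		ctx.Error(http.StatusForbidden)
		return
	}

	scopeMatched, err := scope.HasScope(requiredScopes...)
	if err != nil {
		ctx.ServerError("HasScope", err)
		return
	}
	if !scopeMatched {
		ctx.Error(http.StatusForbidden)
		return
	}
}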
150