Check IsActionsToken for LFS authentication (#23841) (#23875)

Backport #23841 by @Zettat123 Close #23824 Actions cannot fetch LFS objects from private repos because we don't check if the user is the `ActionUser`. Co-authored-by: Zettat123 <zettat123@gmail.com>
2024-11-01 15:19:09 +01:00 · 2023-04-02 16:30:33 -04:00 · 2023-04-02 16:30:33 -04:00 · fe7caa05cc
commit fe7caa05cc
parent 026167f854
1 changed files with 19 additions and 1 deletions
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@ -18,6 +18,7 @@ import (
 	"strconv"
 	"strings"

+	actions_model "code.gitea.io/gitea/models/actions"
 	git_model "code.gitea.io/gitea/models/git"
 	"code.gitea.io/gitea/models/perm"
 	access_model "code.gitea.io/gitea/models/perm/access"
@ -495,10 +496,27 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 		accessMode = perm.AccessModeWrite
 	}

+	if ctx.Data["IsActionsToken"] == true {
+		taskID := ctx.Data["ActionsTaskID"].(int64)
+		task, err := actions_model.GetTaskByID(ctx, taskID)
+		if err != nil {
+			log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err)
+			return false
+		}
+		if task.RepoID != repository.ID {
+			return false
+		}
+
+		if task.IsForkPullRequest {
+			return accessMode <= perm.AccessModeRead
+		}
+		return accessMode <= perm.AccessModeWrite
+	}
+
 	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
 	perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
 	if err != nil {
-		log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository)
+		log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
 		return false
 	}