github/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-19 16:04:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
519b8d6d88a1f09b797e78f69d01410d4e2996c0
gitea/services
History
Giteabot 519b8d6d88 fix(security): enforce wiki git writes and LFS token access at request time (#37695) (#37714) 
Backport #37695 by @lunny

This PR fixes two permission-checking gaps in Git and LFS request
handling.

## What it changes

- keep wiki Git HTTP pushes on the normal write-permission path, even
when proc-receive support is enabled
- revalidate LFS bearer token requests against the current user state
and current repository permissions before allowing access
- add regression coverage for unauthorized wiki HTTP pushes
- add LFS tests for blocked users, revoked repository access, read-only
upload attempts, and valid write access

## Why

- wiki repositories should not inherit the relaxed refs/for handling
used for normal code repositories
- LFS authorization tokens should not remain usable after a user is
disabled or loses repository access

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-16 06:58:28 +00:00
..
actions
fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692) (#37718)
2026-05-16 07:02:14 +02:00
agit
fix: Invalid UTF-8 commit messages in JSON API responses (#37542) (#37585)
2026-05-07 16:22:09 +00:00
asymkey
attachment
Fix various problems (#37129)
2026-04-08 01:17:05 +08:00
auth
Fix basic auth bug (#37503)
2026-05-02 10:58:40 +00:00
automerge
automergequeue
context
fix(git): Fix smart http request scope bug (#37583) (#37605)
2026-05-08 09:14:41 -07:00
contexttest
convert
fix(actions): report individual step status in workflow job API response (#37592) (#37598)
2026-05-08 00:14:45 +02:00
cron
doctor
fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692) (#37718)
2026-05-16 07:02:14 +02:00
externalaccount
feed
forms
Fix update branch protection order (#37508) (#37513)
2026-05-02 19:10:50 +00:00
git
Compare dropdown fails when selecting branch with no common merge-base (#37470) (#37472)
2026-05-08 19:08:36 +00:00
gitdiff
indexer
issue
lfs
fix(security): enforce wiki git writes and LFS token access at request time (#37695) (#37714)
2026-05-16 06:58:28 +00:00
mailer
fix: treat email addresses case-insensitively (#37600) (#37611)
2026-05-08 18:32:25 +00:00
markup
migrations
fix: use consistent GetUser family functions (#37553) (#37589)
2026-05-07 15:43:45 +00:00
mirror
notify
oauth2_provider
org
Fix an issue where changing an organization’s visibility caused problems when users had forked its repositories. (#37324) (#37344)
2026-04-21 19:22:35 +00:00
packages
Add support for RPM Errata (updateinfo.xml) (#37125)
2026-04-08 00:39:53 +08:00
projects
Fix org team assignee/reviewer lookups for team member permissions (#37365) (#37391)
2026-04-23 21:15:53 +02:00
pull
fix: Invalid UTF-8 commit messages in JSON API responses (#37542) (#37585)
2026-05-07 16:22:09 +00:00
release
repository
fix(repo): /generate must sync the branch table for the new repo (#37693) (#37712)
2026-05-16 01:54:48 +08:00
secrets
task
feat(api): encrypt AWS creds (#37679) (#37713)
2026-05-15 15:58:19 +02:00
uinotification
user
versioned_migration
webhook
Enhance GetActionWorkflow to support fallback references (#37189) (#37283)
2026-04-18 21:13:54 +00:00
webtheme
wiki