Check permissions on repo lookup (#2357)

There was no permission check when looking up repos so you were able to get basic repo information even if you're not allowed to. This uses `session.MustPull` (and set repo/perms before) to fix this.
2025-09-19 23:46:59 +00:00 · 2023-08-30 16:35:34 +02:00
parent 91192a900a
commit e847cbadfa
3 changed files with 9 additions and 28 deletions
--- a/server/router/middleware/session/repo.go
+++ b/server/router/middleware/session/repo.go
@@ -18,6 +18,7 @@ import (
 	"errors"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/gin-gonic/gin"
@@ -45,11 +46,10 @@ func Repo(c *gin.Context) *model.Repo {
 func SetRepo() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		var (
-			_store  = store.FromContext(c)
-			owner   = c.Param("owner")
-			name    = c.Param("name")
-			_repoID = c.Param("repo_id")
-			user    = User(c)
+			_store   = store.FromContext(c)
+			fullName = strings.TrimLeft(c.Param("repo_full_name"), "/")
+			_repoID  = c.Param("repo_id")
+			user     = User(c)
 		)

 		var repo *model.Repo
@@ -63,7 +63,7 @@ func SetRepo() gin.HandlerFunc {
 			}
 			repo, err = _store.GetRepo(repoID)
 		} else {
-			repo, err = _store.GetRepoName(owner + "/" + name)
+			repo, err = _store.GetRepoName(fullName)
 		}

 		if repo != nil {
@@ -73,11 +73,7 @@ func SetRepo() gin.HandlerFunc {
 		}

 		// debugging
-		log.Debug().Msgf("Cannot find repository %s/%s. %s",
-			owner,
-			name,
-			err.Error(),
-		)
+		log.Debug().Err(err).Msgf("Cannot find repository %s.", fullName)

 		if user == nil {
 			c.AbortWithStatus(http.StatusUnauthorized)