mirrors/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-19 03:21:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
59db4154ebe82877ebb765c2d45352fbb69f736d
gitea/routers/web/repo
History
Lunny Xiao f9b7b65371 fix(security): enforce wiki git writes and LFS token access at request time (#37695) 
This PR fixes two permission-checking gaps in Git and LFS request
handling.

## What it changes

- keep wiki Git HTTP pushes on the normal write-permission path, even
when proc-receive support is enabled
- revalidate LFS bearer token requests against the current user state
and current repository permissions before allowing access
- add regression coverage for unauthorized wiki HTTP pushes
- add LFS tests for blocked users, revoked repository access, read-only
upload attempts, and valid write access

## Why

- wiki repositories should not inherit the relaxed refs/for handling
used for normal code repositories
- LFS authorization tokens should not remain usable after a user is
disabled or loses repository access

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-15 08:12:59 +00:00
..
actions
fix: Sort action run jobs by JobID and Name with matrix examples (#37046)
2026-05-13 07:30:22 +00:00
setting
fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
2026-05-07 16:19:45 +02:00
activity.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
attachment.go
Fix various problems (#37129)
2026-04-08 01:17:05 +08:00
blame.go
fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
2026-05-07 16:19:45 +02:00
branch.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
code_frequency.go
Hide activity contributors, recent commits and code frequrency left tabs if there is no code permission (#34053)
2025-03-28 21:04:40 -07:00
commit.go
fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
2026-05-07 16:19:45 +02:00
common_recentbranches.go
Fix issue label deletion with Actions tokens (#37013)
2026-03-29 09:21:14 +00:00
compare_test.go
fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
2026-05-07 16:19:45 +02:00
compare.go
fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
2026-05-07 16:19:45 +02:00
contributors.go
Fix incorrect ref commit ID usage (#33331)
2025-01-20 07:43:49 +00:00
download.go
Feature non-zipped actions artifacts (action v7) (#36786)
2026-03-26 00:37:48 +08:00
editor_apply_patch.go
Replace Monaco with CodeMirror (#36764)
2026-03-31 21:50:45 +00:00
editor_cherry_pick.go
fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
2026-05-07 16:19:45 +02:00
editor_error.go
Refactor flash message and remove SanitizeHTML template func (#37179)
2026-04-12 10:17:25 +08:00
editor_fork.go
Edit file workflow for creating a fork and proposing changes (#34240)
2025-06-22 12:43:43 +00:00
editor_preview.go
Use full-file highlighting for diff sections (#36561)
2026-02-10 03:29:28 +00:00
editor_test.go
Remove wrong "git.DefaultContext" (#35364)
2025-08-27 16:31:21 +00:00
editor_uploader.go
fix attachment file size limit in server backend (#35519)
2025-10-21 15:07:11 +00:00
editor_util.go
Replace Monaco with CodeMirror (#36764)
2026-03-31 21:50:45 +00:00
editor.go
Replace Monaco with CodeMirror (#36764)
2026-03-31 21:50:45 +00:00
fork.go
Edit file workflow for creating a fork and proposing changes (#34240)
2025-06-22 12:43:43 +00:00
githttp_test.go
Enable testifylint rules (#34075)
2025-03-31 01:53:48 -04:00
githttp.go
fix(security): enforce wiki git writes and LFS token access at request time (#37695)
2026-05-15 08:12:59 +00:00
helper.go
Refactor error system (#33610)
2025-02-16 22:13:17 -08:00
issue_comment.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
issue_content_history.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
issue_dependency.go
Fix issue label deletion with Actions tokens (#37013)
2026-03-29 09:21:14 +00:00
issue_label_test.go
Validate hex colors when creating/editing labels (#34623)
2025-06-07 11:25:08 +03:00
issue_label.go
Validate hex colors when creating/editing labels (#34623)
2025-06-07 11:25:08 +03:00
issue_list.go
Allow multiple projects per issue and pull requests (#36784)
2026-04-30 22:38:05 +08:00
issue_lock.go
Add API routes to lock and unlock issues (#34165)
2025-04-21 00:43:43 +00:00
issue_new.go
Allow multiple projects per issue and pull requests (#36784)
2026-04-30 22:38:05 +08:00
issue_page_meta.go
Allow multiple projects per issue and pull requests (#36784)
2026-04-30 22:38:05 +08:00
issue_pin.go
Move issue pin to an standalone table for querying performance (#33452)
2025-02-17 11:28:37 -08:00
issue_poster.go
fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (#36597)
2026-03-04 21:23:17 +08:00
issue_stopwatch.go
fix(issue): Replace stopwatch toggle with explicit start/stop actions (#34818)
2025-06-25 07:22:58 +08:00
issue_suggestions.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
issue_test.go
Implement FSFE REUSE for golang files (#21840)
2022-11-27 18:20:29 +00:00
issue_timetrack.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
issue_view.go
Refactor pull request view (7) (#37524)
2026-05-04 20:13:38 +00:00
issue_watch.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
issue.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
main_test.go
make writing main test easier (#27270)
2023-09-28 01:38:53 +00:00
mention.go
Load mentionValues asynchronously (#36739)
2026-03-07 12:37:37 -08:00
middlewares_test.go
Fix diff view style handling (#36324)
2026-01-09 04:37:16 +00:00
middlewares.go
Refactor compare diff/pull page (1) (#37481)
2026-04-29 18:32:46 +00:00
migrate.go
Deprecate RenderWithErr (#36769)
2026-02-27 12:38:44 +00:00
milestone.go
Allow multiple projects per issue and pull requests (#36784)
2026-04-30 22:38:05 +08:00
packages.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
projects_test.go
Clarify path param naming (#32969)
2024-12-24 13:47:45 +00:00
projects.go
Allow multiple projects per issue and pull requests (#36784)
2026-04-30 22:38:05 +08:00
pull_merge_box.go
Refactor pull request view (7) (#37524)
2026-05-04 20:13:38 +00:00
pull_merge_form.go
Refactor pull request view (7) (#37524)
2026-05-04 20:13:38 +00:00
pull_review_test.go
Refactor template render (#36438)
2026-01-24 05:11:49 +00:00
pull_review.go
Refactor compare diff/pull page (1) (#37481)
2026-04-29 18:32:46 +00:00
pull.go
Fix various problems (#37547)
2026-05-05 15:54:07 +00:00
recent_commits.go
Hide activity contributors, recent commits and code frequrency left tabs if there is no code permission (#34053)
2025-03-28 21:04:40 -07:00
release_test.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
release.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
render.go
Rename CurrentRefPath to CurrentRefSubURL (#37453)
2026-04-28 00:34:17 +00:00
repo.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
search.go
Fix CodeQL code scanning alerts (#36858)
2026-03-08 14:35:50 +00:00
star.go
Fix inconsistent disabled styling on logged-out repo header buttons (#37406)
2026-04-27 17:33:10 +00:00
topic.go
Move context from modules to services (#29440)
2024-02-27 08:12:22 +01:00
transfer.go
Fix Repository transferring page (#37277)
2026-04-19 17:57:51 +00:00
treelist_test.go
fix some file icon ui (#36078)
2025-12-04 19:47:23 +01:00
treelist.go
Refactor ls-tree and git path related problems (#35858)
2025-11-05 17:48:38 +00:00
view_file.go
Rename CurrentRefPath to CurrentRefSubURL (#37453)
2026-04-28 00:34:17 +00:00
view_home_test.go
Fix repo file list partial reloading for submodules (#35183)
2025-07-31 09:34:51 +08:00
view_home.go
chore: introduce HTMLBuilder (#37688)
2026-05-13 17:06:53 +00:00
view_readme_test.go
Fix README symlink resolution in subdirectories like .github (#36775)
2026-03-01 05:33:08 +00:00
view_readme.go
Rename CurrentRefPath to CurrentRefSubURL (#37453)
2026-04-28 00:34:17 +00:00
view_test.go
Implement FSFE REUSE for golang files (#21840)
2022-11-27 18:20:29 +00:00
view.go
refactor: use named Permission field in Repository struct instead of anonymous embedding (#37441)
2026-04-26 20:18:28 +00:00
watch.go
Fix inconsistent disabled styling on logged-out repo header buttons (#37406)
2026-04-27 17:33:10 +00:00
webgit.go
Support choose email when creating a commit via web UI (more) (#33445)
2025-01-31 02:36:18 +00:00
wiki_test.go
Move HasWiki to repository service package (#33912)
2025-09-01 11:12:58 -07:00
wiki.go
Refactor compare diff/pull page (1) (#37481)
2026-04-29 18:32:46 +00:00