SECURITY: fix release download gating and require login for actions #415

Merged
jmiller merged 1 commits from dev into main 2026-06-02 13:41:15 +00:00
2 changed files with 23 additions and 4 deletions
+1 -1
@@ -1620,7 +1620,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
m.Group("/workflows/{workflow_name}", func() {
m.Get("/badge.svg", webAuth.AllowBasic, webAuth.AllowOAuth2, actions.GetWorkflowBadge)
})
}, optSignIn, context.RepoAssignment, repo.MustBeNotEmpty, reqRepoActionsReader, actions.MustEnableActions)
}, reqSignIn, context.RepoAssignment, repo.MustBeNotEmpty, reqRepoActionsReader, actions.MustEnableActions)
// end "/{username}/{reponame}/actions"
m.Group("/{username}/{reponame}/wiki", func() {
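Review bot: Replacing optSignIn with reqSignIn on the group line also puts `/badge.svg` (the `webAuth.AllowBasic, webAuth.AllowOAuth2, actions.GetWorkflowBadge` route) behind a mandatory interactive login, because group middleware runs before the route's own handlers; badges are normally fetched anonymously by README embeds, so this looks like a regression on public repositories unless it is intended. If anonymous badges should keep working, register the badge route outside the reqSignIn group with optSignIn plus the same repo checks, and leave the rest of the actions pages behind reqSignIn. Since reqRepoActionsReader already runs on the group, a one-line comment stating why anonymous read access is dropped entirely would help the next reader, e.g. `// reqSignIn: actions pages are never served anonymously, even on public repos`. The enclosing `m.Group` call and registerWebRoutes both start before this hunk, so whether other anonymous routes sit in the same group cannot be checked here.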
+22 -3
@@ -628,10 +628,29 @@ func repoAssignmentPrepareTemplateData(ctx *Context, data *repoAssignmentPrepare
feedVis = repoUpdateCfg.FeedVisibility
}
ctx.Data["FeedVisibility"] = feedVis
// Only "hidden" mode requires login. "no-download" shows page but hides files.
// Only "hidden" mode requires login for the page itself.
ctx.Data["ReleasesRequireLogin"] = licensingEnabled && feedVis == "hidden"
// Hide download attachments for anonymous users in "no-download" mode.
ctx.Data["HideReleaseDownloads"] = licensingEnabled && feedVis == "no-download" && !ctx.IsSigned
// Determine download gating mode.
downloadGating := "none"
if orgCfg != nil && orgCfg.DownloadGating != "" {
downloadGating = orgCfg.DownloadGating
}
if repoUpdateCfg != nil && repoUpdateCfg.DownloadGating != "" {
downloadGating = repoUpdateCfg.DownloadGating
}
ctx.Data["DownloadGating"] = downloadGating
// Hide download links on release page when:
// - licensing enabled AND feed visibility is "no-download" (anonymous only), OR
// - licensing enabled AND download gating is active AND user not signed in
hideDownloads := false
if licensingEnabled && !ctx.IsSigned {
if feedVis == "no-download" || feedVis == "hidden" || downloadGating != "none" {
hideDownloads = true
}
}
ctx.Data["HideReleaseDownloads"] = hideDownloads
ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
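Review bot: The added lines only set template flags (`ctx.Data["DownloadGating"]` and `ctx.Data["HideReleaseDownloads"]`), so the gating in this hunk is presentation-only; the attachment download handler is not part of the change, and unless it applies the same licensingEnabled / feedVis / downloadGating rule, the links are merely hidden while the files stay reachable by URL — please confirm that handler enforces it, or add a comment here such as `// UI-only flag; the attachment download handler enforces the same gating` pointing at where it does. Separately, `repoUpdateCfg.DownloadGating` overrides the org value whenever it is non-empty, so a repository-level value of "none" would switch off gating configured at the organization; if the org setting is meant as a floor, resolve to the stricter of the two instead. The comment above `hideDownloads` lists only "no-download", but the condition also treats "hidden" as hiding; change it to `// - licensing enabled AND feed visibility is "no-download" or "hidden" (anonymous only), OR`. repoAssignmentPrepareTemplateData begins before this hunk, so where licensingEnabled and orgCfg come from is not visible here.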