Fix perms for http/ssh clone (#288)

2025-07-10 18:01:53 +02:00 · 2024-05-28 01:30:08 +02:00
parent 77d87aeecd
commit 38892d8a4a
12 changed files with 225 additions and 22 deletions
--- a/internal/ssh/git_ssh.go
+++ b/internal/ssh/git_ssh.go
@ -50,11 +50,18 @@ func runGitCommand(ch ssh.Channel, gitCmd string, key string, ip string) error {
 	// - gist is not found (obfuscation)
 	// - admin setting to require login is set to true
 	if verb == "receive-pack" ||
-		gist.Private == 2 ||
+		gist.Private == db.PrivateVisibility ||
 		gist.ID == 0 ||
 		!allowUnauthenticated {

-		pubKey, err := db.SSHKeyExistsForUser(key, gist.UserID)
+		var userToCheckPermissions *db.User
+		if gist.Private != db.PrivateVisibility && verb == "upload-pack" {
+			userToCheckPermissions, _ = db.GetUserFromSSHKey(key)
+		} else {
+			userToCheckPermissions = &gist.User
+		}
+
+		pubKey, err := db.SSHKeyExistsForUser(key, userToCheckPermissions.ID)
 		if err != nil {
 			if errors.Is(err, gorm.ErrRecordNotFound) {
 				log.Warn().Msg("Invalid SSH authentication attempt from " + ip)
--- a/internal/ssh/run.go
+++ b/internal/ssh/run.go
@ -24,8 +24,8 @@ func Start() {
 	sshConfig := &ssh.ServerConfig{
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			strKey := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))
-			_, err := db.SSHKeyDoesExists(strKey)
-			if err != nil {
+			exists, err := db.SSHKeyDoesExists(strKey)
+			if !exists {
 				if !errors.Is(err, gorm.ErrRecordNotFound) {
 					return nil, err
 				}