Check permissions on repo lookup (#2357)

There was no permission check when looking up repos so you were able to get basic repo information even if you're not allowed to. This uses `session.MustPull` (and set repo/perms before) to fix this.
2026-03-15 17:13:46 +01:00 · 2023-08-30 16:35:34 +02:00
parent 91192a900a
commit e847cbadfa
3 changed files with 9 additions and 28 deletions
--- a/server/api/repo.go
+++ b/server/api/repo.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/gin-gonic/gin"
@@ -277,21 +276,7 @@ func ChownRepo(c *gin.Context) {
 //	@Param		Authorization	header	string	true	"Insert your personal access token"	default(Bearer <personal access token>)
 //	@Param		repo_full_name	path	string	true	"the repository full-name / slug"
 func LookupRepo(c *gin.Context) {
-	_store := store.FromContext(c)
-	repoFullName := strings.TrimLeft(c.Param("repo_full_name"), "/")
-
-	repo, err := _store.GetRepoName(repoFullName)
-	if err != nil {
-		if errors.Is(err, types.RecordNotExist) {
-			c.AbortWithStatus(http.StatusNotFound)
-			return
-		}
-
-		_ = c.AbortWithError(http.StatusInternalServerError, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, repo)
+	c.JSON(http.StatusOK, session.Repo(c))
 }

 // GetRepo