gitea

Mirrors/gitea

Fork 0

mirror of https://github.com/go-gitea/gitea.git synced 2026-06-07 08:55:14 +02:00

Commit Graph

Author	SHA1	Message	Date
Lunny Xiao	61b1a39efe	chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873 )	2026-05-26 15:49:31 -07:00
Lunny Xiao	f9b7b65371	fix(security): enforce wiki git writes and LFS token access at request time (#37695 ) This PR fixes two permission-checking gaps in Git and LFS request handling. ## What it changes - keep wiki Git HTTP pushes on the normal write-permission path, even when proc-receive support is enabled - revalidate LFS bearer token requests against the current user state and current repository permissions before allowing access - add regression coverage for unauthorized wiki HTTP pushes - add LFS tests for blocked users, revoked repository access, read-only upload attempts, and valid write access ## Why - wiki repositories should not inherit the relaxed refs/for handling used for normal code repositories - LFS authorization tokens should not remain usable after a user is disabled or loses repository access Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-05-15 08:12:59 +00:00
wxiaoguang	b2ee5be52e	Refactor legacy code (#35708 ) And by the way, remove the legacy TODO, split large functions into small ones, and add more tests	2025-10-20 11:43:08 -07:00

Author

SHA1

Message

Date

Lunny Xiao

61b1a39efe

chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873 )

2026-05-26 15:49:31 -07:00

Lunny Xiao

f9b7b65371

fix(security): enforce wiki git writes and LFS token access at request time (#37695 )

This PR fixes two permission-checking gaps in Git and LFS request
handling.

## What it changes

- keep wiki Git HTTP pushes on the normal write-permission path, even
when proc-receive support is enabled
- revalidate LFS bearer token requests against the current user state
and current repository permissions before allowing access
- add regression coverage for unauthorized wiki HTTP pushes
- add LFS tests for blocked users, revoked repository access, read-only
upload attempts, and valid write access

## Why

- wiki repositories should not inherit the relaxed refs/for handling
used for normal code repositories
- LFS authorization tokens should not remain usable after a user is
disabled or loses repository access

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

2026-05-15 08:12:59 +00:00

wxiaoguang

b2ee5be52e

Refactor legacy code (#35708 )

And by the way, remove the legacy TODO, split large functions into small
ones, and add more tests

2025-10-20 11:43:08 -07:00

3 Commits