Wrong visibility interaction when RequireLogin = true #280

thomiceli · 2024-05-12T02:54:00Z

When RequireLogin is enabled in the admin panel, and when a user try to pull/clone a gist, the server obviously asks a user/password or check for an existing ssh key.
But the access is granted only when the credentials passed match the owner of the gist.

thomiceli · 2024-05-12T02:55:09Z

opengist/internal/web/git_http.go

Line 102 in 2fd053a

 if ok, err := utils.Argon2id.Verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername { 

opengist/internal/ssh/git_ssh.go

Line 55 in 2fd053a

pubKey, err := db.SSHKeyExistsForUser(key, gist.UserID)

thomiceli · 2024-05-12T02:57:33Z

Currently it behaves like a pull/clone and a push are the same thing when RequireLogin is enabled; where it should not be the case: a login is required but if the user exists, it should pull/clone where as only the gist owner should push

thomiceli added the bug Something isn't working label May 12, 2024

thomiceli mentioned this issue May 12, 2024

Add a setting to allow anonymous access to individual gists while still RequireLogin everywhere else #229

Merged

thomiceli mentioned this issue May 27, 2024

Fix perms for http/ssh clone #288

Merged

thomiceli closed this as completed in #288 May 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wrong visibility interaction when RequireLogin = true #280

Wrong visibility interaction when RequireLogin = true #280

thomiceli commented May 12, 2024

thomiceli commented May 12, 2024

thomiceli commented May 12, 2024

Wrong visibility interaction when RequireLogin = true #280

Wrong visibility interaction when RequireLogin = true #280

Comments

thomiceli commented May 12, 2024

thomiceli commented May 12, 2024

thomiceli commented May 12, 2024