go-gitea · lafriks · Oct 24, 2022 · Oct 24, 2022 · Oct 24, 2022 · Oct 24, 2022
diff --git a/modules/context/package.go b/modules/context/package.go
@@ -91,6 +91,10 @@ func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
 return accessMode, nil
 }
 
+if ctx.Doer != nil && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) {
+return accessMode, nil
+}
+
 if ctx.Package.Owner.IsOrganization() {
 org := organization.OrgFromUser(ctx.Package.Owner)
 

diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
@@ -58,6 +58,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 authGroup := auth.NewGroup(authMethods...)
 r.Use(func(ctx *context.Context) {
 ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+ctx.IsSigned = ctx.Doer != nil
 })
 
 r.Group("/{username}", func() {
@@ -316,6 +317,7 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
 authGroup := auth.NewGroup(authMethods...)
 r.Use(func(ctx *context.Context) {
 ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+ctx.IsSigned = ctx.Doer != nil
 })
 
 r.Get("", container.ReqContainerAccess, container.DetermineSupport)

diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
@@ -25,6 +25,7 @@ import (
 
 func TestPackageAPI(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
+
 user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
 session := loginUser(t, user.Name)
 token := getTokenForLoggedInUser(t, session)
@@ -144,6 +145,27 @@ func TestPackageAPI(t *testing.T) {
 })
 }
 
+func TestPackageAccess(t *testing.T) {
+defer tests.PrepareTestEnv(t)()
+
+admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
+
+uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
+url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
+req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
+AddBasicAuthHeader(req, doer.Name)
+MakeRequest(t, req, expectedStatus)
+}
+
+uploadPackage(user, inactive, http.StatusUnauthorized)
+uploadPackage(inactive, inactive, http.StatusUnauthorized)
+uploadPackage(inactive, user, http.StatusUnauthorized)
+uploadPackage(admin, inactive, http.StatusCreated)
+uploadPackage(admin, user, http.StatusCreated)
+}
+
 func TestPackageCleanup(t *testing.T) {
 defer tests.PrepareTestEnv(t)()