fix

Author: yp05327

modules/context/package.go

@@ -97,7 +97,7 @@ func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
 		org := organization.OrgFromUser(ctx.Package.Owner)
 
 		// 1. If user is logined
-		if ctx.Doer != nil {
+		if ctx.Doer != nil && !ctx.Doer.IsGhost() {
 			// check every team permissions
 			teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID)
 			if err != nil {

routers/api/packages/api.go

@@ -44,35 +44,39 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 	}
 }
 
-// CommonRoutes provide endpoints for most package managers (except containers - see below)
-// These are mounted on `/api/packages` (not `/api/v1/packages`)
-func CommonRoutes(ctx gocontext.Context) *web.Route {
-	r := web.NewRoute()
-
-	r.Use(context.PackageContexter(ctx))
-
-	authMethods := []auth.Method{
-		&auth.OAuth2{},
-		&auth.Basic{},
-		&nuget.Auth{},
-		&conan.Auth{},
-		&chef.Auth{},
-	}
+func verifyAuth(r *web.Route, authMethods []auth.Method) {
 	if setting.Service.EnableReverseProxyAuth {
 		authMethods = append(authMethods, &auth.ReverseProxy{})
 	}
-
 	authGroup := auth.NewGroup(authMethods...)
+
 	r.Use(func(ctx *context.Context) {
 		var err error
 		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
 		if err != nil {
-			log.Error("Verify: %v", err)
+			log.Error("Failed to verify user: %v", err)
 			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
 			return
 		}
+		// TODO: check ActionUser's access permission
 		ctx.IsSigned = ctx.Doer != nil
 	})
+}
+
+// CommonRoutes provide endpoints for most package managers (except containers - see below)
+// These are mounted on `/api/packages` (not `/api/v1/packages`)
+func CommonRoutes(ctx gocontext.Context) *web.Route {
+	r := web.NewRoute()
+
+	r.Use(context.PackageContexter(ctx))
+
+	verifyAuth(r, []auth.Method{
+		&auth.OAuth2{},
+		&auth.Basic{},
+		&nuget.Auth{},
+		&conan.Auth{},
+		&chef.Auth{},
+	})
 
 	r.Group("/{username}", func() {
 		r.Group("/cargo", func() {
@@ -437,24 +441,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
 
 	r.Use(context.PackageContexter(ctx))
 
-	authMethods := []auth.Method{
+	verifyAuth(r, []auth.Method{
 		&auth.Basic{},
 		&container.Auth{},
-	}
-	if setting.Service.EnableReverseProxyAuth {
-		authMethods = append(authMethods, &auth.ReverseProxy{})
-	}
-
-	authGroup := auth.NewGroup(authMethods...)
-	r.Use(func(ctx *context.Context) {
-		var err error
-		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
-		if err != nil {
-			log.Error("Failed to verify user: %v", err)
-			ctx.Error(http.StatusUnauthorized, "Verify")
-			return
-		}
-		ctx.IsSigned = ctx.Doer != nil
 	})
 
 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)

routers/api/packages/container/container.go

@@ -14,7 +14,6 @@ import (
 	"strconv"
 	"strings"
 
-	actions_model "code.gitea.io/gitea/models/actions"
 	packages_model "code.gitea.io/gitea/models/packages"
 	container_model "code.gitea.io/gitea/models/packages/container"
 	user_model "code.gitea.io/gitea/models/user"
@@ -144,25 +143,6 @@ func Authenticate(ctx *context.Context) {
 	u := ctx.Doer
 	if u == nil {
 		u = user_model.NewGhostUser()
-	} else if u.IsActions() {
-		task, err := actions_model.GetTaskByID(ctx, ctx.Data["ActionsTaskID"].(int64))
-		if err != nil {
-			apiError(ctx, http.StatusInternalServerError, err)
-			return
-		}
-		if err := task.LoadJob(ctx); err != nil {
-			apiError(ctx, http.StatusInternalServerError, err)
-			return
-		}
-		if err := task.Job.LoadRun(ctx); err != nil {
-			apiError(ctx, http.StatusInternalServerError, err)
-			return
-		}
-		if err := task.Job.Run.LoadTriggerUser(ctx); err != nil {
-			apiError(ctx, http.StatusInternalServerError, err)
-			return
-		}
-		u = task.Job.Run.TriggerUser
 	}
 
 	token, err := packages_service.CreateAuthorizationToken(u)