From 5999349ce7e311cd123bc5874a3ff2b282c7f6f5 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Thu, 27 Apr 2023 18:49:50 -0400
Subject: [PATCH] Fix auth check bug (#24382) (#24387)

Backport #24382 by @lunny

Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324

`getAuthenticatedMeta` has checked them, these code are duplicated one.
And the first invokation has a wrong permission check. `DownloadHandle`
should require read permission but not write.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 services/lfs/server.go                  | 10 ------
 tests/integration/lfs_getobject_test.go | 41 +++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 10 deletions(-)

diff --git a/services/lfs/server.go b/services/lfs/server.go
index 53d72780db..81a6f6a9e7 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) {
 		return
 	}
 
-	repository := getAuthenticatedRepository(ctx, rc, true)
-	if repository == nil {
-		return
-	}
-
 	// Support resume download using Range header
 	var fromByte, toByte int64
 	toByte = meta.Size - 1
@@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) {
 		return
 	}
 
-	repository := getAuthenticatedRepository(ctx, rc, true)
-	if repository == nil {
-		return
-	}
-
 	contentStore := lfs_module.NewContentStore()
 	ok, err := contentStore.Verify(meta.Pointer)
 
diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go
index 7b1b3e109c..ba236d355f 100644
--- a/tests/integration/lfs_getobject_test.go
+++ b/tests/integration/lfs_getobject_test.go
@@ -11,6 +11,7 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
 	return pointer.Oid
 }
 
+func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
+	repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
+	assert.NoError(t, err)
+	oid := storeObjectInRepo(t, repo.ID, content)
+	defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
+
+	token := getUserToken(t, "user2", ts)
+
+	// Request OID
+	req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
+	req.Header.Set("Accept-Encoding", "gzip")
+	req.SetBasicAuth("user2", token)
+	if extraHeader != nil {
+		for key, values := range *extraHeader {
+			for _, value := range values {
+				req.Header.Add(key, value)
+			}
+		}
+	}
+
+	resp := MakeRequest(t, req, expectedStatus)
+
+	return resp
+}
+
 func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
 	repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
 	assert.NoError(t, err)
@@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) {
 	checkResponseTestContentEncoding(t, &content, resp, false)
 }
 
+func TestGetLFSSmallToken(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	content := []byte("A very small file\n")
+
+	resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
+	checkResponseTestContentEncoding(t, &content, resp, false)
+}
+
+func TestGetLFSSmallTokenFail(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	content := []byte("A very small file\n")
+
+	storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
+}
+
 func TestGetLFSLarge(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	content := make([]byte, web.GzipMinSize*10)