thomiceli / opengist

Self-hosted pastebin powered by Git, open-source alternative to Github Gist.
https://demo.opengist.io
GNU Affero General Public License v3.0
1.52k stars 76 forks

Wrong visibility interaction when RequireLogin = true #280

Closed thomiceli closed 1 month ago

thomiceli commented 1 month ago

When RequireLogin is enabled in the admin panel, and when a user tries to pull/clone a gist, the server obviously asks for a user/password or checks for an existing SSH key. But the access is granted only when the credentials passed match the owner of the gist.

thomiceli commented 1 month ago

https://github.com/thomiceli/opengist/blob/2fd053a077e0502956b188dc3e3e4a3828b8b103/internal/web/git_http.go#L102

https://github.com/thomiceli/opengist/blob/2fd053a077e0502956b188dc3e3e4a3828b8b103/internal/ssh/git_ssh.go#L55

thomiceli commented 1 month ago

Currently it behaves like a pull/clone and a push are the same thing when RequireLogin is enabled, which should not be the case: a login is required, but if the user exists, it should pull/clone, whereas only the gist owner should push.
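
The pull/push distinction described in this issue, as an added Go example that is not opengist's own code: the reported behaviour next to a check that treats login (authentication) and ownership (authorization) separately. The `Request` type, both function names and the sample users are hypothetical, and per-gist visibility is not modelled (the gist is assumed to be otherwise readable).

```go
package main

import "fmt"

// Op is the Git operation requested over HTTP or SSH.
type Op int

const (
	Pull Op = iota // clone or fetch
	Push
)

// Request is a hypothetical, simplified view of an incoming Git request.
type Request struct {
	Op   Op
	User string // authenticated user name; "" means no valid credentials
}

// allowedBuggy models the reported behaviour: with RequireLogin on,
// a pull is checked against the gist owner exactly like a push.
func allowedBuggy(r Request, owner string, requireLogin bool) bool {
	if requireLogin || r.Op == Push {
		return r.User != "" && r.User == owner
	}
	return true
}

// allowedFixed models the expected behaviour: RequireLogin only demands
// an existing user for pulls; pushes always require the gist owner.
func allowedFixed(r Request, owner string, requireLogin bool) bool {
	switch r.Op {
	case Push:
		return r.User != "" && r.User == owner
	case Pull:
		return !requireLogin || r.User != ""
	default:
		return false // deny operations this check does not know about
	}
}

func main() {
	// Constructed cases: gist owned by "alice", RequireLogin enabled.
	for _, r := range []Request{{Pull, ""}, {Pull, "bob"}, {Pull, "alice"}, {Push, "bob"}, {Push, "alice"}} {
		fmt.Printf("op=%d user=%q buggy=%v fixed=%v\n", r.Op, r.User,
			allowedBuggy(r, "alice", true), allowedFixed(r, "alice", true))
	}
}
```

The case that differs between the two functions is a pull by a logged-in user who is not the owner; anonymous pulls and non-owner pushes are denied by both when RequireLogin is enabled.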