Merge pull request #477 from ywk253100/new-ui-with-sync-image

add auth check as registry does not distinguish 401 and 403
2024-09-20 20:35:32 +00:00 · 2016-07-06 14:01:57 +08:00 · 2016-07-06 14:01:57 +08:00 · a59e9cdd2a
commit a59e9cdd2a
parent be3110634a 2dab2137db
1 changed files with 51 additions and 7 deletions
--- a/api/repository.go
+++ b/api/repository.go
@ -39,8 +39,6 @@ import (

 // RepositoryAPI handles request to /api/repositories /api/repositories/tags /api/repositories/manifests, the parm has to be put
 // in the query string as the web framework can not parse the URL if it contains veriadic sectors.
-// For repostiories, we won't check the session in this API due to search functionality, querying manifest will be contorlled by
-// the security of registry
 type RepositoryAPI struct {
 	BaseAPI
 }
@ -115,6 +113,20 @@ func (ra *RepositoryAPI) Delete() {
 		ra.CustomAbort(http.StatusBadRequest, "repo_name is nil")
 	}

+	projectName := getProjectName(repoName)
+	project, err := dao.GetProjectByName(projectName)
+	if err != nil {
+		log.Errorf("failed to get project %s: %v", projectName, err)
+		ra.CustomAbort(http.StatusInternalServerError, "")
+	}
+
+	if project.Public == 0 {
+		userID := ra.ValidateUser()
+		if !hasProjectAdminRole(userID, project.ProjectID) {
+			ra.CustomAbort(http.StatusForbidden, "")
+		}
+	}
+
 	rc, err := ra.initRepositoryClient(repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
@ -144,10 +156,6 @@ func (ra *RepositoryAPI) Delete() {
 		tags = append(tags, tag)
 	}

-	project := ""
-	if strings.Contains(repoName, "/") {
-		project = repoName[0:strings.LastIndex(repoName, "/")]
-	}
 	user, _, ok := ra.Ctx.Request.BasicAuth()
 	if !ok {
 		user, err = ra.getUsername()
@ -169,7 +177,7 @@ func (ra *RepositoryAPI) Delete() {
 		go TriggerReplicationByRepository(repoName, []string{t}, models.RepOpDelete)

 		go func(tag string) {
-			if err := dao.AccessLog(user, project, repoName, tag, "delete"); err != nil {
+			if err := dao.AccessLog(user, projectName, repoName, tag, "delete"); err != nil {
 				log.Errorf("failed to add access log: %v", err)
 			}
 		}(t)
@ -195,6 +203,20 @@ func (ra *RepositoryAPI) GetTags() {
 		ra.CustomAbort(http.StatusBadRequest, "repo_name is nil")
 	}

+	projectName := getProjectName(repoName)
+	project, err := dao.GetProjectByName(projectName)
+	if err != nil {
+		log.Errorf("failed to get project %s: %v", projectName, err)
+		ra.CustomAbort(http.StatusInternalServerError, "")
+	}
+
+	if project.Public == 0 {
+		userID := ra.ValidateUser()
+		if !checkProjectPermission(userID, project.ProjectID) {
+			ra.CustomAbort(http.StatusForbidden, "")
+		}
+	}
+
 	rc, err := ra.initRepositoryClient(repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
@ -230,6 +252,20 @@ func (ra *RepositoryAPI) GetManifests() {
 		ra.CustomAbort(http.StatusBadRequest, "repo_name or tag is nil")
 	}

+	projectName := getProjectName(repoName)
+	project, err := dao.GetProjectByName(projectName)
+	if err != nil {
+		log.Errorf("failed to get project %s: %v", projectName, err)
+		ra.CustomAbort(http.StatusInternalServerError, "")
+	}
+
+	if project.Public == 0 {
+		userID := ra.ValidateUser()
+		if !checkProjectPermission(userID, project.ProjectID) {
+			ra.CustomAbort(http.StatusForbidden, "")
+		}
+	}
+
 	rc, err := ra.initRepositoryClient(repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
@ -362,3 +398,11 @@ func newRepositoryClient(endpoint string, insecure bool, username, password, rep
 	}
 	return client, nil
 }
+
+func getProjectName(repository string) string {
+	project := ""
+	if strings.Contains(repository, "/") {
+		project = repository[0:strings.LastIndex(repository, "/")]
+	}
+	return project
+}