
[1.17.0-rc1] Package owned by a private owner can be retrieved without authentication #20093

Closed

@a1ex4

Description

I upload a package using a curl command, following the docs, with my private account, and retrieve the package's direct link using the Web UI. Then, using this link in a browser private window, I can download the package without any authentication.

Here are the container logs showing a 401 followed by a 200 and a successful download:

2022/06/22 21:26:06 [62b388ee] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55060, 401 Unauthorized in 2.2ms @ packages/api.go:31(packages.reqPackageAccess)
2022/06/22 21:26:06 [62b388ee-2] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55062, 200 OK in 59.5ms @ generic/generic.go:34(generic.DownloadPackageFile)

Gitea Version

1.17.0-rc1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker with latest tag

Database

No response
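The two log lines above are the whole evidence in the report, so the first thing a reviewer wants is a way to pull that exact sequence out of a larger router log, and a way to confirm it with a request that is guaranteed to carry no credentials. The script below is an added example, not code from the Gitea project or from the reporter. It assumes the router log layout matches the two quoted lines (the regex is fitted to them), the three extra log lines in SAMPLE_LOG are constructed here for the test, and the URL in the usage comment is a placeholder. One caveat it encodes: a 401 followed by a 200 on the same path is also what an ordinary HTTP Basic-auth challenge/response produces (first request without credentials, retry with them), so the log pattern alone is a lead, not proof; the decisive check is `probe_unauthenticated()`, which sends no credentials or cookies and reports the status.

```python
"""Flag 401-then-200 package downloads in Gitea router logs, then probe for real.

Added example, not Gitea project code or the issue reporter's code. Assumes the
"router: completed" line layout quoted in the issue and a generic package URL of
the form shown there.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Layout of a router "completed" line as quoted in the issue (assumed stable;
# the regex is fitted to those two lines).
ROUTER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<req>[0-9a-f]+(?:-\d+)?)\] router: completed "
    r"(?P<method>[A-Z]+) (?P<path>\S+) for (?P<client>\S+), "
    r"(?P<status>\d{3}) [^@]* @ (?P<handler>\S+)$"
)
PACKAGE_PATH = re.compile(r"^/api/packages/[^/]+/")


@dataclass
class RouterEvent:
    ts: str
    req: str
    method: str
    path: str
    status: int
    handler: str


def parse_router_line(line):
    """Parse one router line; return None for lines in any other format."""
    m = ROUTER_LINE.match(line.strip())
    if m is None:
        return None
    return RouterEvent(m["ts"], m["req"], m["method"], m["path"],
                       int(m["status"]), m["handler"])


def find_denied_then_served(lines):
    """Return (timestamp, path, handler) for each package GET answered 200
    after an earlier 401 on the same path.

    This is the sequence the issue shows. Caveat: a client performing a normal
    Basic-auth challenge/response produces the same 401 then 200 pair, so a
    hit is a lead to confirm with probe_unauthenticated(), not proof.
    """
    denied = set()
    hits = []
    for line in lines:
        ev = parse_router_line(line)
        if ev is None or ev.method != "GET" or not PACKAGE_PATH.match(ev.path):
            continue
        if ev.status == 401:
            denied.add(ev.path)
        elif ev.status == 200 and ev.path in denied:
            hits.append((ev.ts, ev.path, ev.handler))
    return hits


def probe_unauthenticated(url, timeout=10):
    """GET url with no credentials or cookies and return the HTTP status.

    200 reproduces the report; 401 (or 404) is the expected answer for a
    package belonging to a private owner. Needs a live instance, so it is
    not exercised by the offline test.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# First two entries are the lines quoted in the issue; the remaining three are
# constructed here (an upload, an unrelated public download, a non-router line).
SAMPLE_LOG = [
    "2022/06/22 21:26:06 [62b388ee] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55060, 401 Unauthorized in 2.2ms @ packages/api.go:31(packages.reqPackageAccess)",
    "2022/06/22 21:26:06 [62b388ee-2] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55062, 200 OK in 59.5ms @ generic/generic.go:34(generic.DownloadPackageFile)",
    "2022/06/22 21:25:10 [62b388aa] router: completed PUT /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55010, 201 Created in 120.0ms @ generic/generic.go:60(generic.UploadPackage)",
    "2022/06/22 21:27:00 [62b388ff] router: completed GET /api/packages/publicowner/generic/pkg/1.0/pkg.bin for 172.18.0.24:40000, 200 OK in 30.1ms @ generic/generic.go:34(generic.DownloadPackageFile)",
    "2022/06/22 21:27:01 [62b388fe] cron: unrelated line in another format",
]

if __name__ == "__main__":
    for ts, path, handler in find_denied_then_served(SAMPLE_LOG):
        print(f"{ts} {path} served by {handler} after a 401")
    # Live confirmation against your own instance (placeholder URL):
    # print(probe_unauthenticated("https://gitea.example.com/api/packages/owner/generic/package/version/package.bin"))
```

Run it against `docker logs <container>` piped into a file to list candidate paths, then call `probe_unauthenticated()` on each from a host with no session; only a 200 from that probe reproduces what the report describes.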

Metadata

Assignees

No one assigned

Labels

issue/needs-feedback (for bugs, we need more details; for features, the feature must be described in more detail), topic/packages

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
