Fix permission check on http push

cmd/hook.go

@@ -185,6 +185,7 @@ Gitea or set your environment appropriately.`, "")
 	userID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
+	actionPerm, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionPerm), 10, 64)
 
 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@@ -194,6 +195,7 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
+		ActionPerm:                      int(actionPerm),
 	}
 
 	scanner := bufio.NewScanner(os.Stdin)

modules/private/hook.go

@@ -57,6 +57,7 @@ type HookOptions struct {
 	PullRequestID                   int64
 	DeployKeyID                     int64 // if the pusher is a DeployKey, then UserID is the repo's org user.
 	IsWiki                          bool
+	ActionPerm                      int
 }
 
 // SSHLogOption ssh log options

modules/repository/env.go

@@ -27,6 +27,7 @@ const (
 	EnvPRID         = "GITEA_PR_ID"
 	EnvIsInternal   = "GITEA_INTERNAL_PUSH"
 	EnvAppURL       = "GITEA_ROOT_URL"
+	EnvActionPerm   = "GITEA_ACTION_PERM"
 )
 
 // InternalPushingEnvironment returns an os environment to switch off hooks on push

routers/private/hook_pre_receive.go

@@ -466,7 +466,7 @@ func (ctx *preReceiveContext) loadPusherAndPermission() bool {
 
 	if ctx.opts.UserID == user_model.ActionsUserID {
 		ctx.user = user_model.NewActionsUser()
-		ctx.userPerm.AccessMode = perm_model.AccessModeAdmin
+		ctx.userPerm.AccessMode = perm_model.AccessMode(ctx.opts.ActionPerm)
 		if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
 			log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
 			ctx.JSON(http.StatusInternalServerError, private.Response{

routers/web/repo/http.go

@@ -181,6 +181,14 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			return
 		}
 
+		environ = []string{
+			repo_module.EnvRepoUsername + "=" + username,
+			repo_module.EnvRepoName + "=" + reponame,
+			repo_module.EnvPusherName + "=" + ctx.Doer.Name,
+			repo_module.EnvPusherID + fmt.Sprintf("=%d", ctx.Doer.ID),
+			repo_module.EnvAppURL + "=" + setting.AppURL,
+		}
+
 		if repoExist {
 			// Because of special ref "refs/for" .. , need delay write permission check
 			if git.SupportProcReceive {
@@ -204,11 +212,13 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return
 					}
+					environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, perm.AccessModeRead))
 				} else {
 					if accessMode > perm.AccessModeWrite {
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return
 					}
+					environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, perm.AccessModeWrite))
 				}
 			} else {
 				p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
@@ -229,14 +239,6 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 			}
 		}
 
-		environ = []string{
-			repo_module.EnvRepoUsername + "=" + username,
-			repo_module.EnvRepoName + "=" + reponame,
-			repo_module.EnvPusherName + "=" + ctx.Doer.Name,
-			repo_module.EnvPusherID + fmt.Sprintf("=%d", ctx.Doer.ID),
-			repo_module.EnvAppURL + "=" + setting.AppURL,
-		}
-
 		if !ctx.Doer.KeepEmailPrivate {
 			environ = append(environ, repo_module.EnvPusherEmail+"="+ctx.Doer.Email)
 		}