Pushing a new cargo release returns 500 if user does not have write access to cargo index repo #11573

Open
opened 2025-11-02 09:41:29 -06:00 by GiteaMirror · 1 comment

Originally created by @merlleu on GitHub (Aug 31, 2023).

Description

When you have a user with Packages: Read+Write access, he can't push to cargo registry if he does not have permission to the _cargo-index repo, returning a 500 error code.

I think at least we should change the error code for this, not sure if we should allow push for users without the repo write permissions still.

Gitea Version

1.21

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

https://gist.github.com/merlleu/50d26b2fe4dd1a1fb1ba9aa57d29c030

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

It is run from docker on the a587d25261 commit's nightly build

Database

PostgreSQL

GiteaMirror added the topic/packages and type/bug labels 2025-11-02 09:41:29 -06:00

@lng2020 commented on GitHub (Sep 1, 2023):

I reproduced this issue as well.
Here is the detailed procedure to reproduce.

  1. Assume there are `test_org` and `test_team`
  2. Set `write` access in `test_team->settings->packages`
  3. Remove `write` access of `test_team` in `_cargo-index.git->settings->collaborators`
  4. `cargo publish`, then the error occurs

The credential passed the access control of the `package`, so cargo starts to use `git` to upload files. However, the repo denied the files because the credential can't write the `repo`. So here I come up with two possible solutions.

  1. Check the error type then use a different HTTP error in `routers/api/packages/cargo/cargo.go#250`
  2. A more elegant way is to sync the `package` permission with the package `repo` as mentioned in #20596. It requires more effort but solves all issues of this kind.

I prefer the second solution but it's a little beyond my ability.
What do you think? @KN4CK3R
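
The first option in the comment above, sketched as an added example (not Gitea's code and not part of the original comment): a denied index-repository write is classified with `errors.Is` and answered with 403, while unrelated failures stay 500 with a generic body. All names (`ErrIndexWriteDenied`, `user`, `updateIndex`, `publishStatus`, the `/publish` path) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrIndexWriteDenied is a hypothetical sentinel for "may write packages,
// may not write the index repository".
var ErrIndexWriteDenied = errors.New("no write access to index repository")

// user models the two independent grants from the reproduction steps (constructed).
type user struct{ PackagesWrite, IndexRepoWrite bool }

// updateIndex stands in for the index-repository update; fail injects an
// unrelated internal failure so both error classes can be exercised.
func updateIndex(u user, fail error) error {
	if !u.IndexRepoWrite {
		return fmt.Errorf("update index: %w", ErrIndexWriteDenied)
	}
	return fail
}

// publishStatus runs one constructed publish request and returns the HTTP status.
func publishStatus(u user, fail error) int {
	h := func(w http.ResponseWriter, r *http.Request) {
		if !u.PackagesWrite {
			http.Error(w, "package write access required", http.StatusForbidden)
			return
		}
		switch err := updateIndex(u, fail); {
		case err == nil:
			w.WriteHeader(http.StatusOK)
		case errors.Is(err, ErrIndexWriteDenied):
			// Authorization failure, even though it surfaced after the package check.
			http.Error(w, "index repository write access required", http.StatusForbidden)
		default:
			// Genuine server fault: generic body, details belong in server logs.
			http.Error(w, "internal error", http.StatusInternalServerError)
		}
	}
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPut, "/publish", nil))
	return rec.Code
}

func main() {
	fmt.Println(publishStatus(user{PackagesWrite: true, IndexRepoWrite: false}, nil))
}
```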

Reference: github-starred/gitea#11573