Unable to Push to PRs with "Allow Edits from Maintainers" and LFS usage #14837

Open
opened 2025-11-02 11:24:04 -06:00 by GiteaMirror · 3 comments

Originally created by @bartvdbraak on GitHub (Aug 6, 2025).

Description

Some of our developers are encountering permission issues when attempting to push changes to pull request branches, even when the "Allow edits from maintainers" option is enabled on the PR. This seems to occur specifically when Git LFS is involved.

Example 1

A maintainer attempted to push to a contributor's PR branch to resolve a merge conflict:

$ git push git@git.blender.org:Testifya/blender Testifya-ios:ios
Host key fingerprint is SHA256:ny+vcWlA5GVdVJFduVmBIyCthgqmNAXdNShi/QSv//U
Remote "git@git.blender.org:Testifya/blender" does not support the Git LFS locking API. Consider disabling it with:
  $ git config lfs.https://git.blender.org/Testifya/blender.git/info/lfs.locksverify false
batch request: Host key fingerprint is SHA256:ny+vcWlA5GVdVJFduVmBIyCthgqmNAXdNShi/QSv//U
error:
error: User: 26576:Brainzman with Key: 1584:<key> is not authorized to write to Testifya/blender.
error:: exit status 1

Example 2

Another developer encountered a similar issue:

$ git push git@git.blender.org:mano-wii/blender.git fix-141741:fix_141741
Remote "git@git.blender.org:mano-wii/blender.git" does not support the Git LFS locking API. Consider disabling it with:
  $ git config lfs.https://git.blender.org/mano-wii/blender.git/info/lfs.locksverify false
Uploading LFS objects:   0% (0/24), 0 B | 0 B/s, done.
batch request: error:
error: User: 13447:pragma37 with Key: 664:miguel@Miguel-Desktop is not authorized to write to mano-wii/blender.
error:: exit status 1
error: failed to push some refs to 'git.blender.org:mano-wii/blender.git'

  • Using git push --no-verify (to bypass the LFS hook) seems to allow the push to go through, suggesting this is specifically related to Git LFS handling, but this is bad to use when you are trying to update LFS objects.
  • It seems that Gitea’s "Allow edits from maintainers" functionality is not correctly handling permissions for pushes that involve LFS files.
  • This may be a bug or an unimplemented edge case in Gitea's permission checks for LFS when pushing to forks.

Gitea Version

1.24.3 built with GNU Make 4.4.1, go1.24.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

2.49.1

Operating System

Ubuntu 24.04.2

How are you running Gitea?

Non-root docker image based on fork at https://github.com/blender/gitea

Database

PostgreSQL

GiteaMirror added the type/bug label 2025-11-02 11:24:04 -06:00

@brechtvl commented on GitHub (Aug 8, 2025):

I didn't have time to implement a solution, but from a quick investigation I found:

  • There is some missing logic in authenticate in services/lfs/server.go for this, where it should also check if there exists an open pull request with allow edits from maintainers, and the user is a maintainer.
  • A CanMaintainerWriteToLFS could be added in models/issues/pull_list.go, similar to the CanMaintainerWriteToBranch that is there.

@bartvdbraak commented on GitHub (Aug 8, 2025):

Additionally, one developer mentioned:

Hey! I just managed to push.
I believe the problem was that, while my commits didn't contain LFS changes, the commits from Jacques did.
Those commits were already in his repo but not in mine.
After pushing a copy of the PR branch to my own repo I was able to push to his PR.


@lunny commented on GitHub (Aug 8, 2025):

It seems it's https://github.com/go-gitea/gitea/blob/main/services/lfs/server.go#L540 . The permission check should also invoke CanMaintainerWriteToBranch.
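
The check proposed in the comments above, modelled in Go as an added example (this is not Gitea's code and not written by the thread's participants). `CanMaintainerWriteToLFS` is the name suggested in the thread; its body, the `Store` and `PullRequest` types, the `withMaintainerCheck` switch and the sample IDs are assumptions made for this sketch.

```go
package main

import "fmt"

// Simplified stand-ins for this sketch; these are not Gitea's model types.
type PullRequest struct {
	HeadRepoID, BaseRepoID    int64
	Open, AllowMaintainerEdit bool
}

type Store struct {
	Writers map[int64]map[int64]bool // repoID -> userID -> has write access
	Pulls   []PullRequest
}

func (s *Store) canWrite(userID, repoID int64) bool { return s.Writers[repoID][userID] }

// CanMaintainerWriteToLFS uses the name proposed in the thread; the body is an
// assumption: an open PR from this head repo allows maintainer edits and the
// user can write to that PR's base repo.
func (s *Store) CanMaintainerWriteToLFS(userID, headRepoID int64) bool {
	for _, pr := range s.Pulls {
		if pr.HeadRepoID == headRepoID && pr.Open && pr.AllowMaintainerEdit &&
			s.canWrite(userID, pr.BaseRepoID) {
			return true
		}
	}
	return false
}

// AuthorizeLFSUpload models the decision for an LFS upload to repoID.
// With withMaintainerCheck=false only direct write access counts, which
// reproduces the "not authorized to write" denial reported in the issue.
func (s *Store) AuthorizeLFSUpload(userID, repoID int64, withMaintainerCheck bool) bool {
	if s.canWrite(userID, repoID) {
		return true
	}
	return withMaintainerCheck && s.CanMaintainerWriteToLFS(userID, repoID)
}

// sampleStore returns constructed data: repo 1 is upstream, repo 2 is a fork;
// user 10 maintains upstream, user 20 owns the fork, user 30 is unrelated.
func sampleStore() *Store {
	return &Store{
		Writers: map[int64]map[int64]bool{1: {10: true}, 2: {20: true}},
		Pulls:   []PullRequest{{HeadRepoID: 2, BaseRepoID: 1, Open: true, AllowMaintainerEdit: true}},
	}
}

func main() {
	s := sampleStore()
	fmt.Println(s.AuthorizeLFSUpload(10, 2, false), s.AuthorizeLFSUpload(10, 2, true))
}
```

The grant stays narrow: it disappears when the pull request is closed or the flag is cleared, and a user without write access to the base repository never gains it.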

Reference: github-starred/gitea#14837