Public repositories of non-public organizations can be cloned by anonymous user #5467

Closed
opened 2025-11-02 06:25:44 -06:00 by GiteaMirror · 1 comment

Originally created by @mschoettle on GitHub (May 28, 2020).

  • Gitea version (or commit ref): 1.11.5 & 1.13.0+dev-67-g24be06d7a
  • Git version:
  • Operating system:
  • Database (use [x]):
    • [ ] PostgreSQL
    • [x] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [x] Yes (provide example URL)
    • [ ] No
    • [ ] Not relevant
  • Log gist:

Description

It is possible to clone a public repository of a private organization ("visible only to organization members") and a limited organization ("visible to logged in users only") as an anonymous user.

To reproduce this, I did the following on https://try.gitea.io:

  1. create private org (private-org) with a private and public repo (private-repo and public-repo)
  2. create limited org (limited-org) with a private and public repo (same names as above)
  3. try to clone each repo as an anonymous user

Result:

```
$ git clone https://try.gitea.io/private-org/private-repo.git
Cloning into 'private-repo'...
Username for 'https://try.gitea.io':
```

```
$ git clone https://try.gitea.io/private-org/public-repo.git
Cloning into 'public-repo'...
...
```

Since it works as an anonymous user I could not test whether this is also the case for a user who is not a member of the organization.

```
$ git clone https://try.gitea.io/limited-org/private-repo.git
Cloning into 'private-repo'...
Username for 'https://try.gitea.io':
```

```
$ git clone https://try.gitea.io/limited-org/public-repo.git limited-public-repo
Cloning into 'limited-public-repo'...
...
```
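The report above describes an authorization check that consults only the repository's own private flag and ignores the visibility of the owning organization, and the comment below notes that the gap exists only when `RequireSignInView` is off. The following Go program is an added illustration of that logic, written for this page and not taken from Gitea's code base: it models the flawed check (`naiveCanRead`) beside a corrected one (`canRead`) that also requires the organization to be visible to the requester, and rebuilds the two organizations from the report as constructed test data. All type, function and field names (`Visibility`, `Org`, `Repo`, `Config.RequireSignInView` as a struct field, `orgVisibleTo`) are assumptions of this example, not Gitea's own identifiers.

```go
package main

import "fmt"

// Organization visibility levels as the Gitea UI labels them. The type and
// constant names are assumed for this example; they are not Gitea's own.
type Visibility int

const (
	VisPublic  Visibility = iota // visible to everyone
	VisLimited                   // visible to logged-in users only
	VisPrivate                   // visible only to organization members
)

type Org struct {
	Name       string
	Visibility Visibility
	Members    map[string]bool
}

type Repo struct {
	Owner   *Org
	Name    string
	Private bool // the repository's own private flag
}

// A nil *User represents an anonymous (unauthenticated) requester.
type User struct{ Name string }

// Config mirrors the single setting the comment refers to (assumed shape).
type Config struct{ RequireSignInView bool }

func isMember(u *User, o *Org) bool {
	return u != nil && o.Members[u.Name]
}

// orgVisibleTo answers whether the organization itself is visible to u.
func orgVisibleTo(u *User, o *Org) bool {
	switch o.Visibility {
	case VisPublic:
		return true
	case VisLimited:
		return u != nil
	default: // VisPrivate
		return isMember(u, o)
	}
}

// naiveCanRead models the behaviour the report describes: only the
// repository's own private flag is consulted, so a public repository inside a
// private or limited organization is readable by anyone.
func naiveCanRead(cfg Config, u *User, r *Repo) bool {
	if u == nil && cfg.RequireSignInView {
		return false
	}
	if !r.Private {
		return true
	}
	return isMember(u, r.Owner)
}

// canRead adds the missing step: the owning organization's visibility is
// checked before the repository's own flag decides anything.
func canRead(cfg Config, u *User, r *Repo) bool {
	if u == nil && cfg.RequireSignInView {
		return false
	}
	if !orgVisibleTo(u, r.Owner) {
		return false
	}
	if !r.Private {
		return true
	}
	return isMember(u, r.Owner)
}

// fixture rebuilds the two organizations from the report (constructed data;
// "alice" is a made-up member of both).
func fixture() map[string]*Repo {
	privateOrg := &Org{Name: "private-org", Visibility: VisPrivate, Members: map[string]bool{"alice": true}}
	limitedOrg := &Org{Name: "limited-org", Visibility: VisLimited, Members: map[string]bool{"alice": true}}
	repos := map[string]*Repo{}
	for _, o := range []*Org{privateOrg, limitedOrg} {
		repos[o.Name+"/private-repo"] = &Repo{Owner: o, Name: "private-repo", Private: true}
		repos[o.Name+"/public-repo"] = &Repo{Owner: o, Name: "public-repo", Private: false}
	}
	return repos
}

func main() {
	cfg := Config{RequireSignInView: false} // the setting under which the report reproduces
	var anon *User
	for path, r := range fixture() {
		fmt.Printf("%-26s naive=%-5v fixed=%v\n", path, naiveCanRead(cfg, anon, r), canRead(cfg, anon, r))
	}
}
```

Running `main` prints, for each of the four repositories, whether an anonymous requester may read it under each check; the two `public-repo` entries are the ones where the naive and corrected answers differ. Setting `RequireSignInView` to true makes both checks refuse anonymous requests outright, which is why the comment below observes that only anonymous users are affected.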
GiteaMirror added the type/bug label 2025-11-02 06:25:44 -06:00

@CirnoT commented on GitHub (May 28, 2020):

Happens only when `RequireSignInView` is false, so should affect only anonymous users.


Reference: github-starred/gitea#5467