[1.17.0-rc1] Package owned by a private owner can be retrieved without authentication #9114

Closed
opened 2025-11-02 08:29:44 -06:00 by GiteaMirror · 17 comments

Originally created by @a1ex4 on GitHub (Jun 22, 2022).

Description

I upload a package using a curl command following the [docs](https://docs.gitea.io/en-us/packages/generic/#publish-a-package) with my private account, I retrieve the package direct link using the Web UI. Then using this link with a browser private window I can download the package without any authentication.

Here are the container logs showing a 401 followed by a 200 and successful download:

```
2022/06/22 21:26:06 [62b388ee] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55060, 401 Unauthorized in 2.2ms @ packages/api.go:31(packages.reqPackageAccess)
2022/06/22 21:26:06 [62b388ee-2] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55062, 200 OK in 59.5ms @ generic/generic.go:34(generic.DownloadPackageFile)
```

Gitea Version

1.17.0-rc1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker with latest tag

Database

No response

GiteaMirror added the topic/packages and issue/needs-feedback labels 2025-11-02 08:29:45 -06:00

@KN4CK3R commented on GitHub (Jun 23, 2022):

Tested again and works as intended.

Your browser/client has saved credentials it uses for the second request. Otherwise there would be no second request.

```
// public profile
[62b43734] router: completed GET /api/packages/KN4CK3R/generic/test/0.1.0/test.tgz for 172.17.0.1:36910, 200 OK in 15.5ms @ generic/generic.go:34(generic.DownloadPackageFile)
// private profile
[62b43742] router: completed GET /api/packages/KN4CK3R/generic/test/0.1.0/test.tgz for 172.17.0.1:36910, 401 Unauthorized in 0.4ms @ packages/api.go:31(packages.reqPackageAccess)
[62b43745] router: completed GET /api/packages/KN4CK3R/generic/test/0.1.0/test.tgz for 172.17.0.1:36910, 401 Unauthorized in 0.4ms @ packages/api.go:31(packages.reqPackageAccess)
```
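
A triage sketch for the router log lines quoted in this thread, added here as an example and not code from Gitea or from any commenter: it pairs each 200 on a package path with a preceding 401 from the same client address, the pattern the maintainer attributes to a client retrying with saved credentials. The function names, the label strings and the 5-second window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Router log format as quoted in this thread. The timestamp prefix is optional
# because one of the comments pasted its lines without it.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) )?"
    r"\[(?P<rid>[0-9a-f]+(?:-\d+)?)\] router: completed "
    r"(?P<method>[A-Z]+) (?P<path>\S+) for (?P<ip>\S+):(?P<port>\d+), "
    r"(?P<status>\d{3}) [^@]*@ (?P<handler>\S+)$"
)

# Log lines copied from the two comments above (reporter first, then maintainer).
SAMPLE = [
    "2022/06/22 21:26:06 [62b388ee] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55060, 401 Unauthorized in 2.2ms @ packages/api.go:31(packages.reqPackageAccess)",
    "2022/06/22 21:26:06 [62b388ee-2] router: completed GET /api/packages/owner/generic/package/version/package.bin for 172.18.0.23:55062, 200 OK in 59.5ms @ generic/generic.go:34(generic.DownloadPackageFile)",
    "[62b43734] router: completed GET /api/packages/KN4CK3R/generic/test/0.1.0/test.tgz for 172.17.0.1:36910, 200 OK in 15.5ms @ generic/generic.go:34(generic.DownloadPackageFile)",
    "[62b43742] router: completed GET /api/packages/KN4CK3R/generic/test/0.1.0/test.tgz for 172.17.0.1:36910, 401 Unauthorized in 0.4ms @ packages/api.go:31(packages.reqPackageAccess)",
    "[62b43745] router: completed GET /api/packages/KN4CK3R/generic/test/0.1.0/test.tgz for 172.17.0.1:36910, 401 Unauthorized in 0.4ms @ packages/api.go:31(packages.reqPackageAccess)",
]


def parse(line):
    """Return one router log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S") if ev["ts"] else None
    return ev


def _answers_challenge(challenge, success, window):
    """True when the 200 plausibly answers the earlier 401 from the same client."""
    if challenge["ts"] is None or success["ts"] is None:
        return True  # no timestamps: fall back to line order alone
    return timedelta(0) <= success["ts"] - challenge["ts"] <= window


def classify(lines, window=timedelta(seconds=5)):
    """Label package requests as (label, request_id) pairs, in the order resolved.

    retry_after_401          200 that follows a 401 for the same client IP and path
    served_without_challenge 200 with no pending 401 (owner readable by this
                             requester, or credentials sent up front; these log
                             lines carry no user name, so the two look alike)
    denied                   401 that no later 200 answered
    """
    pending = {}   # (client IP, path) -> last unanswered 401
    findings = []
    for raw in lines:
        ev = parse(raw)
        if ev is None or not ev["path"].startswith("/api/packages/"):
            continue
        key = (ev["ip"], ev["path"])
        if ev["status"] == 401:
            if key in pending:
                findings.append(("denied", pending[key]["rid"]))
            pending[key] = ev
        elif ev["status"] == 200:
            prev = pending.pop(key, None)
            if prev is not None and _answers_challenge(prev, ev, window):
                findings.append(("retry_after_401", ev["rid"]))
            else:
                if prev is not None:
                    findings.append(("denied", prev["rid"]))
                findings.append(("served_without_challenge", ev["rid"]))
    findings.extend(("denied", ev["rid"]) for ev in pending.values())
    return findings


if __name__ == "__main__":
    for label, rid in classify(SAMPLE):
        print(f"{rid:12} {label}")
```

Only a `served_without_challenge` hit on a package whose owner is meant to be private needs follow-up; a `retry_after_401` pair means the access check rejected the first, credential-less request.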

@kolaente commented on GitHub (Aug 1, 2022):

I was able to `docker pull` a docker image belonging to a private repository without authenticating. Also the package shows up under the "Packages" section of the organization. Is this intended behaviour?

Edit: maybe related to https://github.com/go-gitea/gitea/issues/19583


@KN4CK3R commented on GitHub (Aug 1, 2022):

If you have read access to the owner you can read the packages. The repository is irrelevant for the access check.


@davidhiendl commented on GitHub (Sep 23, 2022):

I can confirm this issue still exists. I just built and pushed a docker image to a private repository and then was able to pull the package from a 2nd host without any logins.


@KN4CK3R commented on GitHub (Sep 23, 2022):

Still works for me. User `kn4ck3r` is private in the example:

```
$> docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
213ec9aee27d: Pull complete
Digest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest

$> docker tag alpine:latest host.docker.internal:3000/kn4ck3r/alpine:latest

$> docker push host.docker.internal:3000/kn4ck3r/alpine:latest
The push refers to repository [host.docker.internal:3000/kn4ck3r/alpine]
994393dc58e7: Preparing
unauthorized: authentication required

$> docker login host.docker.internal:3000
Username: KN4CK3R
Password:
Login Succeeded

$> docker push host.docker.internal:3000/kn4ck3r/alpine:latest
The push refers to repository [host.docker.internal:3000/kn4ck3r/alpine]
994393dc58e7: Pushed
latest: digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 size: 528

$> docker image rm alpine:latest
Untagged: alpine:latest
Untagged: alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad

$> docker image rm host.docker.internal:3000/kn4ck3r/alpine:latest
Untagged: host.docker.internal:3000/kn4ck3r/alpine:latest
Untagged: host.docker.internal:3000/kn4ck3r/alpine@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
Deleted: sha256:9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
Deleted: sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7

$> docker logout host.docker.internal:3000
Removing login credentials for host.docker.internal:3000

$> docker pull host.docker.internal:3000/kn4ck3r/alpine:latest
Error response from daemon: unauthorized: authentication required

$> docker login host.docker.internal:3000
Username: KN4CK3R
Password:
Login Succeeded

$> docker pull host.docker.internal:3000/kn4ck3r/alpine:latest
latest: Pulling from kn4ck3r/alpine
213ec9aee27d: Pull complete
Digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
Status: Downloaded newer image for host.docker.internal:3000/kn4ck3r/alpine:latest
host.docker.internal:3000/kn4ck3r/alpine:latest
```

@wxiaoguang commented on GitHub (Oct 26, 2022):

Hello, this issue has been inactive for more than 2 weeks. Feel free to re-open with a reproducible setup (eg: docker compose, detailed operation commands, like above) if there is still a problem.


@sandstormkeshav commented on GitHub (Oct 29, 2022):

I am also able to pull packages that are in a private repo without any authentication.


@wxiaoguang commented on GitHub (Oct 29, 2022):

Can you provide a reproducible setup (eg: docker compose, detailed operation commands, like above)?


@sandstormkeshav commented on GitHub (Oct 29, 2022):

> Can you provide a reproducible setup (eg: docker compose, detailed operation commands, like above)?

Here is an example with me running the same commands as above.

```
root@drone:~# docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
213ec9aee27d: Pull complete
Digest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest
root@drone:~# docker tag alpine:latest git.mydomain.com/sandstormkeshav/alpine:latest
root@drone:~# docker push git.mydomain.com/sandstormkeshav/alpine:latest
The push refers to repository [git.mydomain.com/sandstormkeshav/alpine]
994393dc58e7: Preparing
unauthorized: authentication required
root@drone:~# docker login git.mydomain.com
Username: sandstormkeshav
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@drone:~# docker push git.mydomain.com/sandstormkeshav/alpine:latest
The push refers to repository [git.mydomain.com/sandstormkeshav/alpine]
994393dc58e7: Pushed
latest: digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 size: 528
root@drone:~# docker image rm alpine:latest
Untagged: alpine:latest
Untagged: alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
root@drone:~# docker image rm git.mydomain.com/sandstormkeshav/alpine:latest
Untagged: git.mydomain.com/sandstormkeshav/alpine:latest
Untagged: git.mydomain.com/sandstormkeshav/alpine@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
Deleted: sha256:9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
Deleted: sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7
root@drone:~# docker logout git.mydomain.com
Removing login credentials for git.mydomain.com
root@drone:~# docker pull git.mydomain.com/sandstormkeshav/alpine:latest
latest: Pulling from sandstormkeshav/alpine
213ec9aee27d: Pull complete
Digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
Status: Downloaded newer image for git.mydomain.com/sandstormkeshav/alpine:latest
git.mydomain.com/sandstormkeshav/alpine:latest
```

My docker run is as follows:
I do have a reverse proxy in the middle to add https but this is not a caching proxy.

```
docker run \
  -d \
  --name='Gitea' \
  --net='bridge' \
  -e TZ="America/Los_Angeles" \
  -p '9378:3000/tcp' \
  -p '9322:22/tcp' \
  -v '/mnt/data/gitea':'/data':'rw' 'gitea/gitea:1'
```

@wxiaoguang commented on GitHub (Oct 29, 2022):

@KN4CK3R do you have time to take a look?


@KN4CK3R commented on GitHub (Oct 29, 2022):

I'll take a look later


@KN4CK3R commented on GitHub (Oct 29, 2022):

I really don't know what's the problem here... Still works for me:

```
> docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
213ec9aee27d: Pull complete
Digest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest
> docker tag alpine gitea-dev.local-lan.li:3000/testorg/alpine:latest
> docker push gitea-dev.local-lan.li:3000/testorg/alpine:latest
The push refers to repository [gitea-dev.local-lan.li:3000/testorg/alpine]
994393dc58e7: Preparing
unauthorized: authentication required
> docker login gitea-dev.local-lan.li:3000
Username: KN4CK3R
Password:
Login Succeeded
> docker push gitea-dev.local-lan.li:3000/testorg/alpine:latest
The push refers to repository [gitea-dev.local-lan.li:3000/testorg/alpine]
994393dc58e7: Pushed
latest: digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 size: 528
> docker logout gitea-dev.local-lan.li:3000
Removing login credentials for gitea-dev.local-lan.li:3000
> docker image rm gitea-dev.local-lan.li:3000/testorg/alpine:latest
Untagged: gitea-dev.local-lan.li:3000/testorg/alpine:latest
Untagged: gitea-dev.local-lan.li:3000/testorg/alpine@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
> docker image rm alpine:latest
Untagged: alpine:latest
Untagged: alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
Deleted: sha256:9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
Deleted: sha256:994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7
> docker pull gitea-dev.local-lan.li:3000/testorg/alpine:latest
Error response from daemon: unauthorized: authentication required
```

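`testorg` is a private org.

![grafik](https://user-images.githubusercontent.com/1666336/198824844-35becf29-f5fb-474d-b30f-e68e5fa86aff.png)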

@wxiaoguang Are you able to reproduce this?


@davidhiendl commented on GitHub (Oct 29, 2022):

The interesting thing is I was having the issue on the 1.17.x release but I have been using the dev branch and now the 1.18.0-rc0 and the issue is not reproducible for me anymore either.


@KN4CK3R commented on GitHub (Oct 29, 2022):

I have tested this now with 1.17.1-3 and every version responds with authentication required 🤷‍♂️


@sandstormkeshav commented on GitHub (Oct 29, 2022):

> I have tested this now with 1.17.1-3 and every version responds with authentication required 🤷‍♂️

I was able to confirm that authentication is required for pulling when using a private organization as you demonstrated above.
However, I think the issue is if I have the user visibility set as public, but that user creates a private repository and links the packages to that repository, they still can be pulled without authentication.

When setting the user visibility to private, auth is needed in order to pull packages. Is this the intended behavior that a public visibility user who has packages in a private repository can still pull packages without any authentication?


@KN4CK3R commented on GitHub (Oct 29, 2022):

A linked repository is irrelevant for the package registry. It's just a way to visually link a package to a repo. Only the package owner visibility is considered. There is an open issue to add more fine granular access control.


@sandstormkeshav commented on GitHub (Oct 29, 2022):

Understood! Thank you for explaining, since it is expected behavior I think we can close.

Reference: github-starred/gitea#9114