Prevent anonymous container access if RequireSignInView is enabled (#28877) (#28882)

Backport #28877 by @KN4CK3R Fixes #28875 If `RequireSignInView` is enabled, the ghost user has no access rights. Co-authored-by: KN4CK3R <admin@oldschoolhack.me> (cherry picked from commit b7c944b9e4)
2025-09-15 18:56:59 +00:00 · 2024-01-22 01:44:38 +08:00 · 2024-01-22 01:44:38 +08:00 · e2620642bd
commit e2620642bd
parent 80dfa56d2f
3 changed files with 24 additions and 6 deletions
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@ -114,11 +114,15 @@ func apiErrorDefined(ctx *context.Context, err *namedError) {
 	})
 }

-// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost for anonymous access)
+func apiUnauthorizedError(ctx *context.Context) {
+	ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
+	apiErrorDefined(ctx, errUnauthorized)
+}
+
+// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
 func ReqContainerAccess(ctx *context.Context) {
-	if ctx.Doer == nil {
-		ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
-		apiErrorDefined(ctx, errUnauthorized)
+	if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {
+		apiUnauthorizedError(ctx)
 	}
 }

@ -138,10 +142,15 @@ func DetermineSupport(ctx *context.Context) {
 }

 // Authenticate creates a token for the current user
-// If the current user is anonymous, the ghost user is used
+// If the current user is anonymous, the ghost user is used unless RequireSignInView is enabled.
 func Authenticate(ctx *context.Context) {
 	u := ctx.Doer
 	if u == nil {
+		if setting.Service.RequireSignInView {
+			apiUnauthorizedError(ctx)
+			return
+		}
+
 		u = user_model.NewGhostUser()
 	}