From d212c4606a6eb470067d5302b2350d288d4d9c88 Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Sun, 16 Feb 2025 01:48:39 +0800
Subject: {ssh_*,acl}.go: Check ACL when receiving packs
---
 ssh_handle_receive_pack.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'ssh_handle_receive_pack.go')
diff --git a/ssh_handle_receive_pack.go b/ssh_handle_receive_pack.go
index 3395e24..30825ad 100644
--- a/ssh_handle_receive_pack.go
+++ b/ssh_handle_receive_pack.go
@@ -1,6 +1,8 @@
 package main
 
 import (
+ "errors"
+
 glider_ssh "github.com/gliderlabs/ssh"
 "github.com/go-git/go-billy/v5/osfs"
 "github.com/go-git/go-git/v5/plumbing/protocol/packp"
@@ -8,11 +10,16 @@ import (
 transport_server "github.com/go-git/go-git/v5/plumbing/transport/server"
 )
 
+var err_unauthorized_push = errors.New("You are not authorized to push to this repository")
+
 func ssh_handle_receive_pack(session glider_ssh.Session, pubkey string, repo_identifier string) (err error) {
- repo_path, err := get_repo_path_from_ssh_path(session.Context(), repo_identifier)
+ repo_path, access, err := get_repo_path_perms_from_ssh_path_pubkey(session.Context(), repo_identifier, pubkey)
 if err != nil {
 return err
 }
+ if !access {
+ return err_unauthorized_push
+ }
 endpoint, err := transport.NewEndpoint("/")
 if err != nil {
 return err
--
cgit v1.2.3
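Review bot: The new `if !access { return err_unauthorized_push }` branch in the second hunk refuses the push without recording which key was refused for which repository. Unless the caller logs the returned error (not visible in this hunk), repeated unauthorized push attempts leave nothing for detection, so a log line carrying `pubkey` and `repo_identifier` before the return would cover that. The check also depends on `get_repo_path_perms_from_ssh_path_pubkey` returning `access == false` for an empty or unrecognised `pubkey`, which cannot be confirmed from here; a comment above the branch such as `// fail closed: only an explicit access == true from the ACL lookup may reach the receive-pack session` would pin that contract. If repository names are meant to be private, the dedicated message may also let a client tell an existing repository from a failed lookup. The body of ssh_handle_receive_pack continues past the end of the hunk.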