Closed
Description
- Gitea version (or commit ref): 1.11.5 & 1.13.0+dev-67-g24be06d7a
- Git version:
- Operating system:
- Database (use [x]):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (provide example URL)
  - No
  - Not relevant
- Log gist:
Description
It is possible to clone a public repository of a private organization ("visible only to organization members") and a limited organization ("visible to logged in users only") as an anonymous user.
To reproduce this, I did the following on https://try.gitea.io:
- create private org (private-org) with a private and public repo (private-repo and public-repo)
- create limited org (limited-org) with a private and public repo (same names as above)
- try to clone each repo as an anonymous user
Result:
$ git clone https://try.gitea.io/private-org/private-repo.git
Cloning into 'private-repo'...
Username for 'https://try.gitea.io':
$ git clone https://try.gitea.io/private-org/public-repo.git
Cloning into 'public-repo'...
...
Since it works as an anonymous user I could not test whether this is also the case for a user who is not a member of the organization.
$ git clone https://try.gitea.io/limited-org/private-repo.git
Cloning into 'private-repo'...
Username for 'https://try.gitea.io':
$ git clone https://try.gitea.io/limited-org/public-repo.git limited-public-repo
Cloning into 'limited-public-repo'...
...
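
Added example (not part of the report and not Gitea's code): a minimal Go model of the access decision the report expects, in which the owning organization's visibility is evaluated before the repository's own public flag. All type and function names are hypothetical, and organization membership stands in for per-repository permissions.

```go
package main

import "fmt"

// Visibility mirrors the three organization settings named in the report.
type Visibility int

const (
	Public  Visibility = iota
	Limited            // "visible to logged in users only"
	Private            // "visible only to organization members"
)

// Viewer is a hypothetical description of the requester.
type Viewer struct{ SignedIn, Member bool }

// ownerVisible reports whether the viewer may see the owning organization.
func ownerVisible(org Visibility, u Viewer) bool {
	switch org {
	case Limited:
		return u.SignedIn
	case Private:
		return u.SignedIn && u.Member
	}
	return true // Public
}

// CanClone checks the owner first, so a public repository never widens
// access beyond what its organization allows.
func CanClone(org Visibility, repoPrivate bool, u Viewer) bool {
	if !ownerVisible(org, u) {
		return false
	}
	// Assumption: membership stands in for per-repository permissions.
	return !repoPrivate || (u.SignedIn && u.Member)
}

func main() {
	cases := []struct{ name string; org Visibility; priv bool }{
		{"private-org/private-repo", Private, true},
		{"private-org/public-repo", Private, false},
		{"limited-org/private-repo", Limited, true},
		{"limited-org/public-repo", Limited, false},
	}
	for _, c := range cases {
		fmt.Printf("%-25s anonymous clone: %v\n", c.name, CanClone(c.org, c.priv, Viewer{}))
	}
}
```

Under this model all four repositories from the reproduction refuse an anonymous clone, while a signed-in non-member can still clone limited-org/public-repo.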