From 430df17226ed4b4461e44db60d43c908dd93a7e5 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 21 Jan 2024 10:44:35 +0000
Subject: [PATCH 1/3] Prevent anonymous access if RequireSignInView is enabled.

---
 modules/context/package.go | 2 +-
 routers/api/packages/container/container.go | 21 +++++++++++++------
 .../api_packages_container_test.go | 9 ++++++++
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/modules/context/package.go b/modules/context/package.go
index 87e817c1cd68..c452c657e782 100644
--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -93,7 +93,7 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, string, any))
 }

 func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.AccessMode, error) {
- if setting.Service.RequireSignInView && doer == nil {
+ if setting.Service.RequireSignInView && (doer == nil || doer.IsGhost()) {
 return perm.AccessModeNone, nil
 }

diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index dce38092641e..4ea2499ef6ae 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
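Review bot: The new `doer.IsGhost()` condition in determineAccessMode denies a non-nil doer, which is not obvious to a reader of this function alone; a short comment above the `if` would help, e.g. `// A ghost doer is an anonymous caller that holds a registry token; with RequireSignInView it gets no access, like a missing doer.` The ghost origin is inferred from Authenticate in container.go, which builds tokens for user_model.NewGhostUser() when the caller is anonymous, so adjust the wording if ghost doers can arise elsewhere. determineAccessMode's body continues past the end of the hunk.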
@@ -114,11 +114,15 @@ func apiErrorDefined(ctx *context.Context, err *namedError) {
 })
 }

-// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost for anonymous access)
+func apiUnauthorizedError(ctx *context.Context) {
+ ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
+ apiErrorDefined(ctx, errUnauthorized)
+}
+
+// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
 func ReqContainerAccess(ctx *context.Context) {
- if ctx.Doer == nil {
- ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
- apiErrorDefined(ctx, errUnauthorized)
+ if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {
+ apiUnauthorizedError(ctx)
 }
 }

@@ -138,11 +142,16 @@ func DetermineSupport(ctx *context.Context) {
 }

 // Authenticate creates a token for the current user
-// If the current user is anonymous, the ghost user is used
+// If the current user is anonymous, the ghost user is used expect RequireSignInView is enabled.
 func Authenticate(ctx *context.Context) {
 u := ctx.Doer
 if u == nil {
- u = user_model.NewGhostUser()
+ if setting.Service.RequireSignInView {
+ apiUnauthorizedError(ctx)
+ return
+ } else {
+ u = user_model.NewGhostUser()
+ }
 }

 token, err := packages_service.CreateAuthorizationToken(u)
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index f32d33888b40..509ad424e6cd 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
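Review bot: The sign-in policy is now spelled three different ways — `ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost())` here in ReqContainerAccess, a bare `u == nil` followed by a separate RequireSignInView test in Authenticate below, and `setting.Service.RequireSignInView && (doer == nil || doer.IsGhost())` in determineAccessMode in modules/context/package.go — which invites drift the next time the rule changes. A single predicate such as `func signInRequired(doer *user_model.User) bool { return setting.Service.RequireSignInView && (doer == nil || doer.IsGhost()) }` lets this line become `if ctx.Doer == nil || signInRequired(ctx.Doer) {` and serves the other two call sites as well. While here, the doc comment reads better as `// ReqContainerAccess is a middleware which checks that the current user is valid (a real user, or the ghost user if anonymous access is enabled)`.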
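Review bot: The new RequireSignInView check in Authenticate only fires when `u == nil`, so a request that already carries a ghost Doer (a ghost token issued by this same function before the setting was enabled) would be handed a fresh ghost token, unless the token route is wrapped by ReqContainerAccess, which is not visible in this hunk. Testing the ghost case here as well, `if u == nil || u.IsGhost() {`, makes the endpoint safe regardless of routing and is harmless when sign-in is not required, because it merely rebuilds the ghost user. Authenticate's body continues past the end of the hunk.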
@@ -21,6 +21,7 @@ import (
 container_module "code.gitea.io/gitea/modules/packages/container"
 "code.gitea.io/gitea/modules/setting"
 api "code.gitea.io/gitea/modules/structs"
+ "code.gitea.io/gitea/modules/test"
 "code.gitea.io/gitea/tests"

 "github.com/minio/sha256-simd"
@@ -106,6 +107,14 @@ func TestPackageContainer(t *testing.T) {
 req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)).
 AddTokenAuth(anonymousToken)
 MakeRequest(t, req, http.StatusOK)
+
+ defer test.MockVariableValue(&setting.Service.RequireSignInView, true)()
+
+ req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
+ MakeRequest(t, req, http.StatusUnauthorized)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
+ MakeRequest(t, req, http.StatusUnauthorized)
 })

 t.Run("User", func(t *testing.T) {

From 484011c1864aea79fa4e732703a508489672cce4 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 21 Jan 2024 11:35:27 +0000
Subject: [PATCH 2/3] Fix lint.

---
 routers/api/packages/container/container.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index 4ea2499ef6ae..86a286de3b13 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -149,9 +149,9 @@ func Authenticate(ctx *context.Context) {
 if setting.Service.RequireSignInView {
 apiUnauthorizedError(ctx)
 return
- } else {
- u = user_model.NewGhostUser()
 }
+
+ u = user_model.NewGhostUser()
 }

 token, err := packages_service.CreateAuthorizationToken(u)

From 090cec1fd42af8cf698c4a46cde6a5045834d37d Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 21 Jan 2024 16:50:26 +0100
Subject: [PATCH 3/3] Update routers/api/packages/container/container.go

Co-authored-by: Denys Konovalov
---
 routers/api/packages/container/container.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
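Review bot: The added assertions in TestPackageContainer only cover requests without credentials, while the `IsGhost()` branches this commit adds to ReqContainerAccess and determineAccessMode are about an anonymous token that was issued before RequireSignInView was switched on; `anonymousToken`, obtained outside this hunk and used on the line just above, is exactly such a token and is never replayed after the `MockVariableValue` call. Adding `req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)).AddTokenAuth(anonymousToken)` followed by `MakeRequest(t, req, http.StatusUnauthorized)` after the mock would pin that path. The `defer` restores the setting when this t.Run closure returns, so the new assertions must stay inside it; the closure starts outside the hunk.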
diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index 86a286de3b13..8621242da4eb 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -142,7 +142,7 @@ func DetermineSupport(ctx *context.Context) {
 }

 // Authenticate creates a token for the current user
-// If the current user is anonymous, the ghost user is used expect RequireSignInView is enabled.
+// If the current user is anonymous, the ghost user is used unless RequireSignInView is enabled.
 func Authenticate(ctx *context.Context) {
 u := ctx.Doer
 if u == nil {