summaryrefslogtreecommitdiffstats
path: root/routers/private/hook_pre_receive.go
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--routers/private/hook_pre_receive.go629
1 files changed, 629 insertions, 0 deletions
diff --git a/routers/private/hook_pre_receive.go b/routers/private/hook_pre_receive.go
new file mode 100644
index 0000000..4b8439d
--- /dev/null
+++ b/routers/private/hook_pre_receive.go
@@ -0,0 +1,629 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package private
+
+import (
+ "errors"
+ "fmt"
+ "net/http"
+ "os"
+
+ "code.gitea.io/gitea/models"
+ asymkey_model "code.gitea.io/gitea/models/asymkey"
+ git_model "code.gitea.io/gitea/models/git"
+ issues_model "code.gitea.io/gitea/models/issues"
+ perm_model "code.gitea.io/gitea/models/perm"
+ access_model "code.gitea.io/gitea/models/perm/access"
+ quota_model "code.gitea.io/gitea/models/quota"
+ "code.gitea.io/gitea/models/unit"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/git"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/private"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web"
+ gitea_context "code.gitea.io/gitea/services/context"
+ pull_service "code.gitea.io/gitea/services/pull"
+)
+
+type preReceiveContext struct {
+ *gitea_context.PrivateContext
+
+ // loadedPusher indicates that where the following information are loaded
+ loadedPusher bool
+ user *user_model.User // it's the org user if a DeployKey is used
+ userPerm access_model.Permission
+ deployKeyAccessMode perm_model.AccessMode
+
+ canCreatePullRequest bool
+ checkedCanCreatePullRequest bool
+
+ canWriteCode bool
+ checkedCanWriteCode bool
+
+ protectedTags []*git_model.ProtectedTag
+ gotProtectedTags bool
+
+ env []string
+
+ opts *private.HookOptions
+
+ isOverQuota bool
+
+ branchName string
+}
+
+// CanWriteCode returns true if pusher can write code
+func (ctx *preReceiveContext) CanWriteCode() bool {
+ if !ctx.checkedCanWriteCode {
+ if !ctx.loadPusherAndPermission() {
+ return false
+ }
+ ctx.canWriteCode = issues_model.CanMaintainerWriteToBranch(ctx, ctx.userPerm, ctx.branchName, ctx.user) || ctx.deployKeyAccessMode >= perm_model.AccessModeWrite
+ ctx.checkedCanWriteCode = true
+ }
+ return ctx.canWriteCode
+}
+
+// AssertCanWriteCode returns true if pusher can write code
+func (ctx *preReceiveContext) AssertCanWriteCode() bool {
+ if !ctx.CanWriteCode() {
+ if ctx.Written() {
+ return false
+ }
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: "User permission denied for writing.",
+ })
+ return false
+ }
+ return true
+}
+
+// CanCreatePullRequest returns true if pusher can create pull requests
+func (ctx *preReceiveContext) CanCreatePullRequest() bool {
+ if !ctx.checkedCanCreatePullRequest {
+ if !ctx.loadPusherAndPermission() {
+ return false
+ }
+ ctx.canCreatePullRequest = ctx.userPerm.CanRead(unit.TypePullRequests)
+ ctx.checkedCanCreatePullRequest = true
+ }
+ return ctx.canCreatePullRequest
+}
+
+// AssertCreatePullRequest returns true if can create pull requests
+func (ctx *preReceiveContext) AssertCreatePullRequest() bool {
+ if !ctx.CanCreatePullRequest() {
+ if ctx.Written() {
+ return false
+ }
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: "User permission denied for creating pull-request.",
+ })
+ return false
+ }
+ return true
+}
+
+var errPermissionDenied = errors.New("permission denied for changing repo settings")
+
+func (ctx *preReceiveContext) canChangeSettings() error {
+ if !ctx.loadPusherAndPermission() {
+ return errPermissionDenied
+ }
+
+ if !ctx.userPerm.IsOwner() && !ctx.userPerm.IsAdmin() {
+ return errPermissionDenied
+ }
+
+ if ctx.Repo.Repository.IsFork {
+ return errPermissionDenied
+ }
+
+ return nil
+}
+
+func (ctx *preReceiveContext) validatePushOptions() error {
+ opts := web.GetForm(ctx).(*private.HookOptions)
+
+ if opts.GetGitPushOptions().ChangeRepoSettings() {
+ return ctx.canChangeSettings()
+ }
+
+ return nil
+}
+
+func (ctx *preReceiveContext) assertPushOptions() bool {
+ if err := ctx.validatePushOptions(); err != nil {
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("options validation failed: %v", err),
+ })
+ return false
+ }
+ return true
+}
+
+func (ctx *preReceiveContext) checkQuota() error {
+ if !setting.Quota.Enabled {
+ ctx.isOverQuota = false
+ return nil
+ }
+
+ if !ctx.loadPusherAndPermission() {
+ ctx.isOverQuota = true
+ return nil
+ }
+
+ ok, err := quota_model.EvaluateForUser(ctx, ctx.PrivateContext.Repo.Repository.OwnerID, quota_model.LimitSubjectSizeReposAll)
+ if err != nil {
+ log.Error("quota_model.EvaluateForUser: %v", err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ UserMsg: "Error checking user quota",
+ })
+ return err
+ }
+
+ ctx.isOverQuota = !ok
+ return nil
+}
+
+func (ctx *preReceiveContext) quotaExceeded() {
+ ctx.JSON(http.StatusRequestEntityTooLarge, private.Response{
+ UserMsg: "Quota exceeded",
+ })
+}
+
+// HookPreReceive checks whether a individual commit is acceptable
+func HookPreReceive(ctx *gitea_context.PrivateContext) {
+ opts := web.GetForm(ctx).(*private.HookOptions)
+
+ ourCtx := &preReceiveContext{
+ PrivateContext: ctx,
+ env: generateGitEnv(opts), // Generate git environment for checking commits
+ opts: opts,
+ }
+
+ if !ourCtx.assertPushOptions() {
+ log.Trace("Git push options validation failed")
+ return
+ }
+ log.Trace("Git push options validation succeeded")
+
+ if err := ourCtx.checkQuota(); err != nil {
+ return
+ }
+
+ // Iterate across the provided old commit IDs
+ for i := range opts.OldCommitIDs {
+ oldCommitID := opts.OldCommitIDs[i]
+ newCommitID := opts.NewCommitIDs[i]
+ refFullName := opts.RefFullNames[i]
+
+ switch {
+ case refFullName.IsBranch():
+ preReceiveBranch(ourCtx, oldCommitID, newCommitID, refFullName)
+ case refFullName.IsTag():
+ preReceiveTag(ourCtx, oldCommitID, newCommitID, refFullName)
+ case git.SupportProcReceive && refFullName.IsFor():
+ preReceiveFor(ourCtx, oldCommitID, newCommitID, refFullName)
+ default:
+ if ourCtx.isOverQuota {
+ ourCtx.quotaExceeded()
+ return
+ }
+ ourCtx.AssertCanWriteCode()
+ }
+ if ctx.Written() {
+ return
+ }
+ }
+
+ ctx.PlainText(http.StatusOK, "ok")
+}
+
+func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, refFullName git.RefName) {
+ branchName := refFullName.BranchName()
+ ctx.branchName = branchName
+
+ if !ctx.AssertCanWriteCode() {
+ return
+ }
+
+ repo := ctx.Repo.Repository
+ gitRepo := ctx.Repo.GitRepo
+ objectFormat := ctx.Repo.GetObjectFormat()
+
+ if branchName == repo.DefaultBranch && newCommitID == objectFormat.EmptyObjectID().String() {
+ log.Warn("Forbidden: Branch: %s is the default branch in %-v and cannot be deleted", branchName, repo)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("branch %s is the default branch and cannot be deleted", branchName),
+ })
+ return
+ }
+
+ protectBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, branchName)
+ if err != nil {
+ log.Error("Unable to get protected branch: %s in %-v Error: %v", branchName, repo, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: err.Error(),
+ })
+ return
+ }
+
+ // Allow pushes to non-protected branches
+ if protectBranch == nil {
+ // ...unless the user is over quota, and the operation is not a delete
+ if newCommitID != objectFormat.EmptyObjectID().String() && ctx.isOverQuota {
+ ctx.quotaExceeded()
+ }
+
+ return
+ }
+ protectBranch.Repo = repo
+
+ // This ref is a protected branch.
+ //
+ // First of all we need to enforce absolutely:
+ //
+ // 1. Detect and prevent deletion of the branch
+ if newCommitID == objectFormat.EmptyObjectID().String() {
+ log.Warn("Forbidden: Branch: %s in %-v is protected from deletion", branchName, repo)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("branch %s is protected from deletion", branchName),
+ })
+ return
+ }
+
+ // 2. Disallow force pushes to protected branches
+ if oldCommitID != objectFormat.EmptyObjectID().String() {
+ output, _, err := git.NewCommand(ctx, "rev-list", "--max-count=1").AddDynamicArguments(oldCommitID, "^"+newCommitID).RunStdString(&git.RunOpts{Dir: repo.RepoPath(), Env: ctx.env})
+ if err != nil {
+ log.Error("Unable to detect force push between: %s and %s in %-v Error: %v", oldCommitID, newCommitID, repo, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Fail to detect force push: %v", err),
+ })
+ return
+ } else if len(output) > 0 {
+ log.Warn("Forbidden: Branch: %s in %-v is protected from force push", branchName, repo)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("branch %s is protected from force push", branchName),
+ })
+ return
+ }
+ }
+
+ // 3. Enforce require signed commits
+ if protectBranch.RequireSignedCommits {
+ err := verifyCommits(oldCommitID, newCommitID, gitRepo, ctx.env)
+ if err != nil {
+ if !isErrUnverifiedCommit(err) {
+ log.Error("Unable to check commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to check commits from %s to %s: %v", oldCommitID, newCommitID, err),
+ })
+ return
+ }
+ unverifiedCommit := err.(*errUnverifiedCommit).sha
+ log.Warn("Forbidden: Branch: %s in %-v is protected from unverified commit %s", branchName, repo, unverifiedCommit)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("branch %s is protected from unverified commit %s", branchName, unverifiedCommit),
+ })
+ return
+ }
+ }
+
+ // Now there are several tests which can be overridden:
+ //
+ // 4. Check protected file patterns - this is overridable from the UI
+ changedProtectedfiles := false
+ protectedFilePath := ""
+
+ globs := protectBranch.GetProtectedFilePatterns()
+ if len(globs) > 0 {
+ _, err := pull_service.CheckFileProtection(gitRepo, oldCommitID, newCommitID, globs, 1, ctx.env)
+ if err != nil {
+ if !models.IsErrFilePathProtected(err) {
+ log.Error("Unable to check file protection for commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to check file protection for commits from %s to %s: %v", oldCommitID, newCommitID, err),
+ })
+ return
+ }
+
+ changedProtectedfiles = true
+ protectedFilePath = err.(models.ErrFilePathProtected).Path
+ }
+ }
+
+ // 5. Check if the doer is allowed to push
+ var canPush bool
+ if ctx.opts.DeployKeyID != 0 {
+ canPush = !changedProtectedfiles && protectBranch.CanPush && (!protectBranch.EnableWhitelist || protectBranch.WhitelistDeployKeys)
+ } else {
+ user, err := user_model.GetUserByID(ctx, ctx.opts.UserID)
+ if err != nil {
+ log.Error("Unable to GetUserByID for commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to GetUserByID for commits from %s to %s: %v", oldCommitID, newCommitID, err),
+ })
+ return
+ }
+ canPush = !changedProtectedfiles && protectBranch.CanUserPush(ctx, user)
+ }
+
+ // 6. If we're not allowed to push directly
+ if !canPush {
+ // Is this is a merge from the UI/API?
+ if ctx.opts.PullRequestID == 0 {
+ // 6a. If we're not merging from the UI/API then there are two ways we got here:
+ //
+ // We are changing a protected file and we're not allowed to do that
+ if changedProtectedfiles {
+ log.Warn("Forbidden: Branch: %s in %-v is protected from changing file %s", branchName, repo, protectedFilePath)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("branch %s is protected from changing file %s", branchName, protectedFilePath),
+ })
+ return
+ }
+
+ // Allow commits that only touch unprotected files
+ globs := protectBranch.GetUnprotectedFilePatterns()
+ if len(globs) > 0 {
+ unprotectedFilesOnly, err := pull_service.CheckUnprotectedFiles(gitRepo, oldCommitID, newCommitID, globs, ctx.env)
+ if err != nil {
+ log.Error("Unable to check file protection for commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to check file protection for commits from %s to %s: %v", oldCommitID, newCommitID, err),
+ })
+ return
+ }
+ if unprotectedFilesOnly {
+ // Commit only touches unprotected files, this is allowed
+ return
+ }
+ }
+
+ // Or we're simply not able to push to this protected branch
+ log.Warn("Forbidden: User %d is not allowed to push to protected branch: %s in %-v", ctx.opts.UserID, branchName, repo)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("Not allowed to push to protected branch %s", branchName),
+ })
+ return
+ }
+ // 6b. Merge (from UI or API)
+
+ // Get the PR, user and permissions for the user in the repository
+ pr, err := issues_model.GetPullRequestByID(ctx, ctx.opts.PullRequestID)
+ if err != nil {
+ log.Error("Unable to get PullRequest %d Error: %v", ctx.opts.PullRequestID, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to get PullRequest %d Error: %v", ctx.opts.PullRequestID, err),
+ })
+ return
+ }
+
+ // although we should have called `loadPusherAndPermission` before, here we call it explicitly again because we need to access ctx.user below
+ if !ctx.loadPusherAndPermission() {
+ // if error occurs, loadPusherAndPermission had written the error response
+ return
+ }
+
+ // Now check if the user is allowed to merge PRs for this repository
+ // Note: we can use ctx.perm and ctx.user directly as they will have been loaded above
+ allowedMerge, err := pull_service.IsUserAllowedToMerge(ctx, pr, ctx.userPerm, ctx.user)
+ if err != nil {
+ log.Error("Error calculating if allowed to merge: %v", err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Error calculating if allowed to merge: %v", err),
+ })
+ return
+ }
+
+ if !allowedMerge {
+ log.Warn("Forbidden: User %d is not allowed to push to protected branch: %s in %-v and is not allowed to merge pr #%d", ctx.opts.UserID, branchName, repo, pr.Index)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("Not allowed to push to protected branch %s", branchName),
+ })
+ return
+ }
+
+ // If we're an admin for the instance, we can ignore checks
+ if ctx.user.IsAdmin {
+ return
+ }
+
+ // It's not allowed t overwrite protected files. Unless if the user is an
+ // admin and the protected branch rule doesn't apply to admins.
+ if changedProtectedfiles && (!ctx.userPerm.IsAdmin() || protectBranch.ApplyToAdmins) {
+ log.Warn("Forbidden: Branch: %s in %-v is protected from changing file %s", branchName, repo, protectedFilePath)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("branch %s is protected from changing file %s", branchName, protectedFilePath),
+ })
+ return
+ }
+
+ // Check all status checks and reviews are ok
+ if pb, err := pull_service.CheckPullBranchProtections(ctx, pr, true); err != nil {
+ if models.IsErrDisallowedToMerge(err) {
+ // Allow this if the rule doesn't apply to admins and the user is an admin.
+ if ctx.userPerm.IsAdmin() && !pb.ApplyToAdmins {
+ return
+ }
+ log.Warn("Forbidden: User %d is not allowed push to protected branch %s in %-v and pr #%d is not ready to be merged: %s", ctx.opts.UserID, branchName, repo, pr.Index, err.Error())
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("Not allowed to push to protected branch %s and pr #%d is not ready to be merged: %s", branchName, ctx.opts.PullRequestID, err.Error()),
+ })
+ return
+ }
+ log.Error("Unable to check if mergeable: protected branch %s in %-v and pr #%d. Error: %v", ctx.opts.UserID, branchName, repo, pr.Index, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to get status of pull request %d. Error: %v", ctx.opts.PullRequestID, err),
+ })
+ return
+ }
+ }
+}
+
+func preReceiveTag(ctx *preReceiveContext, oldCommitID, newCommitID string, refFullName git.RefName) { //nolint:unparam
+ if !ctx.AssertCanWriteCode() {
+ return
+ }
+
+ tagName := refFullName.TagName()
+
+ if !ctx.gotProtectedTags {
+ var err error
+ ctx.protectedTags, err = git_model.GetProtectedTags(ctx, ctx.Repo.Repository.ID)
+ if err != nil {
+ log.Error("Unable to get protected tags for %-v Error: %v", ctx.Repo.Repository, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: err.Error(),
+ })
+ return
+ }
+ ctx.gotProtectedTags = true
+ }
+
+ isAllowed, err := git_model.IsUserAllowedToControlTag(ctx, ctx.protectedTags, tagName, ctx.opts.UserID)
+ if err != nil {
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: err.Error(),
+ })
+ return
+ }
+ if !isAllowed {
+ log.Warn("Forbidden: Tag %s in %-v is protected", tagName, ctx.Repo.Repository)
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("Tag %s is protected", tagName),
+ })
+ return
+ }
+
+ // If the user is over quota, and the push isn't a tag deletion, deny it
+ if ctx.isOverQuota {
+ objectFormat := ctx.Repo.GetObjectFormat()
+ if newCommitID != objectFormat.EmptyObjectID().String() {
+ ctx.quotaExceeded()
+ return
+ }
+ }
+}
+
+func preReceiveFor(ctx *preReceiveContext, oldCommitID, newCommitID string, refFullName git.RefName) { //nolint:unparam
+ if !ctx.AssertCreatePullRequest() {
+ return
+ }
+
+ if ctx.Repo.Repository.IsEmpty {
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: "Can't create pull request for an empty repository.",
+ })
+ return
+ }
+
+ if ctx.opts.IsWiki {
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: "Pull requests are not supported on the wiki.",
+ })
+ return
+ }
+
+ baseBranchName := refFullName.ForBranchName()
+
+ baseBranchExist := false
+ if ctx.Repo.GitRepo.IsBranchExist(baseBranchName) {
+ baseBranchExist = true
+ }
+
+ if !baseBranchExist {
+ for p, v := range baseBranchName {
+ if v == '/' && ctx.Repo.GitRepo.IsBranchExist(baseBranchName[:p]) && p != len(baseBranchName)-1 {
+ baseBranchExist = true
+ break
+ }
+ }
+ }
+
+ if !baseBranchExist {
+ ctx.JSON(http.StatusForbidden, private.Response{
+ UserMsg: fmt.Sprintf("Unexpected ref: %s", refFullName),
+ })
+ return
+ }
+}
+
+func generateGitEnv(opts *private.HookOptions) (env []string) {
+ env = os.Environ()
+ if opts.GitAlternativeObjectDirectories != "" {
+ env = append(env,
+ private.GitAlternativeObjectDirectories+"="+opts.GitAlternativeObjectDirectories)
+ }
+ if opts.GitObjectDirectory != "" {
+ env = append(env,
+ private.GitObjectDirectory+"="+opts.GitObjectDirectory)
+ }
+ if opts.GitQuarantinePath != "" {
+ env = append(env,
+ private.GitQuarantinePath+"="+opts.GitQuarantinePath)
+ }
+ return env
+}
+
+// loadPusherAndPermission returns false if an error occurs, and it writes the error response
+func (ctx *preReceiveContext) loadPusherAndPermission() bool {
+ if ctx.loadedPusher {
+ return true
+ }
+
+ if ctx.opts.UserID == user_model.ActionsUserID {
+ ctx.user = user_model.NewActionsUser()
+ ctx.userPerm.AccessMode = perm_model.AccessMode(ctx.opts.ActionPerm)
+ if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
+ log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to get User id %d Error: %v", ctx.opts.UserID, err),
+ })
+ return false
+ }
+ ctx.userPerm.Units = ctx.Repo.Repository.Units
+ ctx.userPerm.UnitsMode = make(map[unit.Type]perm_model.AccessMode)
+ for _, u := range ctx.Repo.Repository.Units {
+ ctx.userPerm.UnitsMode[u.Type] = ctx.userPerm.AccessMode
+ }
+ } else {
+ user, err := user_model.GetUserByID(ctx, ctx.opts.UserID)
+ if err != nil {
+ log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to get User id %d Error: %v", ctx.opts.UserID, err),
+ })
+ return false
+ }
+ ctx.user = user
+ userPerm, err := access_model.GetUserRepoPermission(ctx, ctx.Repo.Repository, user)
+ if err != nil {
+ log.Error("Unable to get Repo permission of repo %s/%s of User %s: %v", ctx.Repo.Repository.OwnerName, ctx.Repo.Repository.Name, user.Name, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to get Repo permission of repo %s/%s of User %s: %v", ctx.Repo.Repository.OwnerName, ctx.Repo.Repository.Name, user.Name, err),
+ })
+ return false
+ }
+ ctx.userPerm = userPerm
+ }
+
+ if ctx.opts.DeployKeyID != 0 {
+ deployKey, err := asymkey_model.GetDeployKeyByID(ctx, ctx.opts.DeployKeyID)
+ if err != nil {
+ log.Error("Unable to get DeployKey id %d Error: %v", ctx.opts.DeployKeyID, err)
+ ctx.JSON(http.StatusInternalServerError, private.Response{
+ Err: fmt.Sprintf("Unable to get DeployKey id %d Error: %v", ctx.opts.DeployKeyID, err),
+ })
+ return false
+ }
+ ctx.deployKeyAccessMode = deployKey.Mode
+ }
+
+ ctx.loadedPusher = true
+ return true
+}