Closed
Description
No pages should be accessible without signing in when REQUIRE_SIGNIN_VIEW = true, but the Packages page can be accessed via URL: https://<server_url>/<org>/-/packages. Packages can also be downloaded this way.
I would also expect that if the linked repository is not viewable, then the package should not be accessible either (via not being signed in or being signed in but not having permissions to view that repo).
When accessing that URL while not signed in the router log shows:
2022/06/23 17:08:02 [62b4185a] router: completed GET /core/-/packages for 203.220.100.202:0, 200 OK in 45.4ms @ user/package.go:33(user.ListPackages)
2022/06/23 17:08:02 [62b4185a-2] router: completed GET /assets/css/index.css?v=29fca9d70ab517836c961cc4b3be8719 for 203.220.100.202:0, 200 OK in 0.4ms @ public/public.go:42(AssetsHandler)
2022/06/23 17:08:02 [62b4185a-3] router: completed GET /avatar/b7de109bda740fec89d58bb5fe3d9a00?size=72 for 203.220.100.202:0, 303 See Other in 1.5ms @ user/avatar.go:45(user.AvatarByEmailHash)
2022/06/23 17:08:02 [62b4185a-4] router: completed GET /assets/img/favicon.svg for 203.220.100.202:0, 200 OK in 0.2ms @ public/public.go:42(AssetsHandler)
Gitea Version
1.17.0+rc1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
Ubuntu 20.04.4 Server
How are you running Gitea?
Docker, gitea/gitea:latest, 1.17.0+rc1
Database
SQLite
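
To scope exposure on an instance that ran with this behaviour, the router log format quoted in the report can be filtered for successful requests under `/<owner>/-/packages`. This is an added example, not part of the original report or of Gitea's code; the sample lines, IPs and the placeholder handler are constructed. The router log does not record whether a request carried a session, so the output is a list of candidates to review, not confirmed anonymous access.

```python
import re
from collections import defaultdict

# Router log line layout, as shown in the report above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[[0-9a-f]+(?:-\d+)?\] "
    r"router: completed (?P<method>[A-Z]+) (?P<path>\S+) for (?P<ip>[^\s,]+):\d+, "
    r"(?P<status>\d{3}) .*? @ (?P<handler>\S+)$"
)
# /<owner>/-/packages and anything below it (the URL shape from the report).
PACKAGES_RE = re.compile(r"^/[^/]+/-/packages(?:[/?]|$)")

# Constructed sample input (documentation IP ranges, placeholder handler on line 3).
SAMPLE = """\
2022/06/23 17:08:02 [aaaa0001] router: completed GET /core/-/packages for 192.0.2.10:0, 200 OK in 45.4ms @ user/package.go:33(user.ListPackages)
2022/06/23 17:08:02 [aaaa0001-2] router: completed GET /assets/img/favicon.svg for 192.0.2.10:0, 200 OK in 0.2ms @ public/public.go:42(AssetsHandler)
2022/06/23 17:09:10 [aaaa0002] router: completed GET /core/-/packages for 198.51.100.7:0, 303 See Other in 1.1ms @ placeholder/handler.go:1(placeholder.Handler)
this line is not a router entry and is skipped
""".splitlines()


def package_hits(lines):
    """Group successful (2xx) package-route requests by client IP.

    Returns {ip: [(timestamp, method, path, handler), ...]}.
    Redirects (3xx, e.g. to the login page) and errors are ignored,
    because they did not serve package content.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "router: completed" entry
        if PACKAGES_RE.match(m["path"]) and m["status"].startswith("2"):
            hits[m["ip"]].append((m["ts"], m["method"], m["path"], m["handler"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, entries in package_hits(SAMPLE).items():
        for ts, method, path, handler in entries:
            print(f"{ts} {ip} {method} {path} -> {handler}")
```
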