gitforge/routers
Mathieu Fenniak c1c02f7111 fix: don't cache write permission on first pushed git reference (#13370)
Forgejo's git pre-receive hook validates whether the authenticated user can write to the target branch during a push operation.  A caching performance optimization in the hook caused the pre-receive hook to validate only the first branch reference in the push.  While typically a push operation has the same rights for all branches on a repository, some exceptions exist which could allow a user to push to a branch, pass the validation, and then bypass checks on additional references due to the cache.  The cache has been removed, forcing all references to be validated for code write permissions.

Thanks to Gitea for identifying this issue in https://github.com/go-gitea/gitea/pull/38103/changes/f25811942cea35233299efdbdfeec40663d4807a. This effort has been re-engineered for Forgejo, consistent with Forgejo's AI Agreement.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13370
Reviewed-by: Beowulf <beowulf@beocode.eu>
2026-07-09 06:07:05 +02:00
..
api chore: improve CompareDiff (#13314) 2026-07-06 15:02:30 +02:00
common fix: REQUIRE_SIGNIN_VIEW caches setting before setting initialization (#13304) 2026-07-04 18:50:11 +02:00
install
private fix: don't cache write permission on first pushed git reference (#13370) 2026-07-09 06:07:05 +02:00
utils
web fix: REQUIRE_SIGNIN_VIEW caches setting before setting initialization (#13304) 2026-07-04 18:50:11 +02:00
init.go fix: compliance with [migrations].ALLOWED_DOMAINS, ...BLOCKED_DOMAINS, and ....ALLOW_LOCALNETWORKS for git & LFS ops (#13129) 2026-06-23 23:40:25 +02:00