fix: check quota in LFS uploads against the repository owner, not operating user (#12755)

Follow-up to the previously closed #12437; verifies git LFS quotas are checked against the repository owner not the current actor. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.  ## Release notes  - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/12755): check quota in LFS uploads against the repository owner, not operating user  Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12755 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-28 11:14:54 -04:00 · 2026-05-27 04:31:09 +02:00 · 2026-05-27 04:31:09 +02:00 · dfdd9b2e2a
commit dfdd9b2e2a
parent e435233c7f
2 changed files with 93 additions and 4 deletions
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@ -183,7 +183,7 @@ func BatchHandler(ctx *context.Context) {
 	}

 	if isUpload {
-		ok, err := quota_model.EvaluateForUser(ctx, ctx.Doer.ID, quota_model.LimitSubjectSizeGitLFS)
+		ok, err := quota_model.EvaluateForUser(ctx, repository.OwnerID, quota_model.LimitSubjectSizeGitLFS)
 		if err != nil {
 			log.Error("quota_model.EvaluateForUser: %v", err)
 			writeStatus(ctx, http.StatusInternalServerError)
@ -191,6 +191,7 @@ func BatchHandler(ctx *context.Context) {
 		}
 		if !ok {
 			writeStatusMessage(ctx, http.StatusRequestEntityTooLarge, "quota exceeded")
+			return
 		}
 	}

@ -317,8 +318,8 @@ func UploadHandler(ctx *context.Context) {
 		return
 	}

-	if exists {
-		ok, err := quota_model.EvaluateForUser(ctx, ctx.Doer.ID, quota_model.LimitSubjectSizeGitLFS)
+	if !exists {
+		ok, err := quota_model.EvaluateForUser(ctx, repository.OwnerID, quota_model.LimitSubjectSizeGitLFS)
 		if err != nil {
 			log.Error("quota_model.EvaluateForUser: %v", err)
 			writeStatus(ctx, http.StatusInternalServerError)
@ -326,6 +327,7 @@ func UploadHandler(ctx *context.Context) {
 		}
 		if !ok {
 			writeStatusMessage(ctx, http.StatusRequestEntityTooLarge, "quota exceeded")
+			return
 		}
 	}

--- a/tests/integration/quota_use_test.go
+++ b/tests/integration/quota_use_test.go
@ -16,11 +16,13 @@ import (
 	"testing"

 	"forgejo.org/models/db"
+	git_model "forgejo.org/models/git"
 	org_model "forgejo.org/models/organization"
 	quota_model "forgejo.org/models/quota"
 	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
+	"forgejo.org/modules/lfs"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
@ -365,7 +367,7 @@ func TestWebQuotaEnforcementRepoTransfer(t *testing.T) {
 	})
 }

-func TestGitQuotaEnforcement(t *testing.T) {
+func TestQuotaGitEnforcement(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
 		env := createQuotaWebEnv(t)
 		defer env.Cleanup()
@ -548,6 +550,55 @@ func TestGitQuotaEnforcement(t *testing.T) {
 	})
 }

+func TestQuotaGitLfsEnforcement(t *testing.T) {
+	defer test.MockVariableValue(&setting.LFS.StartServer, true)()
+
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		env := createQuotaWebEnv(t)
+		defer env.Cleanup()
+
+		t.Run("UploadHandler", func(t *testing.T) {
+			// Uploading to our repo => 413
+			env.As(t, env.Users.Limited).
+				With(Context{Repo: env.Users.Limited.Repo}).
+				PushLFSObject().
+				ExpectStatus(http.StatusRequestEntityTooLarge)
+
+			// Uploading to the limited org repo => 413
+			env.As(t, env.Users.Limited).
+				With(Context{Repo: env.Orgs.Limited.Repo}).
+				PushLFSObject().
+				ExpectStatus(http.StatusRequestEntityTooLarge)
+
+			// Uploading to the unlimited org repo => 200
+			env.As(t, env.Users.Limited).
+				With(Context{Repo: env.Orgs.Unlimited.Repo}).
+				PushLFSObject().
+				ExpectStatus(http.StatusOK)
+		})
+
+		t.Run("BatchHandler", func(t *testing.T) {
+			// Uploading to our repo => 413
+			env.As(t, env.Users.Limited).
+				With(Context{Repo: env.Users.Limited.Repo}).
+				BatchPushLFSObject().
+				ExpectStatus(http.StatusRequestEntityTooLarge)
+
+			// Uploading to the limited org repo => 413
+			env.As(t, env.Users.Limited).
+				With(Context{Repo: env.Orgs.Limited.Repo}).
+				BatchPushLFSObject().
+				ExpectStatus(http.StatusRequestEntityTooLarge)
+
+			// Uploading to the unlimited org repo => 200
+			env.As(t, env.Users.Limited).
+				With(Context{Repo: env.Orgs.Unlimited.Repo}).
+				BatchPushLFSObject().
+				ExpectStatus(http.StatusOK)
+		})
+	})
+}
+
 func TestQuotaConfigDefault(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
 		env := createQuotaWebEnv(t)
@ -793,6 +844,42 @@ func (ctx *quotaWebEnvAsContext) CreateReleaseAttachment(filename string) *quota
 	return ctx.CreateAttachment(filename, "releases")
 }

+func (ctx *quotaWebEnvAsContext) PushLFSObject() *quotaWebEnvAsContext {
+	ctx.t.Helper()
+
+	p := lfs.Pointer{Oid: "6ccce4863b70f258d691f59609d31b4502e1ba5199942d3bc5d35d17a4ce771d", Size: 5}
+	ctx.request = NewRequestWithBody(ctx.t, "PUT",
+		fmt.Sprintf("%s.git/info/lfs/objects/%s/%d",
+			ctx.Repo.Link(), p.Oid, p.Size), strings.NewReader("gitea"))
+
+	ctx.t.Cleanup(func() {
+		git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, ctx.Repo.ID, p.Oid)
+	})
+
+	return ctx
+}
+
+func (ctx *quotaWebEnvAsContext) BatchPushLFSObject() *quotaWebEnvAsContext {
+	ctx.t.Helper()
+
+	batch := &lfs.BatchRequest{
+		Operation: "upload",
+		Objects: []lfs.Pointer{
+			{Oid: "d6f175817f886ec6fbbc1515326465fa96c3bfd54a4ea06cfd6dbbd8340e0153", Size: 1},
+		},
+	}
+	ctx.request = NewRequestWithJSON(ctx.t, "POST",
+		fmt.Sprintf("%s.git/info/lfs/objects/batch", ctx.Repo.Link()), batch).
+		SetHeader("Accept", lfs.AcceptHeader).
+		SetHeader("Content-Type", lfs.MediaType)
+
+	ctx.t.Cleanup(func() {
+		git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, ctx.Repo.ID, batch.Objects[0].Oid)
+	})
+
+	return ctx
+}
+
 func (ctx *quotaWebEnvAsContext) WithoutQuota(task func(ctx *quotaWebEnvAsContext)) *quotaWebEnvAsContext {
 	ctx.t.Helper()