Unable to Push to PRs with "Allow Edits from Maintainers" and LFS usage

[bartvdbraak]

Description

Some of our developers are encountering permission issues when attempting to push changes to pull request branches, even when the "Allow edits from maintainers" option is enabled on the PR. This seems to occur specifically when Git LFS is involved.

Example 1

A maintainer attempted to push to a contributor's PR branch to resolve a merge conflict:

$ git push git@git.blender.org:Testifya/blender Testifya-ios:ios
Host key fingerprint is SHA256:ny+vcWlA5GVdVJFduVmBIyCthgqmNAXdNShi/QSv//U
Remote "git@git.blender.org:Testifya/blender" does not support the Git LFS locking API. Consider disabling it with:
  $ git config lfs.https://git.blender.org/Testifya/blender.git/info/lfs.locksverify false
batch request: Host key fingerprint is SHA256:ny+vcWlA5GVdVJFduVmBIyCthgqmNAXdNShi/QSv//U
error:
error: User: 26576:Brainzman with Key: 1584:<key> is not authorized to write to Testifya/blender.
error:: exit status 1

Example 2

Another developer encountered a similar issue:

$ git push git@git.blender.org:mano-wii/blender.git fix-141741:fix_141741
Remote "git@git.blender.org:mano-wii/blender.git" does not support the Git LFS locking API. Consider disabling it with:
  $ git config lfs.https://git.blender.org/mano-wii/blender.git/info/lfs.locksverify false
Uploading LFS objects:   0% (0/24), 0 B | 0 B/s, done.
batch request: error:
error: User: 13447:pragma37 with Key: 664:miguel@Miguel-Desktop is not authorized to write to mano-wii/blender.
error:: exit status 1
error: failed to push some refs to 'git.blender.org:mano-wii/blender.git'

• Using git push --no-verify (to bypass the LFS hook) seems to allow the push to go through, suggesting this is specifically related to Git LFS handling, but this is bad to use when you are trying to update LFS objects.
• It seems that Gitea’s "Allow edits from maintainers" functionality is not correctly handling permissions for pushes that involve LFS files.
• This may be a bug or an unimplemented edge case in Gitea's permission checks for LFS when pushing to forks.

Gitea Version

1.24.3 built with GNU Make 4.4.1, go1.24.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

2.49.1

Operating System

Ubuntu 24.04.2

How are you running Gitea?

Non-root docker image based on fork at https://github.com/blender/gitea

Database

PostgreSQL

[brechtvl]

I didn't have time to implement a solution, but from a quick investigation I found:

• There is some missing logic in authenticate in services/lfs/server.go for this, where it should also check if there exists an open pull request with allow edits from maintainers, and the user is a maintainer.
• A CanMaintainerWriteToLFS could be added in models/issues/pull_list.go, similar to the CanMaintainerWriteToBranch that is there.

[bartvdbraak]

Additionally, one developer mentioned:

Hey! I just managed to push.
I believe the problem was that, while my commits didn't contain LFS changes, the commits from Jacques did.
Those commits were already in his repo but not in mine.
After pushing a copy of the PR branch to my own repo I was able to push to his PR.

[lunny]

It seems it's https://github.com/go-gitea/gitea/blob/main/services/lfs/server.go#L540 . The permission check should also invoke CanMaintainerWriteToBranch.