mirror of
https://github.com/go-gitea/gitea.git
synced 2024-11-04 08:17:24 -05:00
Remove "misc" scope check from public API endpoints (#26134)
Fix #26035
This commit is contained in:
parent
9ed3700ad2
commit
915cdf8f87
@ -52,20 +52,20 @@ Gitea supports scoped access tokens, which allow users the ability to restrict t
|
|||||||
Gitea token scopes are as follows:
|
Gitea token scopes are as follows:
|
||||||
|
|
||||||
| Name | Description |
|
| Name | Description |
|
||||||
| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------|
|
| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| **(no scope)** | Not supported. A scope is required even for public repositories. |
|
| **(no scope)** | Not supported. A scope is required even for public repositories. |
|
||||||
| **activitypub** | `activitypub` API routes: ActivityPub related operations. |
|
| **activitypub** | `activitypub` API routes: ActivityPub related operations. |
|
||||||
| **read:activitypub** | Grants read access for ActivityPub operations. |
|
| **read:activitypub** | Grants read access for ActivityPub operations. |
|
||||||
| **write:activitypub** | Grants read/write/delete access for ActivityPub operations. |
|
| **write:activitypub** | Grants read/write/delete access for ActivityPub operations. |
|
||||||
| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
|
| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
|
||||||
| **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. |
|
| **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. |
|
||||||
| **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | |
|
| **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. |
|
||||||
| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
|
| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
|
||||||
| **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
|
| **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
|
||||||
| **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
|
| **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
|
||||||
| **misc** | miscellaneous and settings top-level API routes. |
|
| **misc** | Reserved for future usage. |
|
||||||
| **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. |
|
| **read:misc** | Reserved for future usage. |
|
||||||
| **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. |
|
| **write:misc** | Reserved for future usage. |
|
||||||
| **notification** | `notification/*` API routes: user notification operations. |
|
| **notification** | `notification/*` API routes: user notification operations. |
|
||||||
| **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
|
| **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
|
||||||
| **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. |
|
| **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. |
|
||||||
|
@ -16,7 +16,7 @@ type AccessTokenScopeCategory int
|
|||||||
const (
|
const (
|
||||||
AccessTokenScopeCategoryActivityPub = iota
|
AccessTokenScopeCategoryActivityPub = iota
|
||||||
AccessTokenScopeCategoryAdmin
|
AccessTokenScopeCategoryAdmin
|
||||||
AccessTokenScopeCategoryMisc
|
AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values
|
||||||
AccessTokenScopeCategoryNotification
|
AccessTokenScopeCategoryNotification
|
||||||
AccessTokenScopeCategoryOrganization
|
AccessTokenScopeCategoryOrganization
|
||||||
AccessTokenScopeCategoryPackage
|
AccessTokenScopeCategoryPackage
|
||||||
|
@ -751,7 +751,7 @@ func Routes() *web.Route {
|
|||||||
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
|
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Misc (requires 'misc' scope)
|
// Misc (public accessible)
|
||||||
m.Group("", func() {
|
m.Group("", func() {
|
||||||
m.Get("/version", misc.Version)
|
m.Get("/version", misc.Version)
|
||||||
m.Get("/signing-key.gpg", misc.SigningKey)
|
m.Get("/signing-key.gpg", misc.SigningKey)
|
||||||
@ -771,7 +771,7 @@ func Routes() *web.Route {
|
|||||||
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
|
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
|
||||||
m.Get("/repository", settings.GetGeneralRepoSettings)
|
m.Get("/repository", settings.GetGeneralRepoSettings)
|
||||||
})
|
})
|
||||||
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
|
})
|
||||||
|
|
||||||
// Notifications (requires 'notifications' scope)
|
// Notifications (requires 'notifications' scope)
|
||||||
m.Group("/notifications", func() {
|
m.Group("/notifications", func() {
|
||||||
|
@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"/api/v1/markdown",
|
|
||||||
"POST",
|
|
||||||
[]permission{
|
|
||||||
{
|
|
||||||
auth_model.AccessTokenScopeCategoryMisc,
|
|
||||||
auth_model.Write,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"/api/v1/markdown/raw",
|
|
||||||
"POST",
|
|
||||||
[]permission{
|
|
||||||
{
|
|
||||||
auth_model.AccessTokenScopeCategoryMisc,
|
|
||||||
auth_model.Write,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"/api/v1/notifications",
|
"/api/v1/notifications",
|
||||||
"GET",
|
"GET",
|
||||||
@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"/api/v1/settings/api",
|
|
||||||
"GET",
|
|
||||||
[]permission{
|
|
||||||
{
|
|
||||||
auth_model.AccessTokenScopeCategoryMisc,
|
|
||||||
auth_model.Read,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"/api/v1/user",
|
"/api/v1/user",
|
||||||
"GET",
|
"GET",
|
||||||
|
Loading…
Reference in New Issue
Block a user