From a8445e93204ab91065c45223bf5d4f7e06578549 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Wed, 26 Jul 2023 01:32:41 -0400
Subject: [PATCH] Remove "misc" scope check from public API endpoints (#26134)
(#26149)
Backport #26134 by @wxiaoguang
Fix #26035
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
---
.../development/oauth2-provider.en-us.md | 60 +++++++++----------
models/auth/token_scope.go | 2 +-
routers/api/v1/api.go | 4 +-
tests/integration/api_token_test.go | 30 ----------
4 files changed, 33 insertions(+), 63 deletions(-)
diff --git a/docs/content/development/oauth2-provider.en-us.md b/docs/content/development/oauth2-provider.en-us.md
index 11e995f0de..b3824f4b2e 100644
--- a/docs/content/development/oauth2-provider.en-us.md
+++ b/docs/content/development/oauth2-provider.en-us.md
@@ -47,36 +47,36 @@ Gitea supports scoped access tokens, which allow users the ability to restrict t
Gitea token scopes are as follows:
-| Name | Description |
-| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------|
-| **(no scope)** | Not supported. A scope is required even for public repositories. |
-| **activitypub** | `activitypub` API routes: ActivityPub related operations. |
-| **read:activitypub** | Grants read access for ActivityPub operations. |
-| **write:activitypub** | Grants read/write/delete access for ActivityPub operations. |
-| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
-| **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. |
-| **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | |
-| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
-| **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
-| **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
-| **misc** | miscellaneous and settings top-level API routes. |
-| **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. |
-| **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. |
-| **notification** | `notification/*` API routes: user notification operations. |
-| **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
-| **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. |
-| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. |
-| **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. |
-| **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. |
-| **package** | `/packages/*` API routes: Packages operations |
-| **read:package** | Grants read access to package operations, such as reading and downloading available packages. |
-| **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. |
-| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. |
-| **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. |
-| **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
-| **user** | `/user/*` and `/users/*` API routes: User-related operations. |
-| **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. |
-| **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. |
+| Name | Description |
+| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **(no scope)** | Not supported. A scope is required even for public repositories. |
+| **activitypub** | `activitypub` API routes: ActivityPub related operations. |
+| **read:activitypub** | Grants read access for ActivityPub operations. |
+| **write:activitypub** | Grants read/write/delete access for ActivityPub operations. |
+| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
+| **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. |
+| **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. |
+| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
+| **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
+| **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
+| **misc** | Reserved for future usage. |
+| **read:misc** | Reserved for future usage. |
+| **write:misc** | Reserved for future usage. |
+| **notification** | `notification/*` API routes: user notification operations. |
+| **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
+| **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. |
+| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. |
+| **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. |
+| **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. |
+| **package** | `/packages/*` API routes: Packages operations |
+| **read:package** | Grants read access to package operations, such as reading and downloading available packages. |
+| **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. |
+| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. |
+| **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. |
+| **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
+| **user** | `/user/*` and `/users/*` API routes: User-related operations. |
+| **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. |
+| **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. |
## Client types
diff --git a/models/auth/token_scope.go b/models/auth/token_scope.go
index 61e684ea27..fe57276700 100644
--- a/models/auth/token_scope.go
+++ b/models/auth/token_scope.go
@@ -16,7 +16,7 @@ type AccessTokenScopeCategory int
const (
AccessTokenScopeCategoryActivityPub = iota
AccessTokenScopeCategoryAdmin
- AccessTokenScopeCategoryMisc
+ AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values
AccessTokenScopeCategoryNotification
AccessTokenScopeCategoryOrganization
AccessTokenScopeCategoryPackage
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 3a1203628a..a1392e7ad7 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -757,7 +757,7 @@ func Routes(ctx gocontext.Context) *web.Route {
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
}
- // Misc (requires 'misc' scope)
+ // Misc (public accessible)
m.Group("", func() {
m.Get("/version", misc.Version)
m.Get("/signing-key.gpg", misc.SigningKey)
@@ -777,7 +777,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
m.Get("/repository", settings.GetGeneralRepoSettings)
})
- }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
+ })
// Notifications (requires 'notifications' scope)
m.Group("/notifications", func() {
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
index 419884d45e..1c63d07f22 100644
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
},
},
},
- {
- "/api/v1/markdown",
- "POST",
- []permission{
- {
- auth_model.AccessTokenScopeCategoryMisc,
- auth_model.Write,
- },
- },
- },
- {
- "/api/v1/markdown/raw",
- "POST",
- []permission{
- {
- auth_model.AccessTokenScopeCategoryMisc,
- auth_model.Write,
- },
- },
- },
{
"/api/v1/notifications",
"GET",
@@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
},
},
},
- {
- "/api/v1/settings/api",
- "GET",
- []permission{
- {
- auth_model.AccessTokenScopeCategoryMisc,
- auth_model.Read,
- },
- },
- },
{
"/api/v1/user",
"GET",