forked from gitea/gitea
1
0
Fork 0

Remove "misc" scope check from public API endpoints (#26134) (#26149)

Backport #26134 by @wxiaoguang

Fix #26035

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Giteabot 2023-07-26 01:32:41 -04:00 committed by GitHub
parent 0f73be0ae3
commit a8445e9320
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 63 deletions

View File

@ -47,36 +47,36 @@ Gitea supports scoped access tokens, which allow users the ability to restrict t
Gitea token scopes are as follows: Gitea token scopes are as follows:
| Name | Description | | Name | Description |
| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------| | ---- |------------------------------------------------------------------------------------------------------------------------------------------------------|
| **(no scope)** | Not supported. A scope is required even for public repositories. | | **(no scope)** | Not supported. A scope is required even for public repositories. |
| **activitypub** | `activitypub` API routes: ActivityPub related operations. | | **activitypub** | `activitypub` API routes: ActivityPub related operations. |
| &nbsp;&nbsp;&nbsp; **read:activitypub** | Grants read access for ActivityPub operations. | | &nbsp;&nbsp;&nbsp; **read:activitypub** | Grants read access for ActivityPub operations. |
| &nbsp;&nbsp;&nbsp; **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | | &nbsp;&nbsp;&nbsp; **write:activitypub** | Grants read/write/delete access for ActivityPub operations. |
| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | | **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
| &nbsp;&nbsp;&nbsp; **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | | &nbsp;&nbsp;&nbsp; **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. |
| &nbsp;&nbsp;&nbsp; **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | | | &nbsp;&nbsp;&nbsp; **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. |
| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | | **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
| &nbsp;&nbsp;&nbsp; **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | | &nbsp;&nbsp;&nbsp; **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
| &nbsp;&nbsp;&nbsp; **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | | &nbsp;&nbsp;&nbsp; **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
| **misc** | miscellaneous and settings top-level API routes. | | **misc** | Reserved for future usage. |
| &nbsp;&nbsp;&nbsp; **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. | | &nbsp;&nbsp;&nbsp; **read:misc** | Reserved for future usage. |
| &nbsp;&nbsp;&nbsp; **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. | | &nbsp;&nbsp;&nbsp; **write:misc** | Reserved for future usage. |
| **notification** | `notification/*` API routes: user notification operations. | | **notification** | `notification/*` API routes: user notification operations. |
| &nbsp;&nbsp;&nbsp; **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | | &nbsp;&nbsp;&nbsp; **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
| &nbsp;&nbsp;&nbsp; **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | | &nbsp;&nbsp;&nbsp; **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. |
| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | | **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. |
| &nbsp;&nbsp;&nbsp; **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | | &nbsp;&nbsp;&nbsp; **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. |
| &nbsp;&nbsp;&nbsp; **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | | &nbsp;&nbsp;&nbsp; **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. |
| **package** | `/packages/*` API routes: Packages operations | | **package** | `/packages/*` API routes: Packages operations |
| &nbsp;&nbsp;&nbsp; **read:package** | Grants read access to package operations, such as reading and downloading available packages. | | &nbsp;&nbsp;&nbsp; **read:package** | Grants read access to package operations, such as reading and downloading available packages. |
| &nbsp;&nbsp;&nbsp; **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | | &nbsp;&nbsp;&nbsp; **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. |
| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | | **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. |
| &nbsp;&nbsp;&nbsp; **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | | &nbsp;&nbsp;&nbsp; **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. |
| &nbsp;&nbsp;&nbsp; **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | | &nbsp;&nbsp;&nbsp; **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
| **user** | `/user/*` and `/users/*` API routes: User-related operations. | | **user** | `/user/*` and `/users/*` API routes: User-related operations. |
| &nbsp;&nbsp;&nbsp; **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | | &nbsp;&nbsp;&nbsp; **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. |
| &nbsp;&nbsp;&nbsp; **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. | | &nbsp;&nbsp;&nbsp; **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. |
## Client types ## Client types

View File

@ -16,7 +16,7 @@ type AccessTokenScopeCategory int
const ( const (
AccessTokenScopeCategoryActivityPub = iota AccessTokenScopeCategoryActivityPub = iota
AccessTokenScopeCategoryAdmin AccessTokenScopeCategoryAdmin
AccessTokenScopeCategoryMisc AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values
AccessTokenScopeCategoryNotification AccessTokenScopeCategoryNotification
AccessTokenScopeCategoryOrganization AccessTokenScopeCategoryOrganization
AccessTokenScopeCategoryPackage AccessTokenScopeCategoryPackage

View File

@ -757,7 +757,7 @@ func Routes(ctx gocontext.Context) *web.Route {
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub)) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
} }
// Misc (requires 'misc' scope) // Misc (public accessible)
m.Group("", func() { m.Group("", func() {
m.Get("/version", misc.Version) m.Get("/version", misc.Version)
m.Get("/signing-key.gpg", misc.SigningKey) m.Get("/signing-key.gpg", misc.SigningKey)
@ -777,7 +777,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/attachment", settings.GetGeneralAttachmentSettings) m.Get("/attachment", settings.GetGeneralAttachmentSettings)
m.Get("/repository", settings.GetGeneralRepoSettings) m.Get("/repository", settings.GetGeneralRepoSettings)
}) })
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)) })
// Notifications (requires 'notifications' scope) // Notifications (requires 'notifications' scope)
m.Group("/notifications", func() { m.Group("/notifications", func() {

View File

@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
}, },
}, },
}, },
{
"/api/v1/markdown",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{
"/api/v1/markdown/raw",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{ {
"/api/v1/notifications", "/api/v1/notifications",
"GET", "GET",
@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
}, },
}, },
}, },
{
"/api/v1/settings/api",
"GET",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Read,
},
},
},
{ {
"/api/v1/user", "/api/v1/user",
"GET", "GET",