oppi.li / perf-test
loading up the forgejo repo on tangled to test page performance
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Remove "misc" scope check from public API endpoints (#26134)

Fix #26035

authored by

wxiaoguang and committed by
GitHub 915cdf8f 9ed3700a

+33 -63
+30 -30
docs/content/doc/development/oauth2-provider.en-us.md
··· 51 51 52 52 Gitea token scopes are as follows: 53 53 54 - | Name | Description | 55 - | ---- |--------------------------------------------------------------------------------------------------------------------------------------------------| 56 - | **(no scope)** | Not supported. A scope is required even for public repositories. | 57 - | **activitypub** | `activitypub` API routes: ActivityPub related operations. | 58 - |     **read:activitypub** | Grants read access for ActivityPub operations. | 59 - |     **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | 60 - | **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | 61 - |     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | 62 - |     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | | 63 - | **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | 64 - |     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | 65 - |     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | 66 - | **misc** | miscellaneous and settings top-level API routes. | 67 - |     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. | 68 - |     **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. | 69 - | **notification** | `notification/*` API routes: user notification operations. | 70 - |     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | 71 - |     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | 72 - | **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | 73 - |     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | 74 - |     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | 75 - | **package** | `/packages/*` API routes: Packages operations | 76 - |     **read:package** | Grants read access to package operations, such as reading and downloading available packages. | 77 - |     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | 78 - | **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | 79 - |     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | 80 - |     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | 81 - | **user** | `/user/*` and `/users/*` API routes: User-related operations. | 82 - |     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | 83 - |     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. | 54 + | Name | Description | 55 + | ---- |------------------------------------------------------------------------------------------------------------------------------------------------------| 56 + | **(no scope)** | Not supported. A scope is required even for public repositories. | 57 + | **activitypub** | `activitypub` API routes: ActivityPub related operations. | 58 + |     **read:activitypub** | Grants read access for ActivityPub operations. | 59 + |     **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | 60 + | **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | 61 + |     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | 62 + |     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | 63 + | **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | 64 + |     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | 65 + |     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | 66 + | **misc** | Reserved for future usage. | 67 + |     **read:misc** | Reserved for future usage. | 68 + |     **write:misc** | Reserved for future usage. | 69 + | **notification** | `notification/*` API routes: user notification operations. | 70 + |     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | 71 + |     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | 72 + | **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | 73 + |     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | 74 + |     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | 75 + | **package** | `/packages/*` API routes: Packages operations | 76 + |     **read:package** | Grants read access to package operations, such as reading and downloading available packages. | 77 + |     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | 78 + | **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | 79 + |     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | 80 + |     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | 81 + | **user** | `/user/*` and `/users/*` API routes: User-related operations. | 82 + |     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | 83 + |     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. | 84 84 85 85 ## Client types 86 86
+1 -1
models/auth/token_scope.go
··· 16 16 const ( 17 17 AccessTokenScopeCategoryActivityPub = iota 18 18 AccessTokenScopeCategoryAdmin 19 - AccessTokenScopeCategoryMisc 19 + AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values 20 20 AccessTokenScopeCategoryNotification 21 21 AccessTokenScopeCategoryOrganization 22 22 AccessTokenScopeCategoryPackage
+2 -2
routers/api/v1/api.go
··· 751 751 }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub)) 752 752 } 753 753 754 - // Misc (requires 'misc' scope) 754 + // Misc (public accessible) 755 755 m.Group("", func() { 756 756 m.Get("/version", misc.Version) 757 757 m.Get("/signing-key.gpg", misc.SigningKey) ··· 771 771 m.Get("/attachment", settings.GetGeneralAttachmentSettings) 772 772 m.Get("/repository", settings.GetGeneralRepoSettings) 773 773 }) 774 - }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)) 774 + }) 775 775 776 776 // Notifications (requires 'notifications' scope) 777 777 m.Group("/notifications", func() {
-30
tests/integration/api_token_test.go
··· 142 142 }, 143 143 }, 144 144 { 145 - "/api/v1/markdown", 146 - "POST", 147 - []permission{ 148 - { 149 - auth_model.AccessTokenScopeCategoryMisc, 150 - auth_model.Write, 151 - }, 152 - }, 153 - }, 154 - { 155 - "/api/v1/markdown/raw", 156 - "POST", 157 - []permission{ 158 - { 159 - auth_model.AccessTokenScopeCategoryMisc, 160 - auth_model.Write, 161 - }, 162 - }, 163 - }, 164 - { 165 145 "/api/v1/notifications", 166 146 "GET", 167 147 []permission{ ··· 343 323 []permission{ 344 324 { 345 325 auth_model.AccessTokenScopeCategoryRepository, 346 - auth_model.Read, 347 - }, 348 - }, 349 - }, 350 - { 351 - "/api/v1/settings/api", 352 - "GET", 353 - []permission{ 354 - { 355 - auth_model.AccessTokenScopeCategoryMisc, 356 326 auth_model.Read, 357 327 }, 358 328 },