[GITEA] do not enforce misc scope tokens for public API endpoints
(cherry picked from commit e353d1c4b7)
parent
f255e50903
commit
666f43fb64
3 changed files with 13 additions and 32 deletions
|
@ -757,7 +757,6 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
|
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Misc (requires 'misc' scope)
|
|
||||||
m.Group("", func() {
|
m.Group("", func() {
|
||||||
m.Get("/version", misc.Version)
|
m.Get("/version", misc.Version)
|
||||||
m.Get("/signing-key.gpg", misc.SigningKey)
|
m.Get("/signing-key.gpg", misc.SigningKey)
|
||||||
|
@ -777,7 +776,7 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
|
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
|
||||||
m.Get("/repository", settings.GetGeneralRepoSettings)
|
m.Get("/repository", settings.GetGeneralRepoSettings)
|
||||||
})
|
})
|
||||||
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
|
})
|
||||||
|
|
||||||
// Notifications (requires 'notifications' scope)
|
// Notifications (requires 'notifications' scope)
|
||||||
m.Group("/notifications", func() {
|
m.Group("/notifications", func() {
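Review bot: With `tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)` dropped from the closing `})` of the misc group, nothing in the visible lines records that the group is unscoped on purpose, and the old `// Misc (requires 'misc' scope)` comment is removed without a replacement. Every route registered in this group is now reachable with a token of any scope, so a route added here later gets no scope check by default. I would keep a comment above `m.Group("", func() {`, for example `// Misc (public endpoints, no token scope enforced; only register routes that serve non-sensitive data here)`. The test cases removed elsewhere in this commit indicate the group also holds POST routes such as `/api/v1/markdown`, so it is worth confirming that each of them is meant to be callable with a read-only token. The full route list sits between the two hunks and is not visible here.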
|
||||||
|
|
|
@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"/api/v1/markdown",
|
|
||||||
"POST",
|
|
||||||
[]permission{
|
|
||||||
{
|
|
||||||
auth_model.AccessTokenScopeCategoryMisc,
|
|
||||||
auth_model.Write,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"/api/v1/markdown/raw",
|
|
||||||
"POST",
|
|
||||||
[]permission{
|
|
||||||
{
|
|
||||||
auth_model.AccessTokenScopeCategoryMisc,
|
|
||||||
auth_model.Write,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"/api/v1/notifications",
|
"/api/v1/notifications",
|
||||||
"GET",
|
"GET",
|
||||||
|
@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"/api/v1/settings/api",
|
|
||||||
"GET",
|
|
||||||
[]permission{
|
|
||||||
{
|
|
||||||
auth_model.AccessTokenScopeCategoryMisc,
|
|
||||||
auth_model.Read,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"/api/v1/user",
|
"/api/v1/user",
|
||||||
"GET",
|
"GET",
|
||||||
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
auth_model "code.gitea.io/gitea/models/auth"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
"code.gitea.io/gitea/modules/structs"
|
"code.gitea.io/gitea/modules/structs"
|
||||||
"code.gitea.io/gitea/tests"
|
"code.gitea.io/gitea/tests"
|
||||||
|
@ -24,4 +25,15 @@ func TestVersion(t *testing.T) {
|
||||||
var version structs.ServerVersion
|
var version structs.ServerVersion
|
||||||
DecodeJSON(t, resp, &version)
|
DecodeJSON(t, resp, &version)
|
||||||
assert.Equal(t, setting.AppVer, version.Version)
|
assert.Equal(t, setting.AppVer, version.Version)
|
||||||
|
|
||||||
|
// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
|
||||||
|
{
|
||||||
|
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
|
||||||
|
req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
|
||||||
|
resp := MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
|
var version structs.ServerVersion
|
||||||
|
DecodeJSON(t, resp, &version)
|
||||||
|
assert.Equal(t, setting.AppVer, version.Version)
|
||||||
|
}
|
||||||
}
|
}
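Review bot: The new block in `TestVersion` pins the fix only for `GET /api/v1/version` with an `auth_model.AccessTokenScopeReadActivityPub` token, while the same commit deletes the scope-table cases for `/api/v1/markdown`, `/api/v1/markdown/raw` and `/api/v1/settings/api`, so those routes are left with no token-scope assertion in either direction. A short table of method/path pairs requested with the same unrelated-scope token would cover them and would catch a later change that re-scopes only part of the group. Making the block a named subtest, `t.Run("token without misc scope", func(t *testing.T) { ... })`, would also let a failure be told apart from the unauthenticated check earlier in the function.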
|
||||||
|
|