From 688f831853ef179d511cc7594dd23cc46ccef654 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Mon, 27 Feb 2023 22:19:29 +0100 Subject: [PATCH] [DOCS] RELEASE-NOTES: add scoped access tokens --- RELEASE-NOTES.md | 54 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index aef968fdd5..b94fa2eb5f 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md 
@@ -17,6 +17,59 @@ $ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/fo ### Breaking changes +#### [Support scoped access tokens](https://codeberg.org/forgejo/forgejo/commit/de484e86bc) + +Forgejo access token, used with the +[API](https://forgejo.org/docs/admin/api-usage/) can now have a +"scope" that limits what it can access. Existing tokens stored in +the database and created before Forgejo v1.19 had unlimited access. +For backward compatibility, their access will remain the same and they +will continue to work as before. + +However, **newly created token that do not specify a scope will now only +have read-only access to public user profile and public repositories**. + +For instance, the `/users/{username}/tokens` API endpoint will require +the `scopes: ['all', 'sudo']` parameter and the `forgejo admin user +generate-access-token` will require the `--scopes all,sudo` argument +obtain tokens with ulimited access as before for admin users. + +The the following scopes are supported: + +| Name | Description | +| ---- | ----------- | +| **(no scope)** | Grants read-only access to public user profile and public repositories. | +| **repo** | Full control over all repositories. | +|     **repo:status** | Grants read/write access to commit status in all repositories. | +|     **public_repo** | Grants read/write access to public repositories only. | +| **admin:repo_hook** | Grants access to repository hooks of all repositories. This is included in the `repo` scope. 
| +|     **write:repo_hook** | Grants read/write access to repository hooks | +|     **read:repo_hook** | Grants read-only access to repository hooks | +| **admin:org** | Grants full access to organization settings | +|     **write:org** | Grants read/write access to organization settings | +|     **read:org** | Grants read-only access to organization settings | +| **admin:public_key** | Grants full access for managing public keys | +|     **write:public_key** | Grant read/write access to public keys | +|     **read:public_key** | Grant read-only access to public keys | +| **admin:org_hook** | Grants full access to organizational-level hooks | +| **notification** | Grants full access to notifications | +| **user** | Grants full access to user profile info | +|     **read:user** | Grants read access to user's profile | +|     **user:email** | Grants read access to user's email addresses | +|     **user:follow** | Grants access to follow/un-follow a user | +| **delete_repo** | Grants access to delete repositories as an admin | +| **package** | Grants full access to hosted packages | +|     **write:package** | Grants read/write access to packages | +|     **read:package** | Grants read access to packages | +|     **delete:package** | Grants delete access to packages | +| **admin:gpg_key** | Grants full access for managing GPG keys | +|     **write:gpg_key** | Grants read/write access to GPG keys | +|     **read:gpg_key** | Grants read-only access to GPG keys | +| **admin:application** | Grants full access to manage applications | +|     **write:application** | Grants read/write access for managing applications | +|     **read:application** | Grants read access for managing applications | +| **sudo** | Allows to perform actions as the site admin. 
| + #### [Repositories: by default disable all units except code and pulls on forks](https://codeberg.org/forgejo/forgejo/commit/2741546be) When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure `DEFAULT_FORK_REPO_UNITS` to be the same value as `DEFAULT_REPO_UNITS`. @@ -67,7 +120,6 @@ Any webhook can now specify an `Authorization` header to be sent along every req #### [Scoped labels](https://codeberg.org/forgejo/forgejo/commit/6221a6fd5) * (description) -* [Allow setting access token scope by CLI](https://codeberg.org/forgejo/forgejo/commit/3f2e72137) #### [Support org/user level projects](https://codeberg.org/forgejo/forgejo/commit/6fe3c8b39)
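Review bot: the prose added in the first hunk (the "Support scoped access tokens" section) has several grammar and spelling errors that should be fixed before this lands, since this is user-facing release text: "Forgejo access token, used with the [API](...) can now have" should read "Forgejo access tokens, used with the API, can now have"; "newly created token that do not specify a scope" should be "newly created tokens that do not specify a scope"; "generate-access-token` will require the `--scopes all,sudo` argument obtain tokens with ulimited access" is missing "to" and misspells "unlimited"; and "The the following scopes are supported" doubles "The". In the table, the `write:public_key` and `read:public_key` rows say "Grant ..." while every other row says "Grants ...", and the sub-scope rows (`repo:status`, `public_repo`, `write:repo_hook`, ...) are indented with runs of non-breaking spaces inside the cell, which render differently across Markdown viewers; plain nesting text such as "repo:status (part of repo)" would be more robust. Finally, because the section states that tokens created before v1.19 keep unlimited access, it would help operators to add one sentence recommending that existing tokens be reviewed and, where full access is not needed, regenerated with an explicit scope.

Review bot: in the second hunk, dropping the `* [Allow setting access token scope by CLI](https://codeberg.org/forgejo/forgejo/commit/3f2e72137)` bullet from under "Scoped labels" is correct (it was filed under the wrong heading), but after this patch the 3f2e72137 commit is no longer referenced anywhere in the release notes. Since the new section above already describes the `forgejo admin user generate-access-token --scopes` argument that this commit introduced, consider linking 3f2e72137 from that section next to de484e86bc so the CLI change stays traceable from the notes.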