From df5200e814d62880dc5f46b8036e844b89889717 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Wed, 26 Jul 2023 01:32:41 -0400 Subject: [PATCH] Remove "misc" scope check from public API endpoints (#26134) (#26149) Backport #26134 by @wxiaoguang Fix #26035 Co-authored-by: wxiaoguang (cherry picked from commit a8445e93204ab91065c45223bf5d4f7e06578549) --- .../development/oauth2-provider.en-us.md | 60 +++++++++---------- models/auth/token_scope.go | 2 +- routers/api/v1/api.go | 4 +- tests/integration/api_token_test.go | 30 ---------- 4 files changed, 33 insertions(+), 63 deletions(-) diff --git a/docs/content/development/oauth2-provider.en-us.md b/docs/content/development/oauth2-provider.en-us.md index 11e995f0de..b3824f4b2e 100644 --- a/docs/content/development/oauth2-provider.en-us.md +++ b/docs/content/development/oauth2-provider.en-us.md @@ -47,36 +47,36 @@ Gitea supports scoped access tokens, which allow users the ability to restrict t Gitea token scopes are as follows: -| Name | Description | -| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------| -| **(no scope)** | Not supported. A scope is required even for public repositories. | -| **activitypub** | `activitypub` API routes: ActivityPub related operations. | -|     **read:activitypub** | Grants read access for ActivityPub operations. | -|     **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | -| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | -|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | -|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | | -| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | -|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | -|     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | -| **misc** | miscellaneous and settings top-level API routes. | -|     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. | -|     **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. | -| **notification** | `notification/*` API routes: user notification operations. | -|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | -|     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | -| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | -|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | -|     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | -| **package** | `/packages/*` API routes: Packages operations | -|     **read:package** | Grants read access to package operations, such as reading and downloading available packages. | -|     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | -| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | -|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | -|     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | -| **user** | `/user/*` and `/users/*` API routes: User-related operations. | -|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | -|     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. | +| Name | Description | +| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------| +| **(no scope)** | Not supported. A scope is required even for public repositories. | +| **activitypub** | `activitypub` API routes: ActivityPub related operations. | +|     **read:activitypub** | Grants read access for ActivityPub operations. | +|     **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | +| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | +|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | +|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | +| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | +|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | +|     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | +| **misc** | Reserved for future usage. | +|     **read:misc** | Reserved for future usage. | +|     **write:misc** | Reserved for future usage. | +| **notification** | `notification/*` API routes: user notification operations. | +|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | +|     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | +| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | +|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | +|     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | +| **package** | `/packages/*` API routes: Packages operations | +|     **read:package** | Grants read access to package operations, such as reading and downloading available packages. | +|     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | +| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | +|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | +|     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | +| **user** | `/user/*` and `/users/*` API routes: User-related operations. | +|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | +|     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. | ## Client types diff --git a/models/auth/token_scope.go b/models/auth/token_scope.go index 19d512dad4..003ca5c9ab 100644 --- a/models/auth/token_scope.go +++ b/models/auth/token_scope.go @@ -16,7 +16,7 @@ type AccessTokenScopeCategory int const ( AccessTokenScopeCategoryActivityPub = iota AccessTokenScopeCategoryAdmin - AccessTokenScopeCategoryMisc + AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values AccessTokenScopeCategoryNotification AccessTokenScopeCategoryOrganization AccessTokenScopeCategoryPackage diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 073b1e82ef..9d06ce524d 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -757,7 +757,7 @@ func Routes(ctx gocontext.Context) *web.Route { }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub)) } - // Misc (requires 'misc' scope) + // Misc (public accessible) m.Group("", func() { m.Get("/version", misc.Version) m.Get("/signing-key.gpg", misc.SigningKey) @@ -777,7 +777,7 @@ func Routes(ctx gocontext.Context) *web.Route { m.Get("/attachment", settings.GetGeneralAttachmentSettings) m.Get("/repository", settings.GetGeneralRepoSettings) }) - }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)) + }) // Notifications (requires 'notifications' scope) m.Group("/notifications", func() { diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go index 419884d45e..1c63d07f22 100644 --- a/tests/integration/api_token_test.go +++ b/tests/integration/api_token_test.go @@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) { }, }, }, - { - "/api/v1/markdown", - "POST", - []permission{ - { - auth_model.AccessTokenScopeCategoryMisc, - auth_model.Write, - }, - }, - }, - { - "/api/v1/markdown/raw", - "POST", - []permission{ - { - auth_model.AccessTokenScopeCategoryMisc, - auth_model.Write, - }, - }, - }, { "/api/v1/notifications", "GET", @@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) { }, }, }, - { - "/api/v1/settings/api", - "GET", - []permission{ - { - auth_model.AccessTokenScopeCategoryMisc, - auth_model.Read, - }, - }, - }, { "/api/v1/user", "GET",