Merge pull request '[DOCS] RELEASE-NOTES: add scoped access tokens' (#454) from earl-warren/forgejo:wip-token-scope into forgejo-development

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/454
This commit is contained in:
Earl Warren 2023-02-28 00:03:14 +00:00
commit 28fab82302

View file

@ -17,6 +17,59 @@ $ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/fo
### Breaking changes ### Breaking changes
#### [Support scoped access tokens](https://codeberg.org/forgejo/forgejo/commit/de484e86bc)
Forgejo access token, used with the
[API](https://forgejo.org/docs/admin/api-usage/) can now have a
"scope" that limits what it can access. Existing tokens stored in
the database and created before Forgejo v1.19 had unlimited access.
For backward compatibility, their access will remain the same and they
will continue to work as before.
However, **newly created token that do not specify a scope will now only
have read-only access to public user profile and public repositories**.
For instance, the `/users/{username}/tokens` API endpoint will require
the `scopes: ['all', 'sudo']` parameter and the `forgejo admin user
generate-access-token` will require the `--scopes all,sudo` argument
obtain tokens with ulimited access as before for admin users.
The the following scopes are supported:
| Name | Description |
| ---- | ----------- |
| **(no scope)** | Grants read-only access to public user profile and public repositories. |
| **repo** | Full control over all repositories. |
|     **repo:status** | Grants read/write access to commit status in all repositories. |
|     **public_repo** | Grants read/write access to public repositories only. |
| **admin:repo_hook** | Grants access to repository hooks of all repositories. This is included in the `repo` scope. |
|     **write:repo_hook** | Grants read/write access to repository hooks |
|     **read:repo_hook** | Grants read-only access to repository hooks |
| **admin:org** | Grants full access to organization settings |
|     **write:org** | Grants read/write access to organization settings |
|     **read:org** | Grants read-only access to organization settings |
| **admin:public_key** | Grants full access for managing public keys |
|     **write:public_key** | Grant read/write access to public keys |
|     **read:public_key** | Grant read-only access to public keys |
| **admin:org_hook** | Grants full access to organizational-level hooks |
| **notification** | Grants full access to notifications |
| **user** | Grants full access to user profile info |
|     **read:user** | Grants read access to user's profile |
|     **user:email** | Grants read access to user's email addresses |
|     **user:follow** | Grants access to follow/un-follow a user |
| **delete_repo** | Grants access to delete repositories as an admin |
| **package** | Grants full access to hosted packages |
|     **write:package** | Grants read/write access to packages |
|     **read:package** | Grants read access to packages |
|     **delete:package** | Grants delete access to packages |
| **admin:gpg_key** | Grants full access for managing GPG keys |
|     **write:gpg_key** | Grants read/write access to GPG keys |
|     **read:gpg_key** | Grants read-only access to GPG keys |
| **admin:application** | Grants full access to manage applications |
|     **write:application** | Grants read/write access for managing applications |
|     **read:application** | Grants read access for managing applications |
| **sudo** | Allows to perform actions as the site admin. |
#### [Repositories: by default disable all units except code and pulls on forks](https://codeberg.org/forgejo/forgejo/commit/2741546be) #### [Repositories: by default disable all units except code and pulls on forks](https://codeberg.org/forgejo/forgejo/commit/2741546be)
When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure `DEFAULT_FORK_REPO_UNITS` to be the same value as `DEFAULT_REPO_UNITS`. When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure `DEFAULT_FORK_REPO_UNITS` to be the same value as `DEFAULT_REPO_UNITS`.
@ -67,7 +120,6 @@ Any webhook can now specify an `Authorization` header to be sent along every req
#### [Scoped labels](https://codeberg.org/forgejo/forgejo/commit/6221a6fd5) #### [Scoped labels](https://codeberg.org/forgejo/forgejo/commit/6221a6fd5)
* (description) * (description)
* [Allow setting access token scope by CLI](https://codeberg.org/forgejo/forgejo/commit/3f2e72137)
#### [Support org/user level projects](https://codeberg.org/forgejo/forgejo/commit/6fe3c8b39) #### [Support org/user level projects](https://codeberg.org/forgejo/forgejo/commit/6fe3c8b39)