fedi/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-15 02:45:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

[GITEA] do not enforce misc scope tokens for public API endpoints

Browse source 
(cherry picked from commit e353d1c4b7)
This commit is contained in:
Loïc Dachary 2023-07-23 21:52:33 +02:00
parent f255e50903
commit 666f43fb64
No known key found for this signature in database
GPG key ID: 992D23B392F9E4F2
3 changed files with 13 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
routers/api/v1/api.go
View file

@ -757,7 +757,6 @@ func Routes(ctx gocontext.Context) *web.Route {
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub)) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
} }
// Misc (requires 'misc' scope)
m.Group("", func() { m.Group("", func() {
m.Get("/version", misc.Version) m.Get("/version", misc.Version)
m.Get("/signing-key.gpg", misc.SigningKey) m.Get("/signing-key.gpg", misc.SigningKey)
@ -777,7 +776,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/attachment", settings.GetGeneralAttachmentSettings) m.Get("/attachment", settings.GetGeneralAttachmentSettings)
m.Get("/repository", settings.GetGeneralRepoSettings) m.Get("/repository", settings.GetGeneralRepoSettings)
}) })
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)) })
// Notifications (requires 'notifications' scope) // Notifications (requires 'notifications' scope)
m.Group("/notifications", func() { m.Group("/notifications", func() {

30
tests/integration/api_token_test.go
View file

@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
}, },
}, },
}, },
{
"/api/v1/markdown",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{
"/api/v1/markdown/raw",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{ {
"/api/v1/notifications", "/api/v1/notifications",
"GET", "GET",
@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
}, },
}, },
}, },
{
"/api/v1/settings/api",
"GET",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Read,
},
},
},
{ {
"/api/v1/user", "/api/v1/user",
"GET", "GET",

12
tests/integration/version_test.go
View file

@ -7,6 +7,7 @@ import (
"net/http" "net/http"
"testing" "testing"
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests" "code.gitea.io/gitea/tests"
@ -24,4 +25,15 @@ func TestVersion(t *testing.T) {
var version structs.ServerVersion var version structs.ServerVersion
DecodeJSON(t, resp, &version) DecodeJSON(t, resp, &version)
assert.Equal(t, setting.AppVer, version.Version) assert.Equal(t, setting.AppVer, version.Version)
// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
{
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
resp := MakeRequest(t, req, http.StatusOK)
var version structs.ServerVersion
DecodeJSON(t, resp, &version)
assert.Equal(t, setting.AppVer, version.Version)
}
} }