mirror of
1
Fork 0

Revert "[GITEA] do not enforce misc scope tokens for public API endpoints"

This reverts commit 666f43fb64.
This commit is contained in:
Earl Warren 2023-07-26 13:51:06 +02:00
parent 7099ef15b6
commit bbc3426c53
No known key found for this signature in database
GPG Key ID: 0579CB2928A78A00
3 changed files with 32 additions and 13 deletions

View File

@ -757,6 +757,7 @@ func Routes(ctx gocontext.Context) *web.Route {
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
}
// Misc (requires 'misc' scope)
m.Group("", func() {
m.Get("/version", misc.Version)
m.Get("/signing-key.gpg", misc.SigningKey)
@ -776,7 +777,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
m.Get("/repository", settings.GetGeneralRepoSettings)
})
})
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
// Notifications (requires 'notifications' scope)
m.Group("/notifications", func() {

View File

@ -141,6 +141,26 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
},
},
},
{
"/api/v1/markdown",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{
"/api/v1/markdown/raw",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{
"/api/v1/notifications",
"GET",
@ -327,6 +347,16 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
},
},
},
{
"/api/v1/settings/api",
"GET",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Read,
},
},
},
{
"/api/v1/user",
"GET",

View File

@ -7,7 +7,6 @@ import (
"net/http"
"testing"
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests"
@ -25,15 +24,4 @@ func TestVersion(t *testing.T) {
var version structs.ServerVersion
DecodeJSON(t, resp, &version)
assert.Equal(t, setting.AppVer, version.Version)
// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
{
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
resp := MakeRequest(t, req, http.StatusOK)
var version structs.ServerVersion
DecodeJSON(t, resp, &version)
assert.Equal(t, setting.AppVer, version.Version)
}
}