Merge pull request '[GITEA] do not enforce misc scope tokens for public API endpoints' (#1100) from dachary/forgejo:wip-v1.20-api-public into v1.20/forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1100
This commit is contained in:
Loïc Dachary 2023-07-23 21:19:22 +00:00
commit 1ceadbbfda
3 changed files with 13 additions and 32 deletions

View file

@ -757,7 +757,6 @@ func Routes(ctx gocontext.Context) *web.Route {
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
}
// Misc (requires 'misc' scope)
m.Group("", func() {
m.Get("/version", misc.Version)
m.Get("/signing-key.gpg", misc.SigningKey)
@ -777,7 +776,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/attachment", settings.GetGeneralAttachmentSettings)
m.Get("/repository", settings.GetGeneralRepoSettings)
})
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
})
// Notifications (requires 'notifications' scope)
m.Group("/notifications", func() {

View file

@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
},
},
},
{
"/api/v1/markdown",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{
"/api/v1/markdown/raw",
"POST",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Write,
},
},
},
{
"/api/v1/notifications",
"GET",
@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
},
},
},
{
"/api/v1/settings/api",
"GET",
[]permission{
{
auth_model.AccessTokenScopeCategoryMisc,
auth_model.Read,
},
},
},
{
"/api/v1/user",
"GET",

View file

@ -7,6 +7,7 @@ import (
"net/http"
"testing"
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests"
@ -24,4 +25,15 @@ func TestVersion(t *testing.T) {
var version structs.ServerVersion
DecodeJSON(t, resp, &version)
assert.Equal(t, setting.AppVer, version.Version)
// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
{
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
resp := MakeRequest(t, req, http.StatusOK)
var version structs.ServerVersion
DecodeJSON(t, resp, &version)
assert.Equal(t, setting.AppVer, version.Version)
}
}