[GITEA] do not enforce misc scope tokens for public API endpoints

2024-10-31 22:38:58 +00:00 · 2023-07-23 21:52:33 +02:00 · 2023-07-23 21:52:33 +02:00 · e353d1c4b7
commit e353d1c4b7
parent ec9b2c47db
3 changed files with 13 additions and 32 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -751,7 +751,6 @@ func Routes() *web.Route {
 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 		}

-		// Misc (requires 'misc' scope)
 		m.Group("", func() {
 			m.Get("/version", misc.Version)
 			m.Get("/signing-key.gpg", misc.SigningKey)
@ -771,7 +770,7 @@ func Routes() *web.Route {
 				m.Get("/attachment", settings.GetGeneralAttachmentSettings)
 				m.Get("/repository", settings.GetGeneralRepoSettings)
 			})
-		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
+		})

 		// Notifications (requires 'notifications' scope)
 		m.Group("/notifications", func() {
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/markdown",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
-		{
-			"/api/v1/markdown/raw",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
 		{
 			"/api/v1/notifications",
 			"GET",
@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/settings/api",
-			"GET",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Read,
-				},
-			},
-		},
 		{
 			"/api/v1/user",
 			"GET",
--- a/tests/integration/version_test.go
+++ b/tests/integration/version_test.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"testing"

+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"
@ -24,4 +25,15 @@ func TestVersion(t *testing.T) {
 	var version structs.ServerVersion
 	DecodeJSON(t, resp, &version)
 	assert.Equal(t, setting.AppVer, version.Version)
+
+	// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
+	{
+		token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
+		req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		var version structs.ServerVersion
+		DecodeJSON(t, resp, &version)
+		assert.Equal(t, setting.AppVer, version.Version)
+	}
 }