From 666f43fb64e9f3529c54311a94637fa9751b812d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?=
Date: Sun, 23 Jul 2023 21:52:33 +0200
Subject: [PATCH] [GITEA] do not enforce misc scope tokens for public API endpoints
(cherry picked from commit e353d1c4b7c11e84131c7c777d25c0d7b96564b2)
---
 routers/api/v1/api.go | 3 +--
 tests/integration/api_token_test.go | 30 -----------------------------
 tests/integration/version_test.go | 12 ++++++++++++
 3 files changed, 13 insertions(+), 32 deletions(-)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 073b1e82ef..40c252f0c5 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -757,7 +757,6 @@ func Routes(ctx gocontext.Context) *web.Route {
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 	}
 
-	// Misc (requires 'misc' scope)
 	m.Group("", func() {
 		m.Get("/version", misc.Version)
 		m.Get("/signing-key.gpg", misc.SigningKey)
@@ -777,7 +776,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 			m.Get("/attachment", settings.GetGeneralAttachmentSettings)
 			m.Get("/repository", settings.GetGeneralRepoSettings)
 		})
-	}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
+	})
 
 	// Notifications (requires 'notifications' scope)
 	m.Group("/notifications", func() {
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
index 419884d45e..1c63d07f22 100644
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/markdown",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
-		{
-			"/api/v1/markdown/raw",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
 		{
 			"/api/v1/notifications",
 			"GET",
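Review bot: Removing `tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)` at the end of the group lifts scope enforcement for every route in it, not only the read-only public ones the subject names; the test cases this commit deletes show the same group holds `POST /api/v1/markdown` and `POST /api/v1/markdown/raw`, which until now required `misc` write scope. A token issued for an unrelated category would then appear to reach those rendering endpoints, so consider keeping the middleware on the POST routes (a nested `m.Group` carrying `tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)`) and lifting it only on the routes that must work without any scope. The comment deleted in the first hunk should be replaced rather than dropped, e.g. `// Misc (public; token scopes are deliberately not enforced here)`, so the gate is not reintroduced by a future reader. Routes continues outside both hunks.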
@@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/settings/api",
-			"GET",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Read,
-				},
-			},
-		},
 		{
 			"/api/v1/user",
 			"GET",
diff --git a/tests/integration/version_test.go b/tests/integration/version_test.go
index a6ae649b40..137d18951d 100644
--- a/tests/integration/version_test.go
+++ b/tests/integration/version_test.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"testing"
 
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"
@@ -24,4 +25,15 @@ func TestVersion(t *testing.T) {
 	var version structs.ServerVersion
 	DecodeJSON(t, resp, &version)
 	assert.Equal(t, setting.AppVer, version.Version)
+
+	// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
+	{
+		token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
+		req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		var version structs.ServerVersion
+		DecodeJSON(t, resp, &version)
+		assert.Equal(t, setting.AppVer, version.Version)
+	}
 }
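Review bot: The regression check only exercises `/api/v1/version` with an `AccessTokenScopeReadActivityPub` token, while the route change in `routers/api/v1/api.go` lifts the scope gate on the whole group (`/signing-key.gpg`, the `/settings/*` routes, and per the deleted test cases the markdown POSTs); looping over those paths, and, if anonymous access is intended, asserting that a request with no token also returns `http.StatusOK`, would pin the "public" property the subject describes. The inner block re-declares `version` and `resp`, which shadows the outer variables; that is harmless inside the braces, but extracting `assertVersion(t, token string)` would avoid the duplicated decode and assert. The comment `// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed` would serve better if it stated the bug, e.g. `// A token scoped to another category must still reach the public /version endpoint (forgejo#1098)`. TestVersion starts outside the hunk.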