Revert "[GITEA] do not enforce misc scope tokens for public API endpoints"

This reverts commit 666f43fb64.
2023-07-26 13:51:06 +02:00 · 2023-07-26 13:51:06 +02:00 · bbc3426c53
parent 7099ef15b6
commit bbc3426c53
3 changed files with 32 additions and 13 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -757,6 +757,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 		}

+		// Misc (requires 'misc' scope)
 		m.Group("", func() {
 			m.Get("/version", misc.Version)
 			m.Get("/signing-key.gpg", misc.SigningKey)
@ -776,7 +777,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 				m.Get("/attachment", settings.GetGeneralAttachmentSettings)
 				m.Get("/repository", settings.GetGeneralRepoSettings)
 			})
-		})
+		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))

 		// Notifications (requires 'notifications' scope)
 		m.Group("/notifications", func() {
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@ -141,6 +141,26 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
+		{
+			"/api/v1/markdown",
+			"POST",
+			[]permission{
+				{
+					auth_model.AccessTokenScopeCategoryMisc,
+					auth_model.Write,
+				},
+			},
+		},
+		{
+			"/api/v1/markdown/raw",
+			"POST",
+			[]permission{
+				{
+					auth_model.AccessTokenScopeCategoryMisc,
+					auth_model.Write,
+				},
+			},
+		},
 		{
 			"/api/v1/notifications",
 			"GET",
@ -327,6 +347,16 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
+		{
+			"/api/v1/settings/api",
+			"GET",
+			[]permission{
+				{
+					auth_model.AccessTokenScopeCategoryMisc,
+					auth_model.Read,
+				},
+			},
+		},
 		{
 			"/api/v1/user",
 			"GET",
--- a/tests/integration/version_test.go
+++ b/tests/integration/version_test.go
@ -7,7 +7,6 @@ import (
 	"net/http"
 	"testing"

-	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"
@ -25,15 +24,4 @@ func TestVersion(t *testing.T) {
 	var version structs.ServerVersion
 	DecodeJSON(t, resp, &version)
 	assert.Equal(t, setting.AppVer, version.Version)
-
-	// Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
-	{
-		token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
-		req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
-		resp := MakeRequest(t, req, http.StatusOK)
-
-		var version structs.ServerVersion
-		DecodeJSON(t, resp, &version)
-		assert.Equal(t, setting.AppVer, version.Version)
-	}
 }