From bbc3426c532be36cdfc4b05cac6f30e7e1ab337f Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Wed, 26 Jul 2023 13:51:06 +0200
Subject: [PATCH] Revert "[GITEA] do not enforce misc scope tokens for public API endpoints"

This reverts commit 666f43fb64e9f3529c54311a94637fa9751b812d.
---
 routers/api/v1/api.go | 3 ++-
 tests/integration/api_token_test.go | 30 +++++++++++++++++++++++++++++
 tests/integration/version_test.go | 12 ------------
 3 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 40c252f0c5..073b1e82ef 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -757,6 +757,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 }
+ // Misc (requires 'misc' scope)
 m.Group("", func() {
 m.Get("/version", misc.Version)
 m.Get("/signing-key.gpg", misc.SigningKey)
@@ -776,7 +777,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 m.Get("/attachment", settings.GetGeneralAttachmentSettings)
 m.Get("/repository", settings.GetGeneralRepoSettings)
 })
- })
+ }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
 // Notifications (requires 'notifications' scope)
 m.Group("/notifications", func() {
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
index 1c63d07f22..419884d45e 100644
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -141,6 +141,26 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 }, }, }, + { "/api/v1/markdown", "POST", []permission{ { auth_model.AccessTokenScopeCategoryMisc, auth_model.Write, }, }, }, + { "/api/v1/markdown/raw", "POST", []permission{ { auth_model.AccessTokenScopeCategoryMisc, auth_model.Write, }, }, }, { "/api/v1/notifications", "GET",
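Review bot: The restored gate `tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc)` in the second api.go hunk presumably refuses a request whose token lacks the misc scope for `/version`, `/signing-key.gpg` and the `/settings/*` routes, while the check this commit deletes in version_test.go had pinned the opposite expectation (an ActivityPub-scoped token reaching `/api/v1/version`), and neither the restored comment in the first hunk nor the commit message says why that expectation was wrong. If `tokenRequiresScopes` applies only when a token is presented, as its name suggests, anonymous callers and narrowly-scoped token callers now get different answers from the same endpoints, which is the asymmetry the reverted change was addressing, so the rationale belongs next to the gate rather than only in history: `// Misc (requires 'misc' scope): a token used on these endpoints must carry the scope even where anonymous access is allowed; see the revert of 666f43fb`. The enclosing `Routes` function starts and ends outside both hunks.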
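Review bot: The new deny-table entries cover `/api/v1/markdown`, `/api/v1/markdown/raw` and, in the second hunk of this file, `/api/v1/settings/api`, but none of the other routes the restored misc gate now guards — `/version`, `/signing-key.gpg` and the remaining `/settings/*` endpoints visible in api.go — and the only test that exercised `/api/v1/version` with a narrower token is deleted in version_test.go, so the route that motivated the reverted change ends up with no assertion in either direction. One more entry pins the gate on the endpoint most likely to regress: `{ "/api/v1/version", "GET", []permission{{auth_model.AccessTokenScopeCategoryMisc, auth_model.Read}} },`. How the table driver treats a token missing the scope is not visible here; the table and `TestAPIDeniesPermissionBasedOnTokenScope` start and end outside the hunk.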
@@ -327,6 +347,16 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 }, }, }, + { "/api/v1/settings/api", "GET", []permission{ { auth_model.AccessTokenScopeCategoryMisc, auth_model.Read, }, }, }, { "/api/v1/user", "GET",
diff --git a/tests/integration/version_test.go b/tests/integration/version_test.go
index 137d18951d..a6ae649b40 100644
--- a/tests/integration/version_test.go
+++ b/tests/integration/version_test.go
@@ -7,7 +7,6 @@ import (
 "net/http"
 "testing"
- auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/structs"
 "code.gitea.io/gitea/tests"
@@ -25,15 +24,4 @@ func TestVersion(t *testing.T) {
 var version structs.ServerVersion
 DecodeJSON(t, resp, &version)
 assert.Equal(t, setting.AppVer, version.Version)
-
- // Verify https://codeberg.org/forgejo/forgejo/pulls/1098 is fixed
- {
- token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadActivityPub)
- req := NewRequestf(t, "GET", "/api/v1/version?token=%s", token)
- resp := MakeRequest(t, req, http.StatusOK)
-
- var version structs.ServerVersion
- DecodeJSON(t, resp, &version)
- assert.Equal(t, setting.AppVer, version.Version)
- }
 }