-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require repo scope for PATs for private repos and basic authentication #24362
Conversation
jolheiser
commented
Apr 26, 2023
Signed-off-by: jolheiser <[email protected]>
} | ||
|
||
var err error | ||
scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If no test covers it, it is very fragile.
Maybe next refactoring changes the key "ApiTokenScope", then this "check" will become a noop, the accesses just pass it.
Signed-off-by: jolheiser <[email protected]>
Signed-off-by: jolheiser <[email protected]>
go-gitea#24362) > The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments supports basic auth. This PR added scoped token check for them. --------- Signed-off-by: jolheiser <[email protected]> Co-authored-by: Lunny Xiao <[email protected]>
#24362) (#24364) Backport #24362 by @jolheiser > The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments supports basic auth. This PR added scoped token check for them. Signed-off-by: jolheiser <[email protected]> Co-authored-by: John Olheiser <[email protected]> Co-authored-by: Lunny Xiao <[email protected]>
This PR breaks my LFS client. Reverting these 2 "lfs/*.go" files , then my client works again. The error logs:
|
@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) { | |||
return | |||
} | |||
|
|||
repository := getAuthenticatedRepository(ctx, rc, true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DownloadHandler: getAuthenticatedRepository(requireWrite=true) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This lines should be removed.
* giteaofficial/main: (26 commits) Refactor docs (go-gitea#23752) Fix layouts of admin table / adapt repo / email test (go-gitea#24370) Move secrets and runners settings to actions settings (go-gitea#24200) Gitea Actions add `base_ref`, `head_ref`, `api_url`, `ref_type` fields (go-gitea#24356) Fix auth check bug (go-gitea#24382) Display 'Unknown' when runner.version is empty (go-gitea#24378) Fix incorrect last online time in runner_edit.tmpl (go-gitea#24376) Refactor "route" related code, fix Safari cookie bug (go-gitea#24330) Add custom helm repo name generated from url (go-gitea#24363) Add API for gitignore templates (go-gitea#22783) Add eslint-plugin-regexp (go-gitea#24361) Support uploading file to empty repo by API (go-gitea#24357) [skip ci] Updated translations via Crowdin Require repo scope for PATs for private repos and basic authentication (go-gitea#24362) Alert error message if open dependencies are included in the issues that try to batch close (go-gitea#24329) Fix 404 error when leaving the last private org team (go-gitea#24322) Modify width of ui container, fine tune css for settings pages and org header (go-gitea#24315) Add .livemd as a markdown extension (go-gitea#22730) Display when a repo was archived (go-gitea#22664) Fix wrong error info in RepoRefForAPI (go-gitea#24344) ...
Caused by #24362 Co-authored-by: Giteabot <[email protected]>
Caused by go-gitea#24362 Co-authored-by: Giteabot <[email protected]>
Backport #25019 by @lunny Caused by #24362 Co-authored-by: Lunny Xiao <[email protected]> Co-authored-by: John Olheiser <[email protected]>
…a#25027) Backport go-gitea#25019 by @lunny Caused by go-gitea#24362 Co-authored-by: Lunny Xiao <[email protected]> Co-authored-by: John Olheiser <[email protected]> (cherry picked from commit 73ae6b2)