Failing to link repositories against Gitea with organisations set up #130

Closed
PeterAlabaster opened this issue Aug 10, 2020 · 8 comments

@PeterAlabaster

Hi, first off, nice project! We are considering using woodpecker at our company as an alternative to drone.

I am having 2 issues, which I have not been able to find solutions for by following the documentation.

I believe both issues are solvable with config, of which the solution may be to update the documentation slightly (Would be nice to have a gitea specific env page). Happy to help in doing this.

Set up

  • Our woodpecker instance is on the same network as our gitea, but in a different docker stack
  • Most repositories on gitea exist under an organisation, let's say Organisation A
  • Some repositories may exist outside of that organisation
  • We have ~15 users under Organisation A
  • One of these users is what we have labelled a robot user, which has typical robot perms on all repos under Organisation A
    • We have configured the woodpecker OAuth application under the robot user

Our configuration

# .env
DRONE_ADMIN=robot
DRONE_ORGS=<OurOrganisationNameInGitea>

DRONE_HOST=https://<our.woodpecker.instance>
DRONE_SECRET="<result from openssl rand -hex 32>"
DRONE_SERVER="woodpecker-server:9000"  # Keep this as is, it is referencing the compose file service name

DRONE_GITEA=true
DRONE_GITEA_CLIENT_ID="<client id as configured on the OAuth app on the robot user>"
DRONE_GITEA_CLIENT_SECRET="<secret as configured on the OAuth app on the robot user>"
DRONE_GITEA_URL=https://<our.gitea.instance> 

We just load the .env to both services in the docker-compose.yml

Issue 1 (Logging in to woodpecker as a user other than robot)

I am not sure if I have misunderstood, but I understand that you should be able to log in as any user from the VCS (in our case, gitea) via the woodpecker login page. When we try to do this, we get redirected to https://<our.woodpecker.instance>/login/error?code=access_denied. We tried using DRONE_ORGS=<OurOrganisationNameInGitea> which did not change anything, and DRONE_OPEN=true but this broke login even for the robot user for some reason.

Issue 2 (Activating repositories which exist under Organisation A)

If I create a repository in gitea under robot I can activate it with no issue on woodpecker.

However, if I have a repository which exists under Organisation A - We get a popup Failed to activate your repository message: "403 Forbidden"

Possibly related information

Every time I log into our woodpecker instance, a new Access Token gets added to the robot user, so things start looking like this very quickly:

Hopefully we've just missed something obvious. Thanks for your time!

@github-actions

Looks like this is your first issue. Welcome to the community! 👋

@PeterAlabaster
Author

We just gave the robot user administrator permissions in Gitea, and it resolved Issue 2 for us; however, we don't really want robot users having this permission if possible. It seems odd, as I thought the only permission it requires is webhook creation access.

@laszlocph
Member

Let me dig into this today.

@laszlocph
Member

Issue 0

Here is my Drone config I used in my tests.
Please note that the DRONE_GITEA_CLIENT_* variables are not needed as Woodpecker doesn't use OAuth to access Gitea. Instead, users can use their Gitea username and password on the Woodpecker login page.

DRONE_HOST=https://xxx
DRONE_SECRET=yyy

DRONE_GITEA=true
DRONE_GITEA_URL=https://zzz
DRONE_OPEN=true
DRONE_ORGS=myorg
DRONE_ADMIN=laszlocph

Issue 1
The solution to the problem is setting DRONE_OPEN=true.
You can see it in https://github.com/laszlocph/woodpecker/blob/master/server/login.go#L74 how !config.Open && !config.IsAdmin(tmpuser) precedes the org membership check.

Issue 2
I was able to enable repos (both user and org repos) as the Drone admin, but not with other users. I consider this a bug as the repo permissions are simply not set in the gitea integration: https://github.com/laszlocph/woodpecker/blob/master/remote/gitea/helper.go#L40 while it is set for github: https://github.com/laszlocph/woodpecker/blob/master/remote/github/convert.go#L97

Workaround is to enable repos with the DRONE_ADMIN user.

Issue 3
The many access tokens case.
There was a Gitea SDK update on Woodpecker master that was not released. Using the latest code, the tokens are cleaned up: https://github.com/laszlocph/woodpecker/pull/121/files#diff-499f2a70701091061ee2b89aef2dcf28R148

Made a new release, grab these images: laszlocloud/woodpecker-agent:v0.11.0 and
laszlocloud/woodpecker-server:v0.11.0

Let me know if this helped, or if you see further problems.
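
Added example, not part of the original comment and not Woodpecker's code: a simplified Go model of the gate order described under Issue 1 above, where the `!config.Open && !config.IsAdmin(tmpuser)` check runs before the org membership check. The `Config` type, `FirstLogin` function and sample users are hypothetical, and treating an empty org list as "no filter" is an assumption.

```go
package main

import "fmt"

// Config is a hypothetical stand-in for the server settings discussed in the
// thread: DRONE_OPEN, DRONE_ADMIN and DRONE_ORGS.
type Config struct {
	Open   bool
	Admins map[string]bool
	Orgs   map[string]bool
}

// Decision names the gate that settled a first-time login.
type Decision string

const (
	Allowed            Decision = "allowed"
	RegistrationClosed Decision = "denied: registration closed"
	NotInAllowedOrg    Decision = "denied: not in an allowed org"
)

// FirstLogin models the gate order for a user with no account yet:
// the Open/admin gate runs first, the org allowlist only afterwards.
func FirstLogin(c Config, login string, userOrgs []string) Decision {
	if !c.Open && !c.Admins[login] {
		return RegistrationClosed // org membership is never consulted
	}
	if len(c.Orgs) == 0 { // assumption: empty allowlist means no org filter
		return Allowed
	}
	for _, o := range userOrgs {
		if c.Orgs[o] {
			return Allowed
		}
	}
	return NotInAllowedOrg
}

func main() {
	admins := map[string]bool{"robot": true}
	orgs := map[string]bool{"org-a": true}
	closed := Config{Open: false, Admins: admins, Orgs: orgs}
	open := Config{Open: true, Admins: admins, Orgs: orgs}
	// Constructed sample users: "alice" belongs to org-a, "bob" does not.
	fmt.Println(FirstLogin(closed, "alice", []string{"org-a"}))
	fmt.Println(FirstLogin(closed, "robot", []string{"org-a"}))
	fmt.Println(FirstLogin(open, "alice", []string{"org-a"}))
	fmt.Println(FirstLogin(open, "bob", []string{"other"}))
}
```

In this model a non-admin member of the allowed org is still rejected while `Open` is false, which is consistent with the `access_denied` redirect reported in the issue. With `Open` true and an empty `Orgs`, the model admits every account that authenticates against Gitea, so an org allowlist is the remaining control once registration is open.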

@PeterAlabaster
Author

Thanks for the detailed reply

Issue 1
Adding DRONE_OPEN=true without DRONE_ORGS=<blah> and removing the DRONE_GITEA_CLIENT_* env vars has sorted issue 1 for us. We can now log in as any vcs user successfully.
Issue 2
We will use the workaround for now, thanks for looking into it.
Issue 3
Your updated image has also solved the multiple token issue

Appreciate the help. I'll see if I can get round to creating a gitea set up page in the docs to consolidate this information when I next work on this

@laszlocph
Member

I'm happy it got you past the issues. 👍

@laszlocph
Member

Tracking the remaining issue here: #134

@helmut72

Can't log in to Woodpecker anymore with user/pass and Gitea when using Woodpecker versions after 0.11.0: 0.12.0, 0.13.0 and latest.

My configuration:

      - DRONE_GITEA=true
      - DRONE_GITEA_URL=https://gitea.domain.com
      - DRONE_ADMIN=my_gitea_user

Thanks!
