An unknown error occurred on repository setting page (access to global secrets)

[zc-devs]

Component

server, web-ui

Describe the bug

1. Optional: Activate a repo in Woodpecker
2. Open repository without secrets
3. Go to settings page, General tab
4. Get error

An unknown error occurred
index-yc-Su7Fu.js:25 
GET https://woodpecker.test.smthd.com/api/secrets?page=1 403 (Forbidden)

There are two requests to the secrets?page=1: one with HTTP 200, another HTTP 403.

---

If there is at least one secret, then there is no error and only one request to the secrets?page=1 with HTTP 200.

System Info

next-acec955943

Additional context

No response

Validations

• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]
• Check that this is a concrete bug. For Q&A join our Discord Chat Server or the Matrix room.

[qwerty287]

Is this from a user without admin permissions on the WP instance?

[zc-devs]

Yes, just general user.

[zc-devs]

On 2.1.1 if there is no one secret, then all is the same as on 2.0.

But now, even if there is one secret, error appears when page is scrolled down to the bottom:

Actually, maybe it was on 2.0 also and I didn't test scroll 🤔

[zc-devs]

There are two requests to the secrets?page=1: one with HTTP 200, another HTTP 403.

Corrections:

1. 200 is to /api/orgs/3/secrets?page=1
2. 403 is to /api/secrets?page=1, Get the global secret list
3. There are no global secrets on my instance at all, BTW
4. The same on Repository's Secrets page.

[anbraten]

Ahh, the issue is we query instance secrets to show if the user overrides them, but unfortunately we don't allow normal users to access that endpoint. Not sure why the org endpoint is failing your case. 🤔 Are you not an admin of your org?

[zc-devs]

Not sure why the org endpoint is failing your case

It was OK 200, I think. I just didn't look carefully inside, my bad.

^ there are
200 to api/repos/22/secrets?page=2
200 to api/orgs/3/secrets?page=1
403 to api/secrets?page=1

Are you not an admin of your org?

Don't know, if I wasn't, but now I am :)

we don't allow normal users to access that endpoint

Yeah. Seems, that's the cause.

[anbraten]

I am currently checking how to fix this one. We can either skip the api request in case the user is not an admin or we allow every user to get (read-only) the global secrets as they don't include the actual value and will be available in the pipeline anyway.

[qwerty287]

we allow every user to get (read-only) the global secrets as they don't include the actual value and will be available in the pipeline anyway.

I'd go with this way.