Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/api/v1/orgs has become an authenticated endpoint with 0.19 #24159

Closed
ianw opened this issue Apr 17, 2023 · 2 comments · Fixed by #24194
Closed

/api/v1/orgs has become an authenticated endpoint with 0.19 #24159

ianw opened this issue Apr 17, 2023 · 2 comments · Fixed by #24194
Labels
type/bug
Milestone
1.19.2

Comments

@ianw
Copy link
Contributor

ianw commented Apr 17, 2023

Description

We have CI for https://opendev.org where we are testing our upgrade of 1.18.5 to 1.19.1 [1].

We found that one of our CI tasks that gets the orgs from api/v1/orgs started failing returning a 401.

I believe this is related to de484e8

It's not too hard to replicate this; as opendev.org is still on 1.18

$ curl https://opendev.org/api/v1/orgs
$ curl https://try.gitea.io/api/v1/orgs

The first returns json, the second not :) I'm not sure if this is intentional; it does seem like the public org listing probably doens't need to be an authenticated call?

[1] https://review.opendev.org/c/opendev/system-config/+/877541

Gitea Version

1.19.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Our gitea is built from upstream into a container

Database

None
@ianw ianw added the type/bug label Apr 17, 2023
@lunny lunny added this to the 1.19.2 milestone Apr 17, 2023
@ianw ianw mentioned this issue Apr 17, 2023
Open
@wxiaoguang
Copy link
Contributor

Related to #20908

// old
		m.Get("/orgs", org.GetAll)
// new
		m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

And it seems that not only this one, many other end-points also have similar changes.

@harryzcy do you have ideas about how to make them more correct?

@harryzcy
Copy link
Contributor

@wxiaoguang If it should be public, then reqToken call should be removed. If it should require a token but doesn't require any specific scope, reqToken("") should be used.

@harryzcy harryzcy mentioned this issue Apr 18, 2023
Merged
2 tasks
techknowlogick pushed a commit that referenced this issue Apr 21, 2023
@harryzcy
Fix access token issue on some public endpoints (#24194)
cb19772 
- [x] Identify endpoints that should be public
- [x] Update integration tests

Fix #24159
@GiteaBot GiteaBot mentioned this issue Apr 21, 2023
Merged
2 tasks
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Apr 21, 2023
@harryzcy @GiteaBot
Fix access token issue on some public endpoints (go-gitea#24194)
25ff0d0 
- [x] Identify endpoints that should be public
- [x] Update integration tests

Fix go-gitea#24159
silverwind pushed a commit that referenced this issue Apr 21, 2023
@GiteaBot @harryzcy
Fix access token issue on some public endpoints (#24194) (#24259)
b00f7c3 
Backport #24194 by @harryzcy

- [x] Identify endpoints that should be public
- [x] Update integration tests

Fix #24159

Co-authored-by: harryzcy <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
1.19.2
Development

Successfully merging a pull request may close this issue.

Fix access token issue on some public endpoints harryzcy/gitea
4 participants
@lunny @ianw @wxiaoguang @harryzcy