bjoernager/forgejo
bjoernager/forgejo
1
Fork 0
Code Activity

feat: allow access to /api/v1/packages/{username} without token (#7716)

Browse source 
- Only require tokens on package endpoints that modify packages, this being deletion of a package and (un)link of a package.
- Allows reading data via the API of otherwise public data
- Integration test added.

Some references to related past commits:
- de484e86bc Started requiring tokens for reading packages "mimicking the design of GitHub OAuth scopes".
- 18de83b2a3 Adjusted the scope further, but kept the GitHub design.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7716
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Squel <squeljur+git@gmail.com>
Co-committed-by: Squel <squeljur+git@gmail.com>
This commit is contained in:
Squel 2025-04-29 14:37:19 +00:00 committed by Gusted
parent f6599099ee
commit 8c81dca8b9
2 changed files with 17 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

8
routers/api/v1/api.go
View file

@ -1495,16 +1495,16 @@ func Routes() *web.Route {
m.Group("/{type}/{name}", func() {
m.Group("/{version}", func() {
m.Get("", packages.GetPackage)
m.Delete("", reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)
m.Delete("", reqToken(), reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)
m.Get("/files", packages.ListPackageFiles)
})
m.Post("/-/link/{repo_name}", reqPackageAccess(perm.AccessModeWrite), packages.LinkPackage)
m.Post("/-/unlink", reqPackageAccess(perm.AccessModeWrite), packages.UnlinkPackage)
m.Post("/-/link/{repo_name}", reqToken(), reqPackageAccess(perm.AccessModeWrite), packages.LinkPackage)
m.Post("/-/unlink", reqToken(), reqPackageAccess(perm.AccessModeWrite), packages.UnlinkPackage)
})
m.Get("/", packages.ListPackages)
}, reqToken(), tokenRequiresScopes(auth_model.AccessTokenScopeCategoryPackage), context.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead), checkTokenPublicOnly())
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryPackage), context.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead), checkTokenPublicOnly())
// Organizations
m.Get("/user/orgs", reqToken(), tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), org.ListMyOrgs)