/api/v1/orgs has become an authenticated endpoint with 0.19 #24159

Closed
@ianw

Contributor

Description

We have CI for https://opendev.org where we are testing our upgrade of 1.18.5 to 1.19.1 [1].

We found that one of our CI tasks that gets the orgs from api/v1/orgs started failing, returning a 401.

I believe this is related to de484e8

It's not too hard to replicate this, as opendev.org is still on 1.18:

$ curl https://opendev.org/api/v1/orgs
$ curl https://try.gitea.io/api/v1/orgs

The first returns JSON, the second not :) I'm not sure if this is intentional; it does seem like the public org listing probably doesn't need to be an authenticated call?

[1] https://review.opendev.org/c/opendev/system-config/+/877541

Gitea Version

1.19.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Our gitea is built from upstream into a container

Database

None

Activity

added this to the 1.19.2 milestone on Apr 17, 2023
wxiaoguang commented on Apr 18, 2023

Contributor

Related to #20908

// old
		m.Get("/orgs", org.GetAll)
// new
		m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

And it seems that not only this one, many other end-points also have similar changes.

@harryzcy do you have ideas about how to make them more correct?

harryzcy commented on Apr 18, 2023

Contributor

@wxiaoguang If it should be public, then reqToken call should be removed. If it should require a token but doesn't require any specific scope, reqToken("") should be used.

added a commit that references this issue on Apr 21, 2023
cb19772
added a commit that references this issue on Apr 21, 2023
25ff0d0
added 2 commits that reference this issue on Apr 21, 2023
b00f7c3
locked as resolved and limited conversation to collaborators on Jun 6, 2023
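
The three registrations discussed in this thread (no `reqToken`, `reqToken("")`, and `reqToken` with a scope), modeled as an added Go example that is not part of the original issue and is not Gitea's code. The `reqToken` here is a simplified stand-in; the token values, the `read:org` scope string, the `Authorization: token ...` header format and the 401/403 split are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data: token value -> scopes granted to it.
var tokens = map[string]map[string]bool{"tok-any": {}, "tok-org": {"read:org": true}}

// reqToken is a simplified stand-in, not Gitea's code: 401 without a known
// token, 403 when a non-empty scope is required and the token lacks it.
func reqToken(scope string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		scopes, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "token ")]
		switch {
		case !ok:
			w.WriteHeader(http.StatusUnauthorized)
		case scope != "" && !scopes[scope]:
			w.WriteHeader(http.StatusForbidden)
		default:
			next(w, r)
		}
	}
}

func getAll(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "[]") }

var (
	Public   = http.HandlerFunc(getAll)     // reqToken call removed
	AnyToken = reqToken("", getAll)         // token required, no specific scope
	Scoped   = reqToken("read:org", getAll) // token must carry the scope
)

// Status sends one GET, with a token only if one is given, and returns the code.
func Status(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/orgs", nil)
	if token != "" {
		req.Header.Set("Authorization", "token "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Status(Public, ""), Status(AnyToken, ""), Status(Scoped, "tok-any"), Status(Scoped, "tok-org"))
}
```

Pinning the anonymous status of each route in a test like this makes a change from public to token-gated show up in review rather than as a 401 in a downstream CI job.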
        /api/v1/orgs has become an authenticated endpoint with 0.19 · Issue #24159 · go-gitea/gitea