Remove "misc" scope check from public API endpoints (#26134)

wxiaoguang · web-flow · commit 915cdf8f8738 · 2023-07-26T02:53:31.000Z
Fix #26035
diff --git a/docs/content/doc/development/oauth2-provider.en-us.md b/docs/content/doc/development/oauth2-provider.en-us.md
@@ -51,36 +51,36 @@ Gitea supports scoped access tokens, which allow users the ability to restrict t
 
 Gitea token scopes are as follows:
 
-| Name | Description                                                                                                                                      |
-| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------|
-| **(no scope)** | Not supported. A scope is required even for public repositories.                                                                                 |
-| **activitypub** | `activitypub` API routes: ActivityPub related operations.                                                                                        |
-| &nbsp;&nbsp;&nbsp; **read:activitypub** | Grants read access for ActivityPub operations.                                                                                                   |
-| &nbsp;&nbsp;&nbsp; **write:activitypub** | Grants read/write/delete access for ActivityPub operations.                                                                                      |
-| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts).                                                      |
-| &nbsp;&nbsp;&nbsp; **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails.                                                    |
-| &nbsp;&nbsp;&nbsp; **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.                                              |                                                         |
-| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations.                                                                     |
-| &nbsp;&nbsp;&nbsp; **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones.                                     |
-| &nbsp;&nbsp;&nbsp; **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.              |
-| **misc** | miscellaneous and settings top-level API routes.                                                                                                 |
-| &nbsp;&nbsp;&nbsp; **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates.                                                   |
-| &nbsp;&nbsp;&nbsp; **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations.                                                         |
-| **notification** | `notification/*` API routes: user notification operations.                                                                                       |
-| &nbsp;&nbsp;&nbsp; **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications.                        |
-| &nbsp;&nbsp;&nbsp; **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read.                                                           |
-| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations.                                                                  |
-| &nbsp;&nbsp;&nbsp; **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members.                           |
-| &nbsp;&nbsp;&nbsp; **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings.                                  |
-| **package** | `/packages/*` API routes: Packages operations                                                                                                    |
-| &nbsp;&nbsp;&nbsp; **read:package** | Grants read access to package operations, such as reading and downloading available packages.                                                    |
-| &nbsp;&nbsp;&nbsp; **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`.                                                            |
-| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations.                                           |
-| &nbsp;&nbsp;&nbsp; **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators.                                          |
-| &nbsp;&nbsp;&nbsp; **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators.    |
-| **user** | `/user/*` and `/users/*` API routes: User-related operations.                                                                                    |
-| &nbsp;&nbsp;&nbsp; **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings.                                                |
-| &nbsp;&nbsp;&nbsp; **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings.                        |
+| Name | Description                                                                                                                                          |
+| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **(no scope)** | Not supported. A scope is required even for public repositories.                                                                                     |
+| **activitypub** | `activitypub` API routes: ActivityPub related operations.                                                                                            |
+| &nbsp;&nbsp;&nbsp; **read:activitypub** | Grants read access for ActivityPub operations.                                                                                                       |
+| &nbsp;&nbsp;&nbsp; **write:activitypub** | Grants read/write/delete access for ActivityPub operations.                                                                                          |
+| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts).                                                          |
+| &nbsp;&nbsp;&nbsp; **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails.                                                        |
+| &nbsp;&nbsp;&nbsp; **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.                                           |
+| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations.                                                                         |
+| &nbsp;&nbsp;&nbsp; **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones.                                         |
+| &nbsp;&nbsp;&nbsp; **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.           |
+| **misc** | Reserved for future usage.                                                                                                                           |
+| &nbsp;&nbsp;&nbsp; **read:misc** | Reserved for future usage.                                                                                                                           |
+| &nbsp;&nbsp;&nbsp; **write:misc** | Reserved for future usage.                                                                                                                           |
+| **notification** | `notification/*` API routes: user notification operations.                                                                                           |
+| &nbsp;&nbsp;&nbsp; **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications.                            |
+| &nbsp;&nbsp;&nbsp; **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read.                                                        |
+| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations.                                                                      |
+| &nbsp;&nbsp;&nbsp; **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members.                               |
+| &nbsp;&nbsp;&nbsp; **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings.                               |
+| **package** | `/packages/*` API routes: Packages operations                                                                                                        |
+| &nbsp;&nbsp;&nbsp; **read:package** | Grants read access to package operations, such as reading and downloading available packages.                                                        |
+| &nbsp;&nbsp;&nbsp; **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`.                                                         |
+| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations.                                               |
+| &nbsp;&nbsp;&nbsp; **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators.                                              |
+| &nbsp;&nbsp;&nbsp; **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
+| **user** | `/user/*` and `/users/*` API routes: User-related operations.                                                                                        |
+| &nbsp;&nbsp;&nbsp; **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings.                                                    |
+| &nbsp;&nbsp;&nbsp; **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings.                     |
 
 ## Client types
 
diff --git a/models/auth/token_scope.go b/models/auth/token_scope.go
@@ -16,7 +16,7 @@ type AccessTokenScopeCategory int
 const (
 	AccessTokenScopeCategoryActivityPub = iota
 	AccessTokenScopeCategoryAdmin
-	AccessTokenScopeCategoryMisc
+	AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values
 	AccessTokenScopeCategoryNotification
 	AccessTokenScopeCategoryOrganization
 	AccessTokenScopeCategoryPackage
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -751,7 +751,7 @@ func Routes() *web.Route {
 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 		}
 
-		// Misc (requires 'misc' scope)
+		// Misc (public accessible)
 		m.Group("", func() {
 			m.Get("/version", misc.Version)
 			m.Get("/signing-key.gpg", misc.SigningKey)
@@ -771,7 +771,7 @@ func Routes() *web.Route {
 				m.Get("/attachment", settings.GetGeneralAttachmentSettings)
 				m.Get("/repository", settings.GetGeneralRepoSettings)
 			})
-		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
+		})
 
 		// Notifications (requires 'notifications' scope)
 		m.Group("/notifications", func() {
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
@@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/markdown",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
-		{
-			"/api/v1/markdown/raw",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
 		{
 			"/api/v1/notifications",
 			"GET",
@@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/settings/api",
-			"GET",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Read,
-				},
-			},
-		},
 		{
 			"/api/v1/user",
 			"GET",
