mirrors/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-19 11:31:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
78d744aa011ad44be77c8bcfd305b5b8b7ada952
gitea/services/context
History
Lunny Xiao f2a1271f16 fix: Unify public-only token filtering in API queries and repo access checks (#37118) 
This PR closes remaining `public-only` token gaps in the API by making
the restriction apply consistently across repository, organization,
activity, notification, and authenticated `/api/v1/user/...` routes.

Previously, `public-only` tokens were still able to:
- receive private results from some list/search/self endpoints,
- access repository data through ID-based lookups,
- and reach several authenticated self routes that should remain
unavailable for public-only access.

This change treats `public-only` as a cross-cutting visibility boundary:
- list/search endpoints now filter private resources consistently,
- repository lookups enforce the same restriction even when addressed
indirectly,
- and self routes that inherently expose or mutate private account state
now reject `public-only` tokens.

---
Generated by a coding agent with Codex 5.2

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-18 11:36:42 -07:00
..
upload
various fixes (#36697)
2026-02-22 08:01:43 +01:00
access_log_test.go
Address some CodeQL security concerns (#35572)
2025-10-04 01:21:26 +08:00
access_log.go
Address some CodeQL security concerns (#35572)
2025-10-04 01:21:26 +08:00
api_org.go
Move context from modules to services (#29440)
2024-02-27 08:12:22 +01:00
api_test.go
Enable testifylint rules (#34075)
2025-03-31 01:53:48 -04:00
api.go
fix: Unify public-only token filtering in API queries and repo access checks (#37118)
2026-05-18 11:36:42 -07:00
base_form.go
Allow multiple projects per issue and pull requests (#36784)
2026-04-30 22:38:05 +08:00
base_path.go
Fix URL related escaping for oauth2 (#37334)
2026-04-21 23:58:32 +08:00
base_test.go
Refactor htmx and fetch-action related code (#37186)
2026-04-13 18:53:55 +00:00
base.go
Refactor htmx and fetch-action related code (#37186)
2026-04-13 18:53:55 +00:00
captcha.go
Fix mCaptcha broken after Vite migration (#37492)
2026-05-02 17:21:56 +02:00
context_cookie.go
Replace CSRF cookie with CrossOriginProtection (#36183)
2025-12-25 12:33:34 +02:00
context_model.go
Refactor context repository (#33202)
2025-01-12 03:39:46 +00:00
context_request.go
Move context from modules to services (#29440)
2024-02-27 08:12:22 +01:00
context_response.go
Fix URL related escaping for oauth2 (#37334)
2026-04-21 23:58:32 +08:00
context_template.go
Fix script error alert (#37458)
2026-04-28 01:08:50 +02:00
context_test.go
Fix AppFullLink (#37325)
2026-04-20 23:57:08 +00:00
context.go
fix: improve actions status icons and texts (#37206)
2026-05-09 15:24:08 +08:00
org.go
Add pagination and search box to org teams list (#37245)
2026-04-17 17:29:11 +02:00
package.go
Move package settings to package instead of being tied to version (#37026)
2026-04-06 03:51:51 +08:00
pagination_test.go
Fix notifications pagination query parameters (#36351)
2026-01-12 22:17:42 +00:00
pagination.go
Fix CodeQL code scanning alerts (#36858)
2026-03-08 14:35:50 +00:00
permission.go
fix(web): enforce token scopes on raw, media, and attachment downloads (#37698)
2026-05-16 14:50:41 +00:00
private.go
Fix SSH LFS timeout (#34838)
2025-06-24 15:49:31 +00:00
repo.go
fix: Allow direct commits for unprotected files with push restrictions (#37657)
2026-05-18 00:49:38 +02:00
response.go
Migrate from webpack to vite (#37002)
2026-03-29 10:24:30 +00:00
user.go
Remove dead code identified by deadcode tool (#37271)
2026-04-20 07:52:48 +00:00
utils.go
Move context from modules to services (#29440)
2024-02-27 08:12:22 +01:00