gitea/models at f2a1271f164569264c378fad720b0c000fff3336 - gitea - Kyren's Code

mirrors/gitea

mirror of https://github.com/go-gitea/gitea.git synced 2026-05-19 03:21:05 +00:00

Files

History

Lunny Xiao f2a1271f16 fix: Unify public-only token filtering in API queries and repo access checks (#37118 )

This PR closes remaining `public-only` token gaps in the API by making
the restriction apply consistently across repository, organization,
activity, notification, and authenticated `/api/v1/user/...` routes.

Previously, `public-only` tokens were still able to:
- receive private results from some list/search/self endpoints,
- access repository data through ID-based lookups,
- and reach several authenticated self routes that should remain
unavailable for public-only access.

This change treats `public-only` as a cross-cutting visibility boundary:
- list/search endpoints now filter private resources consistently,
- repository lookups enforce the same restriction even when addressed
indirectly,
- and self routes that inherently expose or mutate private account state
now reject `public-only` tokens.

---
Generated by a coding agent with Codex 5.2

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>

2026-05-18 11:36:42 -07:00

..

feat: execute post run cleanup when workflow is cancelled (#37275 )

2026-05-17 08:41:39 +02:00

fix: Unify public-only token filtering in API queries and repo access checks (#37118 )

2026-05-18 11:36:42 -07:00

feat(api): encrypt AWS creds (#37679 )

2026-05-14 15:46:20 +03:00

fix: treat email addresses case-insensitively (#37600 )

2026-05-08 15:14:33 +00:00

fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706 )

2026-05-16 15:17:00 +00:00

Remove incorrect "db.DefaultContext" usages (#35366 )

2025-08-28 03:52:43 +00:00

chore(db): introduce db.Session and db.EngineMigration interfaces (#37746 )

2026-05-18 03:56:39 +08:00

Fix dbfs error handling (#36844 )

2026-03-07 00:28:46 +08:00

Improve testing init, clean up webhook tests (#37412 )

2026-04-25 18:55:18 +00:00

chore(db): introduce db.Session and db.EngineMigration interfaces (#37746 )

2026-05-18 03:56:39 +08:00

chore(db): introduce db.Session and db.EngineMigration interfaces (#37746 )

2026-05-18 03:56:39 +08:00

chore(db): introduce db.Session and db.EngineMigration interfaces (#37746 )

2026-05-18 03:56:39 +08:00

fix: Unify public-only token filtering in API queries and repo access checks (#37118 )

2026-05-18 11:36:42 -07:00

chore(db): introduce db.Session and db.EngineMigration interfaces (#37746 )

2026-05-18 03:56:39 +08:00

Fix issue label deletion with Actions tokens (#37013 )

2026-03-29 09:21:14 +00:00

Allow multiple projects per issue and pull requests (#36784 )

2026-04-30 22:38:05 +08:00

Make GetPossibleUserByID can handle deleted user (#37430 )

2026-04-26 16:57:53 +00:00

Rename CurrentRefPath to CurrentRefSubURL (#37453 )

2026-04-28 00:34:17 +00:00

fix: Unify public-only token filtering in API queries and repo access checks (#37118 )

2026-05-18 11:36:42 -07:00

Don't block site admin's operation if SECRET_KEY is lost (#35721 )

2025-10-22 12:35:56 +08:00

Refactor locale&string&template related code (#29165 )

2024-02-14 21:48:45 +00:00

Remove dead code identified by deadcode tool (#37271 )

2026-04-20 07:52:48 +00:00

Run gopls modernize on codebase (#34751 )

2025-06-18 01:48:09 +00:00

chore(deps): bump tool deps and pin, update golangci-lint (#37574 )

2026-05-08 04:49:34 +00:00

fix: Unify public-only token filtering in API queries and repo access checks (#37118 )

2026-05-18 11:36:42 -07:00

Improve testing init, clean up webhook tests (#37412 )

2026-04-25 18:55:18 +00:00

main_test.go

make writing main test easier (#27270 )

2023-09-28 01:38:53 +00:00

repo_test.go

Remove incorrect "db.DefaultContext" usages (#35366 )

2025-08-28 03:52:43 +00:00

repo.go

Replace custom Go formatter with golangci-lint fmt (#37194 )

2026-04-17 17:45:22 +00:00