Fix public-only token enforcement for user/org APIs and notifications#37118

Open
lunny wants to merge 3 commits into go-gitea:main from lunny:lunny/fix_public_only_list_org

Conversation

@lunny
Member

@lunny lunny commented Apr 6, 2026

  • Ensure public-only scoped tokens never return private orgs, repos, activity feeds, or repo-by-id details by enforcing visibility in handlers and routes.
  • Add a notifications middleware to block public-only tokens at the router level.
  • Add integration tests covering public-only behavior for user/org repos, repo-by-id access, activity feeds, stars, and notifications.

Generated by a coding agent with Codex 5.2
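The two mechanisms the PR description names, a handler-level visibility filter and a router-level middleware that refuses public-only tokens outright, as an added illustration written for this page. This is not Gitea's code: the Token, Org and Visibility types, the context key and the RequireFullScope and VisibleOrgs names are all hypothetical stand-ins for the project's real models and routes, and the org list is constructed sample data.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Token is a constructed stand-in for an API access token (hypothetical, not
// Gitea's model). PublicOnly is true when the token was issued with the
// public-only scope restriction.
type Token struct {
	Name       string
	PublicOnly bool
}

// Visibility of an org or repo; only two levels are modelled here.
type Visibility int

const (
	Public Visibility = iota
	Private
)

// Org is a constructed record of an organisation and its visibility.
type Org struct {
	Name       string
	Visibility Visibility
}

// VisibleOrgs is the handler-level check: a public-only token never sees a
// private org, whoever the request is made on behalf of. Full-scope tokens
// see everything passed in (the caller already applied membership rules).
func VisibleOrgs(tok Token, orgs []Org) []Org {
	out := make([]Org, 0, len(orgs))
	for _, o := range orgs {
		if tok.PublicOnly && o.Visibility != Public {
			continue
		}
		out = append(out, o)
	}
	return out
}

type ctxKey struct{}

// WithToken stores the authenticated token on the request context, the way an
// authentication middleware would before the route handler runs.
func WithToken(r *http.Request, tok Token) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, tok))
}

func tokenFrom(r *http.Request) (Token, bool) {
	tok, ok := r.Context().Value(ctxKey{}).(Token)
	return tok, ok
}

// RequireFullScope is the router-level guard: it wraps a handler for an
// endpoint that inherently exposes private data (notifications reference
// private repos) and rejects public-only tokens before the handler runs, so
// no per-handler filtering needs to exist or can be forgotten.
func RequireFullScope(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := tokenFrom(r)
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if tok.PublicOnly {
			http.Error(w, "token is public-only; this endpoint requires full scope", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NotificationsStatus sends a request for the guarded notifications route
// with the given token and returns the resulting HTTP status code.
func NotificationsStatus(tok Token) int {
	notifications := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `[]`) // stand-in for the real notifications payload
	})
	mux := http.NewServeMux()
	mux.Handle("/api/v1/notifications", RequireFullScope(notifications))
	req := WithToken(httptest.NewRequest(http.MethodGet, "/api/v1/notifications", nil), tok)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample data: one public org, one private org.
	orgs := []Org{{"openteam", Public}, {"secret-lab", Private}}
	fmt.Println(VisibleOrgs(Token{"ro", true}, orgs))
	fmt.Println(NotificationsStatus(Token{"ro", true}))
}
```

The split matters for review: a filter such as VisibleOrgs has to be repeated in every handler that lists orgs, repos or activity, and the PR's integration tests are what catch the handler that forgot it, whereas a route guard such as RequireFullScope fails closed for the whole endpoint group with one check.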

@GiteaBot GiteaBot added the label "lgtm/need 2" (This PR needs two approvals by maintainers to be considered for merging) on Apr 6, 2026
@github-actions github-actions bot added the labels "modifies/api" (This PR adds API routes or modifies them) and "modifies/go" (Pull requests that update Go code) on Apr 6, 2026
@lunny lunny marked this pull request as ready for review April 6, 2026 19:39