This PR adds the support for scopes of access tokens, mimicking the
design of GitHub OAuth scopes.
The changes of the core logic are in `models/auth` that `AccessToken`
struct will have a `Scope` field. The normalized (no duplication of
scope), comma-separated scope string will be stored in `access_token`
table in the database.
In `services/auth`, the scope will be stored in context, which will be
used by `reqToken` middleware in API calls. Only OAuth2 tokens will have
granular token scopes, while others like BasicAuth will default to scope
`all`.
A large amount of work happens in `routers/api/v1/api.go` and the
corresponding `tests/integration` tests, that is adding necessary scopes
to each of the API calls as they fit.
- [x] Add `Scope` field to `AccessToken`
- [x] Add access control to all API endpoints
- [x] Update frontend & backend for when creating tokens
- [x] Add a database migration for `scope` column (enable 'all' access
to past tokens)
I'm aiming to complete it before Gitea 1.19 release.
Fixes#4300
Change all license headers to comply with REUSE specification.
Fix#16132
Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
* Some refactors related repository model
* Move more methods out of repository
* Move repository into models/repo
* Fix test
* Fix test
* some improvements
* Remove unnecessary function
* Feature - #5960 - API Endpoint for Repo Editing
* Revert from merge
* Adds integration testing
* Updates to integration tests
* Revert changes
* Update year in file header
* Misspell fix
* XORM = test
* XORM = test
* revert XORM = file
* Makes RepoUnit.ID be pk and autoincr
* Fix to units
* revert header
* Remove print statement
* Adds other responses
* Improves swagger for creating repo
* Fixes import order
* Better Unit Type does not exist error
* Adds editable repo properties to the response repo structure
* Fix to api_repo_edit_test.go
* Fixes repo test
* Changes per review
* Fixes typo and standardizes comments in the EditRepoOption struct for swagger
* Fixes typo and standardizes comments in the EditRepoOption struct for swagger
* Actually can unarchive through the API
* Unlike delete, user doesn't have to be the owner of the org, just admin to the repo
* Fix to swagger comments for field name change
* Update to swagger docs
* Update swagger
* Changes allow_pull_requests to has_pull_requests
* Add options to git.Clone to make it more capable
* Begin the process of removing the local copy and tidy up
* Remove Wiki LocalCopy Checkouts
* Remove the last LocalRepo helpers
* Remove WithTemporaryFile
* Enable push-hooks for these routes
* Ensure tests cope with hooks
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Remove Repository.LocalCopyPath()
* Move temporary repo to use the standard temporary path
* Fix the tests
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Remove LocalWikiPath
* Fix missing remove
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Use AppURL for Oauth user link (#6894)
* Use AppURL for Oauth user link
Fix#6843
* Update oauth.go
* Update oauth.go
* internal/ssh: ignore env command totally (#6825)
* ssh: ignore env command totally
* Remove commented code
Needed fix described in issue #6889
* Escape the commit message on issues update and title in telegram hook (#6901)
* update sdk to latest (#6903)
* improve description of branch protection (fix#6886) (#6906)
The branch protection description text were not quite accurate.
* Fix logging documentation (#6904)
* ENABLE_MACARON_REDIRECT should be REDIRECT_MACARON_LOG
* Allow DISABLE_ROUTER_LOG to be set in the [log] section
* [skip ci] Updated translations via Crowdin
* Move sdk structs to modules/structs (#6905)
* move sdk structs to moduels/structs
* fix tests
* fix fmt
* fix swagger
* fix vendor
Panagiotis "Ivory" Vasilopoulos
Chongyi Zheng
Lunny Xiao
flynnnnnnnnnn
Kyle D
Gusted
wxiaoguang
zeripath
Richard Mahn
John Olheiser