enforce public-only scope for access token

Author: marcellmars

options/locale/locale_en-US.ini

@@ -893,8 +893,8 @@ access_token_deletion_confirm_action = Delete
 access_token_deletion_desc = Deleting a token will revoke access to your account for applications using it. This cannot be undone. Continue?
 delete_token_success = The token has been deleted. Applications using it no longer have access to your account.
 repo_and_org_access = Repository and Organization Access
-permissions_public_only = Public only
-permissions_access_all = All (public, private, and limited)
+permissions_public_only = Public only (Grant access only to public and exclude private and limited organizations and repositories)
+permissions_access_all = All (Grant access to public, private, and limited organizations and repositories)
 select_permissions = Select permissions
 permission_not_set = Not set
 permission_no_access = No Access

routers/api/v1/api.go

@@ -92,6 +92,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/repo"
 	"code.gitea.io/gitea/routers/api/v1/settings"
 	"code.gitea.io/gitea/routers/api/v1/user"
+	"code.gitea.io/gitea/routers/api/v1/utils"
 	"code.gitea.io/gitea/routers/common"
 	"code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/services/auth"
@@ -184,6 +185,10 @@ func repoAssignment() func(ctx *context.APIContext) {
 			}
 			return
 		}
+		if repo.IsPrivate && utils.PublicOnlyToken(ctx, "ApiTokenScopePublicRepoOnly") {
+			ctx.NotFound()
+			return
+		}
 
 		repo.Owner = owner
 		ctx.Repo.Repository = repo
@@ -954,9 +959,9 @@ func Routes() *web.Router {
 					m.Get("/{target}", user.CheckFollowing)
 				})
 
-				m.Get("/starred", user.GetStarredRepos)
+				m.Get("/starred", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), user.GetStarredRepos)
 
-				m.Get("/subscriptions", user.GetWatchedRepos)
+				m.Get("/subscriptions", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), user.GetWatchedRepos)
 			}, context.UserAssignmentAPI())
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())
 
@@ -1477,13 +1482,13 @@ func Routes() *web.Router {
 			m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context.UserAssignmentAPI())
 		m.Post("/orgs", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), reqToken(), bind(api.CreateOrgOption{}), org.Create)
-		m.Get("/orgs", org.GetAll, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization))
+		m.Get("/orgs", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), org.GetAll)
 		m.Group("/orgs/{org}", func() {
 			m.Combo("").Get(org.Get).
 				Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
 				Delete(reqToken(), reqOrgOwnership(), org.Delete)
-			m.Combo("/repos").Get(user.ListOrgRepos).
-				Post(reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
+			m.Combo("/repos").Get(tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), user.ListOrgRepos).
+				Post(reqToken(), tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
 			m.Group("/members", func() {
 				m.Get("", reqToken(), org.ListMembers)
 				m.Combo("/{username}").Get(reqToken(), org.IsMember).
@@ -1551,7 +1556,7 @@ func Routes() *web.Router {
 					Put(reqToken(), org.AddTeamRepository).
 					Delete(reqToken(), org.RemoveTeamRepository).
 					Get(reqToken(), org.GetTeamRepo)
-			})
+			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))
 			m.Get("/activities/feeds", org.ListTeamActivityFeeds)
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(false, true), reqToken(), reqTeamMembership())
 
@@ -1571,23 +1576,25 @@ func Routes() *web.Router {
 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)
 						m.Delete("/{id}", admin.DeleteUserPublicKey)
 					})
-					m.Get("/orgs", org.ListUserOrgs)
-					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)
-					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)
+					m.Get("/orgs", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), org.ListUserOrgs)
+					m.Get("/orgs", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), org.ListUserOrgs)
+					m.Post("/orgs", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), bind(api.CreateOrgOption{}), admin.CreateOrg)
+					m.Post("/repos", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), bind(api.CreateRepoOption{}), admin.CreateRepo)
 					m.Post("/rename", bind(api.RenameUserOption{}), admin.RenameUser)
 					m.Get("/badges", admin.ListUserBadges)
 					m.Post("/badges", bind(api.UserBadgeOption{}), admin.AddUserBadges)
 					m.Delete("/badges", bind(api.UserBadgeOption{}), admin.DeleteUserBadges)
 				}, context.UserAssignmentAPI())
-			})
+			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser))
+
 			m.Group("/emails", func() {
 				m.Get("", admin.GetAllEmails)
 				m.Get("/search", admin.SearchEmail)
 			})
 			m.Group("/unadopted", func() {
 				m.Get("", admin.ListUnadoptedRepositories)
-				m.Post("/{username}/{reponame}", admin.AdoptRepository)
-				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)
+				m.Post("/{username}/{reponame}", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), admin.AdoptRepository)
+				m.Delete("/{username}/{reponame}", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), admin.DeleteUnadoptedRepository)
 			})
 			m.Group("/hooks", func() {
 				m.Combo("").Get(admin.ListHooks).

routers/api/v1/org/org.go

@@ -26,6 +26,9 @@ import (
 func listUserOrgs(ctx *context.APIContext, u *user_model.User) {
 	listOptions := utils.GetListOptions(ctx)
 	showPrivate := ctx.IsSigned && (ctx.Doer.IsAdmin || ctx.Doer.ID == u.ID)
+	if utils.PublicOnlyToken(ctx, "ApiTokenScopePublicOrgOnly") {
+		showPrivate = false
+	}
 
 	opts := organization.FindOrgOptions{
 		ListOptions:    listOptions,
@@ -191,10 +194,12 @@ func GetAll(ctx *context.APIContext) {
 	//     "$ref": "#/responses/OrganizationList"
 
 	vMode := []api.VisibleType{api.VisibleTypePublic}
-	if ctx.IsSigned {
-		vMode = append(vMode, api.VisibleTypeLimited)
-		if ctx.Doer.IsAdmin {
-			vMode = append(vMode, api.VisibleTypePrivate)
+	if !utils.PublicOnlyToken(ctx, "ApiTokenScopePublicOrgOnly") {
+		if ctx.IsSigned {
+			vMode = append(vMode, api.VisibleTypeLimited)
+			if ctx.Doer.IsAdmin {
+				vMode = append(vMode, api.VisibleTypePrivate)
+			}
 		}
 	}
 
@@ -304,6 +309,11 @@ func Get(ctx *context.APIContext) {
 		return
 	}
 
+	if !ctx.Org.Organization.Visibility.IsPublic() && utils.PublicOnlyToken(ctx, "ApiTokenScopePublicOrgOnly") {
+		ctx.NotFound()
+		return
+	}
+
 	org := convert.ToOrganization(ctx, ctx.Org.Organization)
 
 	// Don't show Mail, when User is not logged in

routers/api/v1/repo/repo.go

@@ -197,6 +197,11 @@ func Search(ctx *context.APIContext) {
 		}
 	}
 
+	if utils.PublicOnlyToken(ctx, "ApiTokenScopePublicRepoOnly") {
+		opts.Private = false
+		opts.IsPrivate = optional.Some(false)
+	}
+
 	var err error
 	repos, count, err := repo_model.SearchRepository(ctx, opts)
 	if err != nil {
@@ -589,6 +594,12 @@ func GetByID(ctx *context.APIContext) {
 		ctx.NotFound()
 		return
 	}
+
+	if repo.IsPrivate && utils.PublicOnlyToken(ctx, "ApiTokenScopePublicRepoOnly") {
+		ctx.NotFound()
+		return
+	}
+
 	ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, permission))
 }
 

routers/api/v1/user/repo.go

@@ -80,6 +80,9 @@ func ListUserRepos(ctx *context.APIContext) {
 	//     "$ref": "#/responses/notFound"
 
 	private := ctx.IsSigned
+	if utils.PublicOnlyToken(ctx, "ApiTokenScopePublicRepoOnly") {
+		private = false
+	}
 	listUserRepos(ctx, ctx.ContextUser, private)
 }
 
@@ -111,6 +114,10 @@ func ListMyRepos(ctx *context.APIContext) {
 		IncludeDescription: true,
 	}
 
+	if utils.PublicOnlyToken(ctx, "ApiTokenScopePublicRepoOnly") {
+		opts.Private = false
+	}
+
 	var err error
 	repos, count, err := repo_model.SearchRepository(ctx, opts)
 	if err != nil {
@@ -162,6 +169,9 @@ func ListOrgRepos(ctx *context.APIContext) {
 	//     "$ref": "#/responses/RepositoryList"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
-
-	listUserRepos(ctx, ctx.Org.Organization.AsUser(), ctx.IsSigned)
+	private := ctx.IsSigned
+	if utils.PublicOnlyToken(ctx, "ApiTokenScopePublicRepoOnly") {
+		private = false
+	}
+	listUserRepos(ctx, ctx.Org.Organization.AsUser(), private)
 }

routers/api/v1/utils/token.go

@@ -0,0 +1,12 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package utils
+
+import "code.gitea.io/gitea/services/context"
+
+// check if api token contains `public-only` scope
+func PublicOnlyToken(ctx *context.APIContext, scopeKey string) bool {
+	publicScope, _ := ctx.Data[scopeKey].(bool)
+	return publicScope
+}