QA from CI engine notification through API need write access #21356
Comments
The behavior was changed by :
Reported by:
Indeed, thanks for pointing me to the right change request. Nevertheless, if I may, I would challenge the fact that write permission is required.
From my point of view:
I didn't look into details for this problem. These issues and PRs are by @leytilera @Gusted @KN4CK3R @zeripath @6543, what do you think?
The previous mechanism allowed anyone to send commit statuses without any permissions check. I'm sure you can imagine the sort of problems that could cause. Just create a token for the owner of the repo and pass it either as a header or as a query param. If we can get round to sorting out role permissions - I'd like to do this but don't have time at present - then we could make a nicer mechanism.
Indeed you got the point and I forgot to mention that our organizations are private by default and this is not the expected standard behavior. What do you think about :
I think the current approach is a good solution. Better would be to have a separate permission for the commit statuses, but I don't know how big the changes are that would be required to implement this.
I don't think we should not relax permissions, it will be a weird exemption that people wouldn't expect if they didn't read the source code or this issue. It was already a big oversight that anyone without any permission was able to write commit statuses. As @leytilera mentioned, a new permission for this action should be fine (and doable).
OK, fully understand your point, the best solution is to have a dedicated permission for such an operation and fix the root cause.
According to the discussions above, I think this issue could be closed.
Description
Since Gitea 1.16.9, it looks like the notification API for CI engines needs write access to the repositories' code.
In my case, to secure our repositories, I would like the CI engine not to have write access to repositories.
This configuration makes the QA notification fail with invalid access.
In my configuration, I use the Jenkins Gitea plugin V1.4.3 with Jenkins 2.356.
I wonder whether it is mandatory for this API entry to require write access mode?
Sorry for not having any more logs at the moment (I have since created dedicated groups for CI servers with write access). I will try to reproduce the issue, but I guess you know what I'm saying, as it looks like an expected feature.
Gitea Version
1.17.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
RHEL 8.6
How are you running Gitea?
From the binary provided on the GitHub official release
Database
MySQL