-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some endpoints ignore specified account and use auth account instead #26234
Comments
I think the current api is ambiguous, it doesn't make sense for one user to manipulate another user's token (unless that user is an admin)
|
Agreed: it's ambiguous. Agreed: an admin user should be able to do it. (Like in my example, but it must operate on the target account rather than the admin account.) But...If you change the API then it's a breaking change, and in theory, you should change from Maybe there is a simpler solution? Maybe
|
We give a permission error if the |
That is a good idea. But what about the admin user? He should be able to operate on another user's account. |
The admin user should use |
I agree with your conclusion. (Just keep in mind it's a breaking change, both for those who were using the API correctly and for those who weren't.) |
People who want to use this endpoints to enable |
After the change, yes. The point is it will break existing integrations. It should be labelled as "breaking change" so people know not to upgrade until they fix their api code. |
The changes I've made are guaranteed compatibility #26323 |
The creation of tokens via API is purposefully limited to non-app tokens because otherwise if an app token is leaked then it could be used to have a chain attack and have new tokens created to maintain access from a malicious user. |
Yes, I noticed that token manipulation can only be done using |
What's happening with this? I'm experiencing the problem explained in this bug. There was a PR to fix this apparently (#26323), but it was abandoned, why? |
No one Reviewed it for a long time, so I closed it. I'm turning it back on now. |
kk, well in summary. I too depend on being able to use the admin account to take on the personality of another user for a specific operation (create a fork). Since it remained in review for a long time, maybe it will continue to do so. Do you have an expectation about how long? If long. Is there a workaround? Downgrading to a version prior to this problem is fine. |
I think I opened a can of worms when I opened that issue, and the new code and discussions were so complicated that I couldn't understand / follow any longer. I'll install the next version when it's released and just hope my setup doesn't break. |
Well, I'm confused now. From the title of the merged PR, it appears that a fix is to remove the ability to specify the user in the path because it gets ignored; so the fix is to make the path consistent with that notion. My objective is to use the admin account to obtain a token to become a user for purposes of forking a repo. Embedded in the discussion, there's some sort of |
@waTeim @lonix1
|
Got it, so in scenario 2, what is the mechanism for the admin (doer) to set the contextUser to some arbitrary other user? |
I'm sorry, I don't quite understand your question. |
The discussion clarifies whether it is necessary to split this endpoint into two parts: normal user operations and administrator operations. |
In other words, what forces ContetUser != Doer, what sort of difference in the REST endpoint call is needed? That kinda came up in one of the linked issues above. |
Doer represents the user who provided the account and password, which is the user in basicAuth. |
Ok so if this change is to remove user from the path, will ContextUser ever be different from Doer? |
But the |
oh, my bad, I misinterpreted the discussion, then. I thought you had opted to remove it. |
So now the behavior of this endpoint is what you expected? |
I think so? I'll modify my code, remove the workaround, re-test, and report back. Is there already a container image that has the change, or do I need to compile, etc, I've just been using 1.20.4 (feel free to point me to docs). |
Thanks for the explanation.
If I understand correctly, that will resolve the original issue: the |
Description
Reproduction:
/api/v1/users/bob/tokens
endpoint, using basic auth with myadmin
account.bob
, but it was actually created foradmin
.This was very surprising and took a while to debug. Is it a bug or by design?
If it's a bug (I think it is), then this issue will track it.
If it's by design:
bob
account, not theadmin
account.Thanks!
Gitea Version
1.20.2
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
n/a
Screenshots
n/a
Git Version
n/a
Operating System
n/a
How are you running Gitea?
docker
Database
None
The text was updated successfully, but these errors were encountered: