/api/v1/orgs has become an authenticated endpoint with 0.19 #10668

Closed
opened 2025-11-02 09:14:54 -06:00 by GiteaMirror · 2 comments

Originally created by @ianw on GitHub (Apr 17, 2023).

Description

We have CI for https://opendev.org where we are testing our upgrade of 1.18.5 to 1.19.1 [1].

We found that one of our CI tasks that gets the orgs from api/v1/orgs started failing returning a 401.

I believe this is related to de484e86bc

It's not too hard to replicate this; as opendev.org is still on 1.18

$ curl https://opendev.org/api/v1/orgs
$ curl https://try.gitea.io/api/v1/orgs

The first returns json, the second not :) I'm not sure if this is intentional; it does seem like the public org listing probably doesn't need to be an authenticated call?

[1] https://review.opendev.org/c/opendev/system-config/+/877541

Gitea Version

1.19.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Our gitea is built from upstream into a container

Database

None

GiteaMirror added the type/bug label 2025-11-02 09:14:54 -06:00

@wxiaoguang commented on GitHub (Apr 18, 2023):

Related to #20908

// old
m.Get("/orgs", org.GetAll)
// new
m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

And it seems that not only this one, many other end-points also have similar changes.

@harryzcy do you have ideas about how to make them more correct?


@harryzcy commented on GitHub (Apr 18, 2023):

@wxiaoguang If it should be public, then reqToken call should be removed. If it should require a token but doesn't require any specific scope, reqToken("") should be used.


Reference: github-starred/gitea#10668
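
The route change discussed in this thread can be caught before an upgrade by comparing what an unauthenticated client receives from the old and new routing. The following is an added example, not code from Gitea or from any participant in the thread: `reqToken` here is a simplified stand-in that only checks for an `Authorization` header, and `getAll`, `routes`, `anonStatus` and `AuthDrift` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// reqToken: simplified stand-in (assumption); no Authorization header means 401.
func reqToken(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "token is required", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

func getAll(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "[]") }

// routes builds a constructed router serving h on the path from the issue.
func routes(h http.HandlerFunc) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/orgs", h)
	return mux
}

// anonStatus returns the status an unauthenticated GET receives from h.
func anonStatus(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// AuthDrift reports paths whose anonymous status differs: {before, after}.
func AuthDrift(before, after http.Handler, paths []string) map[string][2]int {
	drift := map[string][2]int{}
	for _, p := range paths {
		if a, b := anonStatus(before, p), anonStatus(after, p); a != b {
			drift[p] = [2]int{a, b}
		}
	}
	return drift
}

func main() {
	fmt.Println(AuthDrift(routes(getAll), routes(reqToken(getAll)), []string{"/api/v1/orgs"}))
}
```

Run against a list of the API paths a CI job depends on, a non-empty result flags endpoints whose anonymous access changed, in either direction, and should be reviewed before the upgrade ships.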