Write / Read Permissions for specific units are ignored #1140

New Issue

Closed

opened 2025-11-02 03:49:51 -06:00 by GiteaMirror · 6 comments

GiteaMirror commented 2025-11-02 03:49:51 -06:00

Owner

Copy Link

Originally created by @TheRealPowerCoder on GitHub (Oct 11, 2017).

• Gitea version (or commit ref): 339d7de
• Git version: 2.14.1 (Windows)
• Operating system: Linux Alpine (Gitea Docker)
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL): https://try.gitea.io/SuperOrganisation/PermissionsTest
  • No
  • Not relevant
• Log gist:

Description

When using organisations and teams there are permission settings for these teams. Available options are

• Read Permissions (with units that can be selected below)
• Write Permissions (with units that can be selected below)
• Admin Permissions

I created a team called WikiAuthors and only enabled them write access to the wiki. When testing the WikiAuthors could still change files in the code segment, accept pullrequest, etc (see try.gitea above).

When setting WikiAuthors to Read Permission and only for the unit Wiki, they could still see everything else but furtunetly not edit anything (except creating issues and pull requests) (see try.gitea above).

A simmilar problem arises when enableing branch protection. Users of a Team that is not whitelisted can still force push into a protected branch (this was not tested in the try.gitea version).

Am I using the permission system wrong or is it not fully implemented yet?
It seems that Gitea only cares about whether or not at least one write/read permission is set.
This Issue is somewhat related to #2684 as a broader issue concerning the permission system.

Screenshots

Originally created by @TheRealPowerCoder on GitHub (Oct 11, 2017). - Gitea version (or commit ref): 339d7de - Git version: 2.14.1 (Windows) - Operating system: Linux Alpine (Gitea Docker) - Database (use `[x]`): - [x] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL): https://try.gitea.io/SuperOrganisation/PermissionsTest - [ ] No - [ ] Not relevant - Log gist: ## Description When using organisations and teams there are permission settings for these teams. Available options are - Read Permissions (with units that can be selected below) - Write Permissions (with units that can be selected below) - Admin Permissions I created a team called _WikiAuthors_ and only enabled them write access to the wiki. When testing the _WikiAuthors_ could still change files in the code segment, accept pullrequest, etc (see try.gitea above). When setting _WikiAuthors_ to __Read Permission__ and only for the unit __Wiki__, they could still see everything else but furtunetly not edit anything (except creating issues and pull requests) (see try.gitea above). A simmilar problem arises when enableing branch protection. Users of a Team that is not whitelisted can still force push into a protected branch (this was not tested in the try.gitea version). __Am I using the permission system wrong or is it not fully implemented yet?__ It seems that Gitea only cares about whether or not at least one write/read permission is set. This Issue is somewhat related to #2684 as a broader issue concerning the permission system. ## Screenshots <!-- **If this issue involves the Web Interface, please include a screenshot** -->

GiteaMirror added the type/enhancement label 2025-11-02 03:49:51 -06:00

GiteaMirror closed this issue 2025-11-02 03:49:51 -06:00

GiteaMirror commented 2025-11-02 03:49:52 -06:00

Author

Owner

Copy Link

@Morlinest commented on GitHub (Oct 11, 2017):

I think everyone can see everything because your org and repo is public. Try to make repository private first.

@Morlinest commented on GitHub (Oct 11, 2017): I think everyone can see everything because your org and repo is public. Try to make repository private first.

GiteaMirror commented 2025-11-02 03:49:52 -06:00

Author

Owner

Copy Link

@TheRealPowerCoder commented on GitHub (Oct 11, 2017):

I have tried your suggestion that setting the repo to private might change things. Yes it does work for read permissions. It makes sense that everybody can see everything if the repo is public.

However write permissions on the other hand are still problematic. Unless the repo is set to private, the unit settings will be ignored and everyone with at least one write permission has repo wide write access. Our repo has to be public but with units affecting write permissions, as I dont want everybody to have access for writing in the Wiki or creating releases.

As it stands now my original issue still exists: Unit Write Permissions dont affect access level unless repo is made private. If the repo is private I am unable to say that WikiAuthors have write access to the wiki and still are able to__read__ otherparts of the repo.

Seperate read and write unit permissions with at least write permissions still being affective in public repos could solve the issue.

@TheRealPowerCoder commented on GitHub (Oct 11, 2017): I have tried your suggestion that setting the repo to private might change things. Yes it does work for read permissions. It makes sense that everybody can see everything if the repo is public. However write permissions on the other hand are still problematic. Unless the repo is set to private, the unit settings will be ignored and everyone with at least one write permission has repo wide write access. Our repo has to be public but with units affecting write permissions, as I dont want everybody to have access for writing in the Wiki or creating releases. As it stands now my original issue still exists: Unit Write Permissions dont affect access level unless repo is made private. If the repo is private I am unable to say that _WikiAuthors_ have write access to the wiki and still are able to__read__ otherparts of the repo. __Seperate read and write unit permissions with at least write permissions still being affective in public repos could solve the issue.__

GiteaMirror commented 2025-11-02 03:49:53 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Oct 15, 2017):

I think the problem is we want some team could

read code and write wiki

or something like this.
Now we only support Read or Write all team's Units.
This should be an enhancement of team settings.

@lunny commented on GitHub (Oct 15, 2017): I think the problem is we want some team could > read code and write wiki or something like this. Now we only support Read or Write all team's Units. This should be an enhancement of team settings.

GiteaMirror commented 2025-11-02 03:49:53 -06:00

Author

Owner

Copy Link

@terrywh commented on GitHub (Nov 28, 2018):

are there any news on this ? is this related to #5308 / #5307 ?

@terrywh commented on GitHub (Nov 28, 2018): are there any news on this ? is this related to #5308 / #5307 ?

GiteaMirror commented 2025-11-02 03:49:53 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Nov 28, 2018):

This should be fixed by #5314

@lunny commented on GitHub (Nov 28, 2018): This should be fixed by #5314

GiteaMirror commented 2025-11-02 03:49:53 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Nov 28, 2018):

Please feel free to reopen.

@lunny commented on GitHub (Nov 28, 2018): Please feel free to reopen.

GiteaMirror referenced this issue 2025-11-02 11:57:08 -06:00

[PR #1407] [MERGED] Mirror sync interval specified as duration string #15895

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#1140