Member of team with limited "Read" only access to issues can create new issues #13411

Open
opened 2025-11-02 10:41:32 -06:00 by GiteaMirror · 4 comments
Owner

Originally created by @seccentral on GitHub (Aug 20, 2024).

Description

I created a gitea instance with keycloak authentication for the purpose of centralizing multiple service authentication/authorization under one solution and added the users to groups that are exposed as a custom claim along with their group names in the access token, then created an Org with teams in gitea and mapped the claimed groups to the organization's teams representing full access administrators and read only members.
The read only members should have read only access to the Issues and Wiki as configured on the Team's ACL settings.
The problem is that the read only users can create new issues, hence I suspect that this is a bug.

TL/DR - make an org with a team who's members are ACL restricted to read only, and they can create new issues.

Gitea Version

1.21.8

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

  • not relevant/required -

Screenshots

image

  • screenshot provided for context but it's not really required. the description is self explanatory

Git Version

No response

Operating System

Debian 12

How are you running Gitea?

Custom tailored docker stack including it's postgres database, auth(keycloak) and reverse proxy(caddy), but this detail is not relevant for this bug.

Database

PostgreSQL

Originally created by @seccentral on GitHub (Aug 20, 2024). ### Description I created a gitea instance with keycloak authentication for the purpose of centralizing multiple service authentication/authorization under one solution and added the users to groups that are exposed as a custom claim along with their group names in the access token, then created an Org with teams in gitea and mapped the claimed groups to the organization's teams representing full access administrators and read only members. The read only members should have read only access to the Issues and Wiki as configured on the Team's ACL settings. The problem is that the read only users can create new issues, hence I suspect that this is a bug. TL/DR - make an org with a team who's members are ACL restricted to read only, and they can create new issues. ### Gitea Version 1.21.8 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist - not relevant/required - ### Screenshots ![image](https://github.com/user-attachments/assets/ba2419a1-38f0-4837-8b23-653905800ac3) - screenshot provided for context but it's not really required. the description is self explanatory ### Git Version _No response_ ### Operating System Debian 12 ### How are you running Gitea? Custom tailored docker stack including it's postgres database, auth(keycloak) and reverse proxy(caddy), but this detail is not relevant for this bug. ### Database PostgreSQL
GiteaMirror added the issue/not-a-bug label 2025-11-02 10:41:32 -06:00
Author
Owner

@lunny commented on GitHub (Aug 20, 2024):

It's not a bug, it's by design which will keep consistent with Github's implementations.

@lunny commented on GitHub (Aug 20, 2024): It's not a bug, it's by design which will keep consistent with Github's implementations.
Author
Owner

@seccentral commented on GitHub (Aug 21, 2024):

I didn't know. Is there a way to allow read only access as the ACL page actually suggests is happening ? If not, it should be useful to remove the read only option from the ACL settings page because it's not advertising what it's selling.

Also, thank you for clarifying.

@seccentral commented on GitHub (Aug 21, 2024): I didn't know. Is there a way to allow read only access as the ACL page actually suggests is happening ? If not, it should be useful to remove the read only option from the ACL settings page because it's not advertising what it's selling. Also, thank you for clarifying.
Author
Owner

@shimaowo commented on GitHub (Jan 23, 2025):

I would agree that it is very unfortunate that gitea has no way to create a truly read-only user.

I want to share repositories with people on a read-only basis, but the only way to do that is to entirely block access to even viewing things like Issues, which almost defeats the purpose.

It also seems to make the ACL meaningless and misleading.

@shimaowo commented on GitHub (Jan 23, 2025): I would agree that it is very unfortunate that gitea has no way to create a truly read-only user. I want to share repositories with people on a read-only basis, but the only way to do that is to entirely block access to even viewing things like Issues, which almost defeats the purpose. It also seems to make the ACL meaningless and misleading.
Author
Owner

@lunny commented on GitHub (Jan 27, 2025):

I would agree that it is very unfortunate that gitea has no way to create a truly read-only user.

I want to share repositories with people on a read-only basis, but the only way to do that is to entirely block access to even viewing things like Issues, which almost defeats the purpose.

It also seems to make the ACL meaningless and misleading.

Maybe we can have an option to allow users to create issues with read permission.

@lunny commented on GitHub (Jan 27, 2025): > I would agree that it is very unfortunate that gitea has no way to create a truly read-only user. > > I want to share repositories with people on a read-only basis, but the only way to do that is to entirely block access to even viewing things like Issues, which almost defeats the purpose. > > It also seems to make the ACL meaningless and misleading. Maybe we can have an option to allow users to create issues with read permission.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#13411