mirror/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-03-01 07:41:30 +01:00
Code Issues Projects Releases Packages Wiki Activity
Beyond coding. We forge. https://forgejo.org
24,537 commits 41 branches 275 tags 221 MiB
  • Go 77.7%
  • go-html-template 10.7%
  • Roff 4.2%
  • JavaScript 2.7%
  • CSS 1.9%
  • Other 2.7%
Find a file
Exact
Mathieu Fenniak 48da8f9888 feat: implement repo-specific access tokens broadly for universal API permission checks (#11437) 
Repository-specific personal access tokens will allow a user's access tokens to be restricted to accessing zero-or-more specific repositories.  Currently they can be configured as "All", or "Public only", and this project will add a third configuration option allowing specific repositories.

This PR is part of a series (#11311), and builds on the infrastructure work in #11434.  In this PR, repository-specific access tokens are implemented on the universal permission checks performed by the API middleware, affecting ~182 API endpoints that perform permission checks based upon repositories referenced in their API path (eg. `/v1/api/repos/{owner}/{repo}/...`).

**Breaking change:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path.  As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how repository-specific access tokens, and other permissions checks, are implemented in order to reduce the risk of data probing through error messages.

For larger context on the usage and future incoming work, the description of #11311 can be referenced.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
    - As there is no end-user accessibility to create repo-specific access tokens, this functionality will not be accessible to end-users yet.  But the breaking change in error APIs for public-only access tokens will be visible to end-users.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Breaking features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11437): <!--number 11437 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBicm9hZGx5IGZvciB1bml2ZXJzYWwgQVBJIHBlcm1pc3Npb24gY2hlY2tzLiAgKipCcmVha2luZzoqKiBBUEkgYWNjZXNzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gd291bGQgcHJldmlvdXNseSByZXR1cm4gYSBgNDAzIEZvcmJpZGRlbmAgZXJyb3Igd2hlbiBhdHRlbXB0aW5nIHRvIGFjY2VzcyBhIHByaXZhdGUgcmVwb3NpdG9yeSB3aGVyZSB0aGUgcmVwb3NpdG9yeSBpcyBvbiB0aGUgQVBJIHBhdGguICBBcyBwYXJ0IG9mIGluY29ycG9yYXRpbmcgdGhlIHB1YmxpYy1vbmx5IGxvZ2ljIGludG8gdGhlIGNlbnRyYWxpemVkIHBlcm1pc3Npb24gY2hlY2ssIHRoZXNlIEFQSXMgd2lsbCBub3cgcmV0dXJuIGA0MDQgTm90IEZvdW5kYCBpbnN0ZWFkLCBjb25zaXN0ZW50IHdpdGggaG93IG1vc3QgcGVybWlzc2lvbiBjaGVja3MgYXJlIGltcGxlbWVudGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBkYXRhIHByb2JpbmcgdGhyb3VnaCBlcnJvciBtZXNzYWdlcy4=-->implement repo-specific access tokens broadly for universal API permission checks.  **Breaking:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path.  As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11437
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2026-02-28 19:47:06 +01:00
.devcontainer Update Node.js to v24 (forgejo) (#10091) 2025-11-12 19:41:48 +01:00
.forgejo Revert "Replace Node.js with data.forgejo.org/oci/node 24-trixie (forgejo) (#11384)" (#11406) 2026-02-22 22:31:04 +01:00
.semgrep ci: introduce semgrep to prevent using xorm.Sync() incorrectly in new migrations (#11142) 2026-02-07 21:52:43 +01:00
assets feat: add GetUserRepoPermissionWithReducer 2026-02-27 17:17:29 +01:00
build fix(ui): hardcode sort options in search syntax hint, improve look (#11381) 2026-02-23 06:03:23 +01:00
cmd feat: backend DB model for fine-grained repo access tokens 2026-02-27 17:17:29 +01:00
contrib chore: rename 'forgejo_migrations' to 'forgejo_migrations_legacy' 2025-10-14 14:40:49 -06:00
custom/conf fix(ui)!: remove squash merge committer trailer admin option (#11096) 2026-02-07 12:58:26 +01:00
docker bugfix check for alternate ssh host certificate location (#34146) 2025-04-14 15:53:35 +02:00
models feat: add GetUserRepoPermissionWithReducer 2026-02-27 17:17:29 +01:00
modules feat: backend DB model for fine-grained repo access tokens 2026-02-27 17:17:29 +01:00
options fix(ui): hardcode sort options in search syntax hint, improve look (#11381) 2026-02-23 06:03:23 +01:00
public chore(security): update security.txt with new expiration date (#10447) 2025-12-17 12:32:42 +01:00
release-notes feat: implement repo-specific access tokens broadly for universal API permission checks (#11437) 2026-02-28 19:47:06 +01:00
release-notes-published chore(release-notes): Forgejo v14.0.2 [skip ci] (#11092) 2026-01-29 09:22:00 +01:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers feat: implement repo-specific access tokens broadly for universal API permission checks (#11437) 2026-02-28 19:47:06 +01:00
services feat: implement repo-specific access tokens in git operations (#11452) 2026-02-28 18:00:23 +01:00
templates fix(ui): update sort dropdown structure for consistency across templates (#11423) 2026-02-24 04:21:59 +01:00
tests feat: implement repo-specific access tokens broadly for universal API permission checks (#11437) 2026-02-28 19:47:06 +01:00
tools chore: move backend-checks CI checks to Makefile: make pr-go (#11053) 2026-02-17 02:41:40 +01:00
web_src feat: link CI job to its defining workflow file (#11216) 2026-02-20 03:11:29 +01:00
.air.toml chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
.deadcode-out feat: implement repo-specific access tokens broadly for universal API permission checks (#11437) 2026-02-28 19:47:06 +01:00
.dockerignore fix: Dockerfile should re-use bindata files when possible 2025-06-13 14:00:57 +02:00
.editorconfig i18n(next): convert indention style to tabs: en, editorconfig (#10661) 2026-01-02 05:56:48 +01:00
.envrc.example Make direnv optional to let developers use their own direnv configuration 2024-11-06 20:34:49 +01:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore feat(build): improve lint-locale-usage further (#8736) 2025-08-27 23:47:34 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml Remove sqlite-viewer and using database client (#31223) 2024-06-09 11:13:39 +02:00
.golangci.yml chore(lint): enable nilnil (#11235) 2026-02-11 19:08:24 +01:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.mailmap Add .mailmap with aliases for Unknwon (github.com/Unknwon) 2024-08-14 08:26:16 -04:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.node-version Update Node.js to v24.13.1 (forgejo) (#11236) 2026-02-11 16:23:00 +01:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.release-notes-assistant.yaml chore(release-notes): teach release-notes-assistant that v11.0 is LTS (#10638) 2025-12-30 10:00:22 +01:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile feat: Makefile & BSDmakefile changes (#7455) 2025-04-27 10:04:32 +00:00
CODEOWNERS chore: add @0xllx0 to federation codeowners (#10716) 2026-01-09 23:53:06 +01:00
CONTRIBUTING.md docs: replace Developer Guide link with the new Contributor Guide one. 2024-08-26 13:22:39 +03:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Update data.forgejo.org/oci/alpine Docker tag to v3.23 (forgejo) (#10326) 2025-12-18 15:21:39 +01:00
Dockerfile.rootless Update data.forgejo.org/oci/alpine Docker tag to v3.23 (forgejo) (#10326) 2025-12-18 15:21:39 +01:00
eslint.config.mjs feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
flake.lock chore: bump nixpkgs in flake.lock (#10128) 2025-11-16 01:18:26 +01:00
flake.nix refactor: Simplify flake.nix (#9805) 2025-10-22 19:09:11 +02:00
go.mod feat: add GetUserRepoPermissionWithReducer 2026-02-27 17:17:29 +01:00
go.sum Update module code.forgejo.org/forgejo/runner/v12 to v12.7.0 (forgejo) (#11363) 2026-02-19 04:23:56 +01:00
LICENSE Forgejo v9.0 is GPLv3+ 2024-08-22 09:09:29 +02:00
main.go fix: do not mix urfave v2 with urfave v3 (#8168) 2025-06-12 15:38:03 +02:00
Makefile Update renovate Docker tag to v43.31.1 (forgejo) (#11409) 2026-02-23 06:54:58 +01:00
manifest.scm Add a GNU Guix manifest (#8038) 2025-06-03 08:08:17 +02:00
package-lock.json Update dependency minimatch to v10.2.3 [SECURITY] (forgejo) (#11441) 2026-02-28 02:11:18 +01:00
package.json Update dependency minimatch to v10.2.3 [SECURITY] (forgejo) (#11441) 2026-02-28 02:11:18 +01:00
playwright.config.ts chore: remove webkit and mobile safari from playwright (#10103) 2025-11-13 17:23:08 +01:00
README.md chore: fix a few typos in the documentation (#9134) 2025-09-04 01:53:40 +02:00
release-notes-assistant.sh chore: improve the wording of the "not worth a release note" category (#8542) 2025-07-18 07:19:15 +02:00
RELEASE-NOTES.md chore(release-notes): fix release notes of chroma update in v8.0.0 2025-10-05 17:10:38 +05:00
shell.nix chore: use interactive sqlite via nix (#10439) 2025-12-17 13:20:33 +01:00
stylelint.config.js Merge pull request 'Port "Enable declaration-block-no-redundant-longhand-properties (#30950)' (#3769) from beowulf/gitea-port-pull-30950 into forgejo 2024-05-14 22:23:54 +00:00
tailwind.config.js chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00
tsconfig.json feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
vitest.config.ts feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
webpack.config.js chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00

README.md

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of built-in functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

License

Forgejo is distributed under the terms of the GPL version 3.0 or any later version.

The agreement for this license was documented in June 2023 and implemented during the development of Forgejo v9.0. All Forgejo versions before v9.0 are distributed under the MIT license.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.