mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-10-05 19:30:58 +00:00
8d1cf92e12
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9070 Obtaining a [personal access token via the API](https://forgejo.org/docs/latest/user/api-usage/#generating-and-listing-api-tokens) is no longer possible if the password used for basic authentication is an API token or an [OAuth2 token](https://forgejo.org/docs/latest/user/api-usage/#oauth2-provider): it has to be the user password. Such privilege escalation was only possible for tokens with write permissions to the user. This requirement is already enforced when API calls are made with an authorization header [as described in the documentation](https://forgejo.org/docs/latest/user/api-usage/#authentication), but it was not enforced with basic authentication. As a consequence it was possible for an API token with `write:user` permissions or an OAuth2 token to obtain a new token with a wider or identical scope. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/9070): <!--number 9070 --><!--line 0 --><!--description cmVxdWlyZSBwYXNzd29yZCBsb2dpbiBmb3IgY3JlYXRpb24gb2YgbmV3IHRva2Vu-->require password login for creation of new token<!--description--> <!--end release-notes-assistant--> Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9080 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> |
||
|---|---|---|
| .. | ||
| e2e | ||
| fuzz | ||
| gitea-lfs-meta | ||
| gitea-repositories-meta | ||
| integration | ||
| testdata/data | ||
| mysql.ini.tmpl | ||
| pgsql.ini.tmpl | ||
| sqlite.ini.tmpl | ||
| test_utils.go | ||