wxiaoguang
Contributor

@wxiaoguang wxiaoguang commented Oct 18, 2025

Fix #35690

Change the "restricted user" behavior introduced by #6274. Now restricted users can also access public repositories when sign-in is not required.

For required sign-in, the behavior isn't changed.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 18, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Oct 18, 2025
@wxiaoguang wxiaoguang added this to the 1.26.0 milestone Oct 18, 2025
@wxiaoguang wxiaoguang added the type/enhancement An improvement of existing functionality label Oct 18, 2025
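
The change described in the PR description above, written out as a simplified decision model so the affected case can be enumerated. This is an added example, not code from the PR or from Gitea: `Viewer`, `Repo`, `CanRead` and `ChangedCases` are hypothetical names, and `Granted` stands for any explicit grant on the repository, which the model assumes is unaffected by the change.

```go
package main

import "fmt"

// Simplified model for illustration, not Gitea's code; all names are hypothetical.
type Viewer struct{ SignedIn, Restricted bool }

// Granted: the viewer has an explicit grant on the repo (assumed: collaborator or team).
type Repo struct{ Private, Granted bool }

// CanRead models the read decision. publicForRestricted=false is the behavior
// before the PR, true is the behavior after it.
func CanRead(v Viewer, r Repo, requireSignIn, publicForRestricted bool) bool {
	if !v.SignedIn {
		return !r.Private && !requireSignIn // anonymous: public repos, if sign-in is optional
	}
	if r.Granted {
		return true
	}
	if r.Private {
		return false
	}
	if v.Restricted {
		// Public repo without an explicit grant: the only branch the PR changes.
		return publicForRestricted && !requireSignIn
	}
	return true
}

// ChangedCases walks all 16 signed-in flag combinations and reports those
// whose result differs between the old and the new behavior.
func ChangedCases() []string {
	var out []string
	for i := 0; i < 16; i++ {
		v := Viewer{SignedIn: true, Restricted: i&1 != 0}
		r := Repo{Private: i&2 != 0, Granted: i&4 != 0}
		signIn := i&8 != 0
		if CanRead(v, r, signIn, false) != CanRead(v, r, signIn, true) {
			out = append(out, fmt.Sprintf("restricted=%t private=%t granted=%t requireSignIn=%t",
				v.Restricted, r.Private, r.Granted, signIn))
		}
	}
	return out
}

func main() { fmt.Println(ChangedCases()) }
```

In this model exactly one combination changes, so an instance that relied on the restricted flag alone to hide public repositories keeps the old result only while sign-in is required.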
Member

@lafriks lafriks left a comment

Blocking

@lunny
Member

lunny commented Oct 18, 2025

> Blocking

Could you post the reason? It sounds reasonable for restricted users to visit public repositories.

@wxiaoguang wxiaoguang marked this pull request as draft October 18, 2025 05:38
@wxiaoguang
Contributor Author

> Blocking

I know it is a designed behavior, but it is counterintuitive.

If there is a strong reason, please help to add more comments and add some UI help messages.

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 18, 2025
@wxiaoguang wxiaoguang force-pushed the fix-restricted-user-org branch from 46cd47d to 9b173c0 Compare October 18, 2025 07:12
@wxiaoguang wxiaoguang marked this pull request as ready for review October 18, 2025 07:23
@wxiaoguang wxiaoguang requested a review from lafriks October 19, 2025 09:33
@ChristopherHX
Contributor

I thought the same about allowing Gitea Actions ${{ gitea.token }} token in #35688 to pull any public repo if tokenless download is possible.

After I noticed this topic, I reverted public repo access for now and simply do refactoring + adding some tests.

Maybe if the Gitea Actions User is a restricted user then a simple fallback to default user access validation instead of special handling can be used after this change is included in the branch.

@wxiaoguang
Contributor Author

"require sign-in" is really an important feature but it is also really easy to forget ....

@wxiaoguang
Contributor Author

ping @lafriks

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged labels Oct 21, 2025
@wxiaoguang
Contributor Author

Thank you, added more tests in 5ae0753, I think the "restricted user behavior" should be clearly covered now.

@wxiaoguang wxiaoguang merged commit 3917d27 into go-gitea:main Oct 21, 2025
26 checks passed
@wxiaoguang wxiaoguang deleted the fix-restricted-user-org branch October 21, 2025 07:30
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Oct 21, 2025
Fix go-gitea#35690

Change the "restricted user" behavior introduced by go-gitea#6274. Now
restricted users can also access public repositories when sign-in is not
required.

For required sign-in, the behavior isn't changed.
@GiteaBot GiteaBot added the backport/done All backports for this PR have been created label Oct 21, 2025
wxiaoguang added a commit that referenced this pull request Oct 21, 2025
zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 23, 2025
* giteaofficial/main:
  Fix external render (go-gitea#35727)
  Refactor Actions Token Access (go-gitea#35688)
  Honor delete branch on merge repo setting when using merge API (go-gitea#35488)
  Don't block site admin's operation if SECRET_KEY is lost (go-gitea#35721)
  [skip ci] Updated translations via Crowdin
  fix attachment file size limit in server backend (go-gitea#35519)
  Make restricted users can access public repositories (go-gitea#35693)
  Fix various trivial problems (go-gitea#35714)
  Refactor legacy code (go-gitea#35708)
  Add quick approve button on PR page (go-gitea#35678)
Labels

backport/done All backports for this PR have been created backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code type/enhancement An improvement of existing functionality

Development

Successfully merging this pull request may close these issues.

Restricted Users cannot see Public Repos/Orgs...

5 participants