mirror of
https://codeberg.org/forgejo/forgejo
synced 2025-10-18 15:20:38 +02:00
a76099ca94
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| api | ||
| common | ||
| install | ||
| private | ||
| utils | ||
| web | ||
| init.go | ||