mirror of
https://codeberg.org/forgejo/forgejo
synced 2025-10-18 23:00:43 +02:00
a76099ca94
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| actions | ||
| forgejo/v1 | ||
| packages | ||
| shared | ||
| v1 | ||