mirror of
https://codeberg.org/forgejo/forgejo
synced 2025-10-19 03:00:47 +02:00
a76099ca94
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| activitypub | ||
| admin | ||
| misc | ||
| notify | ||
| org | ||
| packages | ||
| repo | ||
| settings | ||
| shared | ||
| swagger | ||
| user | ||
| utils | ||
| api.go | ||