mirror of
https://codeberg.org/forgejo/forgejo
synced 2025-10-18 23:10:42 +02:00
a76099ca94
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| source | ||
| additional_scopes_test.go | ||
| auth.go | ||
| auth_test.go | ||
| basic.go | ||
| group.go | ||
| httpsign.go | ||
| interface.go | ||
| main_test.go | ||
| oauth2.go | ||
| oauth2_test.go | ||
| reverseproxy.go | ||
| reverseproxy_test.go | ||
| session.go | ||
| signin.go | ||
| source.go | ||
| sync.go | ||