Gitea: API privacy / security - organization endpoints can be accessed without an access token

Hmm, I don't think this is an issue. GitHub allows unauthorized access in their APIs as well. I tried querying my org and it did not show my private repos given your steps.

/members endpoint only shows visible users
/repos endpoint only shows public repos
I don't see an option to set an org private.

It should probably follow setting if public access is allowed or not and based on that require token or allow without it. Needs rechecking if this is really is issue or not

I see my repro on gitea test server is not representative, given the server is public. My gitea server is set to allow access only to registered users (REQUIRE_SIGNIN_VIEW = true). It would be nice if API followed this setting as well.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

According #6731, @OndrejSpanel there is no problem here.

What I do not understand after reading that issue: Do you mean the behaviour I describe is as designed (or at least acceptable), or that the issue was fixed meanwhile?

@OndrejSpanel That means it's as designed. My tests haven't found a privacy / security problem on that. Those APIs will return public content when you have no access token.

My issue about privacy is that I think no content should be considered "public" (accessible without an access token) when you require login even to access the Gitea main pages (i.e. when you use the option REQUIRE_SIGNIN_VIEW = true).

This is how it currently works, and what @lunny test show in #6731

If REQUIRE_SIGNIN_VIEW = true The API calls for the examples above all return

{
    "message": "Only signed in user is allowed to call APIs."
}

As they all should, based on:

https://github.com/go-gitea/gitea/blob/19ec2606e91610421a3e9cd87c94748ef07ca468/modules/context/auth.go#L75-L83

I don't see an example of this not working (the screenshot in the original issue is from public gitea that doesn't not have REQUIRE_SIGNIN_VIEW = true

Is there a specific example that can be seen of this not working?

I was concerned about issues like this but before migrating to Gitea (from GitLab) but I tested with my local install (running 1.8 with REQUIRE_SIGNIN_VIEW set) and cannot reproduce.

Assuming there are no issues in auth.IsAPIPath function I don't see any issues here.

jtl@jtl-macbookpro-linux:~$ curl -X GET "http://10.2.2.32:3000/api/v1/users/search?q=jtl" -H  "accept: application/json" ; echo 
{"message":"Only signed in user is allowed to call APIs."}

Let's close this and please feel free to reopen it.

I confirm the issue does not exist. My previous testing methodology was bad, as I was testing it in a browser session which has already performed the authentication. Testing in a fresh browser returns error as expected.

No harm no foul. Better to be careful about these sorts of things.