API privacy / security - organization endpoints can be accessed without an access token

[OndrejSpanel]

• Gitea version (or commit ref): 1.6.2
• Git version: 1.9.1
• Operating system: Debian 7
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

Several API endpoints can be accessed without any authorization at all. I have found following GET requests which responded to me this way:

/orgs/{org}/repos
/orgs/{org}/members
/orgs/{org}

Some other endpoints I have tested require authorization (e.g. /orgs/{org}/hooks). I think the only gitea API endpoint which should be accessible without any authorization is version - any listing of repositories, users or organization should require it.

Screenshots

[markediez]

Hmm, I don't think this is an issue. GitHub allows unauthorized access in their APIs as well. I tried querying my org and it did not show my private repos given your steps.

[markediez]

/members endpoint only shows visible users
/repos endpoint only shows public repos
I don't see an option to set an org private.

[lafriks]

It should probably follow setting if public access is allowed or not and based on that require token or allow without it. Needs rechecking if this is really is issue or not

[OndrejSpanel]

I see my repro on gitea test server is not representative, given the server is public. My gitea server is set to allow access only to registered users (REQUIRE_SIGNIN_VIEW = true). It would be nice if API followed this setting as well.