Add a config option to block "expensive" pages for anonymous users #34024

Merged
merged 8 commits into from
Mar 30, 2025

Conversation

wxiaoguang
Contributor

@wxiaoguang wxiaoguang commented Mar 26, 2025

Fix #33966

Document: https://gitea.com/gitea/docs/pulls/191

```ini
;; User must sign in to view anything.
;; It could be set to "expensive" to block anonymous users accessing some pages which consume a lot of resources,
;; for example: block anonymous AI crawlers from accessing repo code pages.
;; The "expensive" mode is experimental and subject to change.
;REQUIRE_SIGNIN_VIEW = false
```

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 26, 2025
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code docs-update-needed The document needs to be updated synchronously labels Mar 26, 2025
@wxiaoguang
Contributor Author

At the moment, these paths are considered as "expensive":

```go
expensivePaths := []string{
	// code related
	"/{username}/{reponame}/archive/",
	"/{username}/{reponame}/blame/",
	"/{username}/{reponame}/commit/",
	"/{username}/{reponame}/commits/",
	"/{username}/{reponame}/media/",
	"/{username}/{reponame}/raw/",
	"/{username}/{reponame}/src/",

	// issue & PR related (no trailing slash)
	"/{username}/{reponame}/issues",
	"/{username}/{reponame}/{type:issues}",
	"/{username}/{reponame}/pulls",
	"/{username}/{reponame}/{type:pulls}",

	// wiki
	"/{username}/{reponame}/wiki/",
}
```

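As an added example (not the PR's code), a small Go model of the check these patterns imply: an anonymous request whose matched route pattern starts with one of the listed prefixes is blocked when REQUIRE_SIGNIN_VIEW is "expensive", and nothing is blocked when the option is left at "false". Prefix matching on the chi route pattern, and the names IsRoutePathExpensive and ShouldBlockAnonymous, are assumptions; the graph and activity paths added later in the thread are not included.

```go
package main

import "strings"

// Route patterns treated as "expensive" for anonymous requests, as listed in
// the comment above. A trailing "/" covers only the sub-tree; the issue/PR
// entries without one also cover the list page itself.
var expensivePaths = []string{
	// code related
	"/{username}/{reponame}/archive/",
	"/{username}/{reponame}/blame/",
	"/{username}/{reponame}/commit/",
	"/{username}/{reponame}/commits/",
	"/{username}/{reponame}/media/",
	"/{username}/{reponame}/raw/",
	"/{username}/{reponame}/src/",
	// issue & PR related (no trailing slash)
	"/{username}/{reponame}/issues",
	"/{username}/{reponame}/{type:issues}",
	"/{username}/{reponame}/pulls",
	"/{username}/{reponame}/{type:pulls}",
	// wiki
	"/{username}/{reponame}/wiki/",
}

// IsRoutePathExpensive reports whether a matched route pattern, e.g.
// "/{username}/{reponame}/src/branch/{branch}/*", starts with an expensive
// prefix. Matching the route pattern, not the raw URL, is an assumption here.
func IsRoutePathExpensive(routePattern string) bool {
	for _, p := range expensivePaths {
		if strings.HasPrefix(routePattern, p) {
			return true
		}
	}
	return false
}

// ShouldBlockAnonymous mirrors the three REQUIRE_SIGNIN_VIEW values: "false"
// never blocks (the option is inert unless set), "true" blocks every anonymous
// view, "expensive" blocks anonymous requests only on the routes listed above.
func ShouldBlockAnonymous(requireSignInView string, signedIn bool, routePattern string) bool {
	switch requireSignInView {
	case "true":
		return !signedIn
	case "expensive":
		return !signedIn && IsRoutePathExpensive(routePattern)
	}
	return false
}
```

Exemptions such as the login page itself are not modelled; a real middleware has to let those routes through before this check runs.
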
@wxiaoguang wxiaoguang force-pushed the fix-access-expensive branch from 0092b3f to 3ae9466 Compare March 26, 2025 10:23
@github-actions github-actions bot added the modifies/templates This PR modifies the template files label Mar 26, 2025
@wxiaoguang wxiaoguang added this to the 1.24.0 milestone Mar 26, 2025
@wxiaoguang wxiaoguang added the type/enhancement An improvement of existing functionality label Mar 26, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 26, 2025
@hiifong
Member

hiifong commented Mar 29, 2025

> At the moment, these paths are considered as "expensive":
>
> ```go
> expensivePaths := []string{
> 	// code related
> 	"/{username}/{reponame}/archive/",
> 	"/{username}/{reponame}/blame/",
> 	"/{username}/{reponame}/commit/",
> 	"/{username}/{reponame}/commits/",
> 	"/{username}/{reponame}/media/",
> 	"/{username}/{reponame}/raw/",
> 	"/{username}/{reponame}/src/",
>
> 	// issue & PR related (no trailing slash)
> 	"/{username}/{reponame}/issues",
> 	"/{username}/{reponame}/{type:issues}",
> 	"/{username}/{reponame}/pulls",
> 	"/{username}/{reponame}/{type:pulls}",
>
> 	// wiki
> 	"/{username}/{reponame}/wiki/",
> }
> ```

I think the graph path should also belong to expensivePaths.

It would be better if these paths under activity could be added.

@wxiaoguang
Contributor Author

> I think the graph path should also belong to expensivePaths.
> It would be better if these paths under activity could be added.

done in 4500686

@GiteaBot GiteaBot removed the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Mar 30, 2025
@wxiaoguang wxiaoguang force-pushed the fix-access-expensive branch from 67b81ca to eeae063 Compare March 30, 2025 04:21
@GiteaBot GiteaBot added the lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. label Mar 30, 2025
@wxiaoguang wxiaoguang enabled auto-merge (squash) March 30, 2025 05:07
@wxiaoguang wxiaoguang changed the title Add a config option to block "expensive" pages Add a config option to block "expensive" pages for anonymous users Mar 30, 2025
@wxiaoguang wxiaoguang disabled auto-merge March 30, 2025 05:12
@wxiaoguang wxiaoguang enabled auto-merge (squash) March 30, 2025 05:13
@wxiaoguang wxiaoguang merged commit b59705f into go-gitea:main Mar 30, 2025
26 checks passed
@wxiaoguang wxiaoguang deleted the fix-access-expensive branch March 30, 2025 05:30
wxiaoguang added a commit to wxiaoguang/gitea that referenced this pull request Mar 30, 2025
…o-gitea#34024)

Fix go-gitea#33966

```
;; User must sign in to view anything.
;; It could be set to "expensive" to block anonymous users accessing some pages which consume a lot of resources,
;; for example: block anonymous AI crawlers from accessing repo code pages.
;; The "expensive" mode is experimental and subject to change.
;REQUIRE_SIGNIN_VIEW = false
```
# Conflicts:
#	routers/api/v1/api.go
#	tests/integration/api_org_test.go
@wxiaoguang wxiaoguang added backport/done All backports for this PR have been created backport/manual No power to the bots! Create your backport yourself! backport/v1.23 This PR should be backported to Gitea 1.23 labels Mar 30, 2025
@wxiaoguang
Contributor Author

wxiaoguang commented Mar 30, 2025

Since there are too many AI crawlers, try to backport it. The new code is covered by tests and it does nothing if users don't set it.

wxiaoguang added a commit that referenced this pull request Mar 30, 2025
…34024) (#34071)

Backport #34024 since there are too many AI crawlers. The new code is
covered by tests and it does nothing if users don't set it.
zjjhot added a commit to zjjhot/gitea that referenced this pull request Mar 31, 2025
* giteaofficial/main:
  [skip ci] Updated translations via Crowdin
  Add toggleClass function in dom.ts (go-gitea#34063)
  Add a config option to block "expensive" pages for anonymous users (go-gitea#34024)
  add additional ReplaceAll in pathsep to cater for different pathsep (go-gitea#34061)
  [skip ci] Updated translations via Crowdin
  enable staticcheck QFxxxx rules (go-gitea#34064)
  update to golangci-lint v2 (go-gitea#34054)
  Add descriptions for private repo public access settings and improve the UI (go-gitea#34057)
  Add anonymous access support for private/unlisted repositories (go-gitea#34051)
  Hide activity contributors, recent commits and code frequrency left tabs if there is no code permission (go-gitea#34053)
  Update action status badge layout (go-gitea#34018)
  Add anonymous access support for private repositories (backend) (go-gitea#33257)
  Simplify emoji rendering (go-gitea#34048)
  Adjust the layout of the toolbar on the Issues/Projects page (go-gitea#33667)
  Fix bug on downloading job logs (go-gitea#34041)
  Fix git client accessing renamed repo  (go-gitea#34034)
  Decouple Batch from git.Repository to simplify usage without requiring the creation of a Repository struct. (go-gitea#34001)
  fix org repo creation being limited by user limits (go-gitea#34030)
  Fix the issue with error message logging for the `check-attr` command on Windows OS. (go-gitea#34035)
  Try to fix check-attr bug (go-gitea#34029)
@richmahn
Contributor

richmahn commented Apr 5, 2025

Was there any change to the admin config settings page to reflect this? I turned it on to "expensive", but I still get an X. Could we maybe get it to say if the expensive setting took?

@wxiaoguang
Contributor Author

The "admin config settings page" is quite outdated. A lot of config options are not there or are incorrectly displayed there.

To confirm, just try to visit a repo's file anonymously.

If we'd like to make the "admin config settings page" work correctly, it needs a complete refactor of the setting system.

Successfully merging this pull request may close these issues.

Setting to disable expensive endpoints for anonymous users