fossar / selfoss

multipurpose rss reader, live stream, mashup, aggregation web application
https://selfoss.aditu.de
GNU General Public License v3.0

Sources api endpoint access forbidden in public mode #1403

Closed davidoskky closed 1 year ago

davidoskky commented 1 year ago

In public mode it's possible to read articles from the web application without logging in, and the list of tags and sources is available. The API, however, does not provide the list of sources and returns "Access forbidden!" when making a GET request to /sources/list. It's possible to get the list of sources from /sources/stats.

Is this the expected behavior and can we expect this to keep working in the future?

jtojnar commented 1 year ago

The GET /sources/list and GET /sources endpoints contain private information like the parameters of sources (including e.g. secret tokens for the Twitter API).

On the other hand, GET /sources/stats contains only the bare minimum needed to display the list of sources in the sidebar so it should be fine to expose in the public mode.

As long as we want to allow viewing specific sources in the public mode, I do not foresee any change in the level of access.
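The distinction drawn in the comment above (full source records are private because their parameters can hold credentials; the stats endpoint is a minimal projection safe for public mode) can be modelled and checked mechanically. The following is example code written for this edit, not selfoss's own implementation: the source records, the field names in them, the `params` sub-dict, the 403 status code and the `serve` function are all constructed assumptions. The only things taken from the thread are the three endpoint paths and the "Access forbidden!" message.

```python
"""Added example: model public-mode access levels for the sources endpoints
and check that the public projection cannot leak private source parameters.
Not selfoss code; schema and status codes are assumptions for illustration."""
from typing import Any, Iterable

# Constructed sample data. Field names are hypothetical, not selfoss's schema.
# The second source's params hold credentials, the kind of value the thread
# says must never be served in public mode.
SOURCES = [
    {"id": 1, "title": "Example feed", "tags": ["news"], "spout": "rss",
     "params": {"url": "https://example.org/feed.xml"}, "unread": 3},
    {"id": 2, "title": "Some timeline", "tags": ["social"], "spout": "twitter",
     "params": {"consumer_key": "ck-123", "consumer_secret": "cs-456"}, "unread": 0},
]

# Allow-list of fields a sidebar needs. Anything not listed (params above all)
# is never copied, so new private fields added later stay private by default.
PUBLIC_FIELDS = ("id", "title", "tags", "unread")


def public_stats(sources: list) -> list:
    """Public-mode projection: copy only the allow-listed fields."""
    return [{k: s[k] for k in PUBLIC_FIELDS} for s in sources]


def _walk(obj: Any) -> Iterable[Any]:
    """Yield every scalar reachable from obj through nested dicts and lists."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _walk(v)
    else:
        yield obj


def private_values(sources: list) -> set:
    """All string values stored under each source's private 'params'."""
    return {v for s in sources for v in _walk(s.get("params", {}))
            if isinstance(v, str)}


def leaks_private(response: Any, sources: list) -> list:
    """Sorted list of private values that appear anywhere in a response body."""
    secrets = private_values(sources)
    return sorted(v for v in _walk(response) if isinstance(v, str) and v in secrets)


def serve(endpoint: str, authenticated: bool, sources: list = SOURCES) -> tuple:
    """Simulated access levels: (status, body).
    /sources/stats is public; /sources and /sources/list need a login.
    The 403 code is an assumption; the message text is what the issue reports."""
    if endpoint == "/sources/stats":
        return 200, public_stats(sources)
    if endpoint in ("/sources", "/sources/list"):
        if not authenticated:
            return 403, "Access forbidden!"
        return 200, sources
    return 404, "Not found"


def public_mode_ok(sources: list = SOURCES) -> bool:
    """Check every unauthenticated response: either refused, or free of secrets."""
    for endpoint in ("/sources", "/sources/list", "/sources/stats"):
        status, body = serve(endpoint, authenticated=False, sources=sources)
        if status == 200 and leaks_private(body, sources):
            return False
    return True


if __name__ == "__main__":
    for ep in ("/sources/list", "/sources/stats"):
        status, body = serve(ep, authenticated=False)
        print(ep, status, "leaks:", leaks_private(body, SOURCES))
    print("public mode ok:", public_mode_ok())
```

The point of the allow-list in `public_stats` is that it fails closed: a deny-list that strips known secret keys would silently start leaking the moment a new spout adds a differently named credential, whereas `leaks_private` run in a test catches any regression in the projection regardless of key names.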

jtojnar commented 1 year ago

Turns out the security level was not correctly declared in the API docs. I have rectified that.