Open runephilosof-karnovgroup opened 8 months ago
That's intended. I also think it can be better though, so that you can see public projects of other orgs.
> As an admin it returns
How can you get admin rights on ci.woodpecker-ci.org? 🤔
In regard to #3014, I'm OK with just removing the link from user / org (making it non-clickable).
I still think it should be possible to view public repos by other users.
I don't have admin rights on ci.woodpecker-ci.org. But I still know what it would return, because that endpoint does not return any sensitive data (although, I don't really know what the `is_user` is about).
Since it does not return sensitive data, it should not be restricted to admins.
Or maybe the frontend should not contact the endpoint since it already has that information (the name of the organization) from other endpoints.
> Or maybe the frontend should not contact the endpoint since it already has that information (the name of the organization) from other endpoints.

Yes, but it needs to check whether it's a user or an org.
For the GitHub organization that I checked, it returned `is_user: true`.
That is also why I guessed that it would return `is_user: true` for https://ci.woodpecker-ci.org/api/orgs/2. Does it?
`is_user` is used here https://github.com/woodpecker-ci/woodpecker/blob/c4ca88e945e5ae50500350c2fc1fd940dc8e80b8/web/src/views/org/OrgWrapper.vue#L9-L10
I am not an organization admin in the organization that I am testing with (only in the Woodpecker instance), so I am not able to see what errors will result from `is_user` being `true`, even though it is clearly an organization.
Regardless, `is_user` is public information, so the easiest fix would be to not restrict the endpoint to admins.
I cannot find where it authorizes the endpoint.
https://github.com/woodpecker-ci/woodpecker/blob/c4ca88e945e5ae50500350c2fc1fd940dc8e80b8/server/router/api.go#L63 does not use `session.MustAdmin()`.
And https://github.com/woodpecker-ci/woodpecker/blob/c4ca88e945e5ae50500350c2fc1fd940dc8e80b8/server/api/org.go#L41 does not authorize.
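To make the situation the thread is debating concrete, here is an added example that is not Woodpecker's code and not taken from the linked files: a tiny net/http service in which a hypothetical `/api/orgs/{id}` handler returns only an org name and an `is_user` flag. The handler is mounted once behind an admin-only guard (the behaviour reported for non-admins) and once behind a login-only guard (the change proposed above). The `X-Session` header, the `mustUser`/`mustAdmin` guards, the `newRouter`/`fetchOrg` helpers and the sample org table are all stand-ins invented for the example.

```go
// Added example, not Woodpecker's code: how an admin-only guard makes a harmless
// lookup (hypothetical /api/orgs/{id} returning only name and is_user) answer 401
// to ordinary users, compared with the same handler behind a login-only guard.
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Org carries the two fields the thread discusses; neither is secret.
type Org struct {
	Name   string `json:"name"`
	IsUser bool   `json:"is_user"`
}

var orgs = map[int64]Org{ // constructed sample data standing in for the database
	1: {Name: "alice", IsUser: true},
	2: {Name: "woodpecker-ci", IsUser: false},
}

// session reads a constructed "X-Session: login[;admin]" header; empty login = anonymous.
func session(r *http.Request) (login string, admin bool) {
	parts := strings.Split(r.Header.Get("X-Session"), ";")
	return parts[0], len(parts) > 1 && parts[1] == "admin"
}

// mustUser rejects anonymous requests with 401.
func mustUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if login, _ := session(r); login == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mustAdmin is a stand-in for an admin-only guard (not Woodpecker's session.MustAdmin());
// it answers 401 to non-admins, mirroring the status reported in the issue.
func mustAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, admin := session(r); !admin {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// getOrg serves GET /api/orgs/{id} with only the name and the is_user flag.
func getOrg(w http.ResponseWriter, r *http.Request) {
	id, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/api/orgs/"), 10, 64)
	if err != nil {
		http.Error(w, "bad id", http.StatusBadRequest)
		return
	}
	if org, ok := orgs[id]; ok {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(org)
		return
	}
	http.NotFound(w, r)
}

// newRouter mounts getOrg behind mustAdmin (reported behaviour) or mustUser (proposed fix).
func newRouter(adminOnly bool) http.Handler {
	var h http.Handler = http.HandlerFunc(getOrg)
	if adminOnly {
		h = mustAdmin(h)
	} else {
		h = mustUser(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/api/orgs/", h)
	return mux
}

// fetchOrg performs GET /api/orgs/{id} in-process with the given X-Session value
// ("" for anonymous); it returns the status code and the body decoded as Org
// (left zero when the body is not JSON, e.g. on 401 or 404).
func fetchOrg(router http.Handler, sess string, id int64) (int, Org) {
	req := httptest.NewRequest(http.MethodGet, "/api/orgs/"+strconv.FormatInt(id, 10), nil)
	req.Header.Set("X-Session", sess)
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	var org Org
	_ = json.NewDecoder(rec.Body).Decode(&org)
	return rec.Code, org
}

func main() {
	for _, adminOnly := range []bool{true, false} {
		code, org := fetchOrg(newRouter(adminOnly), "bob", 2)
		fmt.Printf("adminOnly=%v status=%d name=%q is_user=%v\n", adminOnly, code, org.Name, org.IsUser)
	}
}
```

Running it shows the logged-in non-admin `bob` getting 401 from the admin-gated router and 200 with `woodpecker-ci` / `is_user=false` from the login-gated one; anonymous requests stay at 401 either way, and an unknown id is 404 rather than a leak of the guard's decision. The guard returns 401 for non-admins only to match the status quoted in the issue; a 403 is the more conventional response for an authenticated but unauthorized caller.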
Component
server
Describe the bug
When you are not a Woodpecker admin, https://ci.woodpecker-ci.org/orgs/2 gives an error. The UI shows it as "An unknown error occurred" in a flash message with a red background. The network tab shows a call to https://ci.woodpecker-ci.org/api/orgs/2 returning 401 Unauthorized. As an admin it returns