woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0
4.07k stars, 351 forks

Allow to view (public) repos from other orgs (if not an admin)/users #2983

Open runephilosof-karnovgroup opened 8 months ago

runephilosof-karnovgroup commented 8 months ago

Component

server

Describe the bug

When you are not a Woodpecker admin https://ci.woodpecker-ci.org/orgs/2 gives an error. The UI shows it as An unknown error occurred in a flash message with a red background. The network fan shows a call to https://ci.woodpecker-ci.org/api/orgs/2 returning 401 Unauthorized

As an admin it returns

{"id":2,"name":"woodpecker","is_user":true}

System Info

{"source":"https://github.com/woodpecker-ci/woodpecker","version":"next-a28e2e1920"}

Additional context

No response

qwerty287 commented 8 months ago

That's intended. I also think it can be better though, so that you can see public projects of other orgs.

As an admin it returns

How can you get admin rights on ci.woodpecker-ci.org? 🤔

zc-devs commented 8 months ago

In regards #3014, I'm OK with just removing the link from user / org (making it non-clickable).

qwerty287 commented 8 months ago

I still think it should be possible to view public repos by other users.

runephilosof-karnovgroup commented 8 months ago

That's intended. I also think it can be better though, so that you can see public projects of other orgs.

As an admin it returns

How can you get admin rights on ci.woodpecker-ci.org? 🤔

I don't have admin rights on ci.woodpecker-ci.org. But I still know what it would return, because that endpoint does not return any sensitive data (although I don't really know what is_user is about). Since it does not return sensitive data, it should not be restricted to admins. Or maybe the frontend should not contact the endpoint since it already has that information (the name of the organization) from other endpoints.

qwerty287 commented 8 months ago

Or maybe the frontend should not contact the endpoint since it already has that information (the name of the organization) from other endpoints.

Yes, but it needs to check whether it's a user or an org.

runephilosof-karnovgroup commented 8 months ago

For the Github organization that I checked, it returned is_user: true. That is also why I guessed that it would return is_user: true for https://ci.woodpecker-ci.org/api/orgs/2. Does it?

is_user is used here: https://github.com/woodpecker-ci/woodpecker/blob/c4ca88e945e5ae50500350c2fc1fd940dc8e80b8/web/src/views/org/OrgWrapper.vue#L9-L10. I am not an organization admin in the organization that I am testing with (only in the Woodpecker instance), so I am not able to see what errors will result from is_user being true, even though it is clearly an organization.

Regardless, is_user is public information, so the easiest fix would be to not restrict the endpoint to admins.

runephilosof-karnovgroup commented 8 months ago

I cannot find where it authorizes the endpoint.

https://github.com/woodpecker-ci/woodpecker/blob/c4ca88e945e5ae50500350c2fc1fd940dc8e80b8/server/router/api.go#L63 does not use session.MustAdmin(). And https://github.com/woodpecker-ci/woodpecker/blob/c4ca88e945e5ae50500350c2fc1fd940dc8e80b8/server/api/org.go#L41 does not authorize.
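The authorization split this thread discusses, as an added example that is not Woodpecker's code: a hypothetical MustAdmin-style gate (driven by a constructed X-Role header over a constructed in-memory store) wrapped around an org-lookup handler, so the 401 the issue reports and the proposed ungated public-metadata response can be compared side by side.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Org mirrors the issue's admin response; Secrets is a hypothetical sensitive field tagged "-" so the handler can never serialise it.
type Org struct {
	ID      int64    `json:"id"`
	Name    string   `json:"name"`
	IsUser  bool     `json:"is_user"`
	Secrets []string `json:"-"`
}

// constructed in-memory store standing in for the database
var orgs = map[int64]Org{2: {ID: 2, Name: "woodpecker", IsUser: true, Secrets: []string{"deploy-key"}}}

// requireAdmin is a MustAdmin-style gate keyed on the constructed X-Role header: anonymous callers get 401, non-admins 403.
func requireAdmin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch r.Header.Get("X-Role") {
		case "":
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case "admin":
			next(w, r)
		default:
			http.Error(w, "forbidden", http.StatusForbidden)
		}
	}
}

// getOrg serves GET /api/orgs/{id}; everything it can emit is public metadata.
func getOrg(w http.ResponseWriter, r *http.Request) {
	id, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/api/orgs/"), 10, 64)
	if org, ok := orgs[id]; err == nil && ok {
		json.NewEncoder(w).Encode(org)
		return
	}
	http.Error(w, "not found", http.StatusNotFound)
}

// call runs h for GET path as role ("" = anonymous) and returns status and body; compare requireAdmin(getOrg) with bare getOrg.
func call(h http.HandlerFunc, path, role string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

With the gate in place an anonymous call to /api/orgs/2 yields the 401 from the issue; without it the same handler returns exactly {"id":2,"name":"woodpecker","is_user":true}, and the "-" tag is what keeps that safe regardless of caller.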