feat: implement repo-specific access tokens in git operations (#11452)

Repository-specific personal access tokens will allow a user's access tokens to be restricted to accessing zero or more specific repositories. Currently they can be configured as "All", or "Public only", and this project will add a third configuration option allowing specific repositories.

This PR is part of a series (#11311), and builds on the infrastructure work in #11434. In this PR, repository-specific access tokens are implemented in `CheckRepoScopedToken`, which is a specific codepath used by git operations to check the permissions of an access token.

For larger context on the usage and future incoming work, the description of #11311 can be referenced.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - As repo-specific access tokens are not exposed to end-users, this PR does not require release notes.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11452
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
Mathieu Fenniak 2026-02-28 18:00:23 +01:00 committed by Mathieu Fenniak
parent 9c8ae0622f
commit f21955caa5
3 changed files with 91 additions and 2 deletions
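The description above covers the three token configurations (all repositories, public only, an explicit list) and the shape of the check in `CheckRepoScopedToken`: map the token's scope level to a permission mode, ask the reducer what the token actually gets on this repository, and refuse the git operation if the answer is lower. The Go program below is an added example of that design written for this page; it is not Forgejo's code. `TokenRepoRestriction`, `Repository`, `AccessMode`, `TokenLevel` and the `ReduceRepoAccess` signature are assumptions standing in for `authz.AuthorizationReducer`, `repo_model.Repository`, `perm.AccessMode` and the `auth_model` levels, and the repositories in `main` are constructed sample data. It deliberately differs from the patch in one respect: a missing reducer, an unknown scope, or a request for no access is denied rather than passed through, so the example fails closed.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode mirrors the ordering of Forgejo's perm.AccessMode (None < Read < Write).
// The type and its values are assumptions for this example, not Forgejo's own.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
)

// Repository is the minimal shape the example needs (hypothetical, not repo_model.Repository).
type Repository struct {
	ID        int64
	IsPrivate bool
}

// RepoScope is the token-level setting from the commit description:
// "All", "Public only", or an explicit list of repositories.
type RepoScope int

const (
	ScopeAll RepoScope = iota
	ScopePublicOnly
	ScopeSpecific
)

// TokenRepoRestriction is a hypothetical authorization reducer. A reducer may only
// lower the requested access mode; it never grants more than was asked for.
type TokenRepoRestriction struct {
	Scope   RepoScope
	RepoIDs map[int64]struct{} // consulted only for ScopeSpecific
}

// ReduceRepoAccess returns the mode the token really has on repo, given the mode the
// caller asked for. A scope value the code does not know is an error (fail closed).
func (t TokenRepoRestriction) ReduceRepoAccess(repo *Repository, requested AccessMode) (AccessMode, error) {
	switch t.Scope {
	case ScopeAll:
		return requested, nil
	case ScopePublicOnly:
		if repo.IsPrivate {
			return AccessModeNone, nil
		}
		return requested, nil
	case ScopeSpecific:
		if _, listed := t.RepoIDs[repo.ID]; listed {
			return requested, nil
		}
		return AccessModeNone, nil
	default:
		return AccessModeNone, errors.New("unknown repository scope")
	}
}

// TokenLevel stands in for the auth_model Read/Write/NoAccess levels (assumed values).
type TokenLevel int

const (
	LevelNoAccess TokenLevel = iota
	LevelRead
	LevelWrite
)

// levelToAccessMode is the same mapping the patch performs: scope level -> permission
// mode, with anything unrecognised collapsing to no access.
func levelToAccessMode(level TokenLevel) AccessMode {
	switch level {
	case LevelRead:
		return AccessModeRead
	case LevelWrite:
		return AccessModeWrite
	default:
		return AccessModeNone
	}
}

// CheckRepoScopedAccess reports whether a git operation needing `level` on repo may
// proceed. Design choice of this example: a nil reducer and a request that maps to
// no access are both refused, rather than skipping the check.
func CheckRepoScopedAccess(reducer *TokenRepoRestriction, repo *Repository, level TokenLevel) (bool, error) {
	if reducer == nil {
		return false, errors.New("no token reducer available for this request")
	}
	want := levelToAccessMode(level)
	if want == AccessModeNone {
		return false, nil
	}
	got, err := reducer.ReduceRepoAccess(repo, want)
	if err != nil {
		return false, err
	}
	// Any reduction below what was requested is a denial, exactly as in the patch.
	return got == want, nil
}

func main() {
	// Constructed sample repositories: one private, one public.
	private := &Repository{ID: 7, IsPrivate: true}
	public := &Repository{ID: 8, IsPrivate: false}
	token := &TokenRepoRestriction{Scope: ScopeSpecific, RepoIDs: map[int64]struct{}{7: {}}}
	for _, r := range []*Repository{private, public} {
		ok, err := CheckRepoScopedAccess(token, r, LevelWrite)
		fmt.Printf("repo %d: write allowed=%v err=%v\n", r.ID, ok, err)
	}
}
```

Running it shows the listed private repository accepting a write while the unlisted public one is refused, which is the behaviour the new configuration option is meant to add on top of "All" and "Public only".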

@ -7,9 +7,11 @@ import (
"net/http"
auth_model "forgejo.org/models/auth"
"forgejo.org/models/perm"
repo_model "forgejo.org/models/repo"
"forgejo.org/models/unit"
"forgejo.org/modules/log"
"forgejo.org/services/authz"
)
// RequireRepoAdmin returns a middleware for requiring repository admin permission
@ -159,4 +161,27 @@ func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_
return
}
}
reducer, ok := ctx.Data["ApiTokenReducer"].(authz.AuthorizationReducer)
if ok {
var accessMode perm.AccessMode
switch level {
case auth_model.Read:
accessMode = perm.AccessModeRead
case auth_model.Write:
accessMode = perm.AccessModeWrite
case auth_model.NoAccess:
fallthrough
default:
accessMode = perm.AccessModeNone
}
actualAccessMode, err := reducer.ReduceRepoAccess(ctx, repo, accessMode)
if err != nil {
ctx.ServerError("HasScope", err)
return
} else if actualAccessMode != accessMode {
ctx.Error(http.StatusForbidden)
return
}
}
}
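Review bot: the `if ok` guard on `ctx.Data["ApiTokenReducer"].(authz.AuthorizationReducer)` means that when the key is absent or holds a different type, the new repository restriction is silently skipped and the token keeps whatever the earlier scope check already allowed. If the reducer is guaranteed to be present for every token-authenticated git request, a comment stating that invariant (or an explicit `else` branch) would make the fail-open path deliberate; if it can be missing, the branch should end in `ctx.Error(http.StatusForbidden)` so the check fails closed. A smaller point in the same hunk: `ctx.ServerError("HasScope", err)` reuses the label of the earlier check; naming the failing call, for example `ctx.ServerError("ReduceRepoAccess", err)`, keeps the server log pointing at the right place. Mapping `auth_model.NoAccess` and the `default` case to `perm.AccessModeNone` and rejecting on `actualAccessMode != accessMode` is the right direction for unknown levels.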