diff --git a/user/index.md b/user/index.md index 0f874ef0..75c6bd38 100644 --- a/user/index.md +++ b/user/index.md @@ -30,11 +30,12 @@ involved in running it on their machines. - [Issue and Pull Request Templates](issue-pull-request-templates) - [Actions](actions) - [Merge Message templates](merge-message-templates) - - [Generating an Access Token](https://docs.codeberg.org/advanced/access-token/) - [Webhooks](webhooks) - Authentication + - [Generating an Access Token](https://docs.codeberg.org/advanced/access-token/) + - [Access Token scope](token-scope) - [LDAP, PAM, FreeIPA](authentication) - - [OAuth2, Scoped Tokens, Client Types](oauth2-provider) + - [OAuth2, Client Types](oauth2-provider) - [Semantic version](semver) - [API Usage](api-usage) - [API Reference](https://codeberg.org/api/swagger) diff --git a/user/oauth2-provider.md b/user/oauth2-provider.md index c2d103b0..08ceba29 100644 --- a/user/oauth2-provider.md +++ b/user/oauth2-provider.md @@ -28,43 +28,7 @@ To use the Authorization Code Grant as a third party application it is required ## Scoped Tokens -Forgejo supports scoped access tokens, which allow users to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following: - -- `read`: `GET` routes -- `write`: `POST`, `PUT`, `PATCH`, and `DELETE` routes (in addition to `GET`) - -Forgejo token scopes are as follows: - -| Name | Description | -| ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -| **(no scope)** | Not supported. A scope is required even for public repositories. | -| **activitypub** | `activitypub` API routes: ActivityPub related operations. | -|     **read:activitypub** | Grants read access for ActivityPub operations. | -|     **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | -| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | -|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | -|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | -| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | -|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | -|     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | -| **misc** | miscellaneous and settings top-level API routes. | -|     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. | -|     **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. | -| **notification** | `notification/*` API routes: user notification operations. | -|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | -|     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | -| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | -|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | -|     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | -| **package** | `/packages/*` API routes: Packages operations | -|     **read:package** | Grants read access to package operations, such as reading and downloading available packages. | -|     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | -| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | -|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | -|     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | -| **user** | `/user/*` and `/users/*` API routes: User-related operations. | -|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | -|     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. | +See the [Access Token scope](../token-scope) section for more information. ## Client types diff --git a/user/token-scope.md b/user/token-scope.md new file mode 100644 index 00000000..79c647f4 --- /dev/null +++ b/user/token-scope.md @@ -0,0 +1,44 @@ +--- +layout: '~/layouts/Markdown.astro' +title: 'Access Token scope' +license: 'Apache-2.0' +origin_url: 'https://github.com/go-gitea/gitea/blob/62ac3251fa545d32bdfc9ff824106b97ec63edbb/docs/content/doc/development/oauth2-provider.en-us.md' +--- + +Forgejo supports scoped access tokens, which allow users to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following: + +- `read`: `GET` routes +- `write`: `POST`, `PUT`, `PATCH`, and `DELETE` routes (in addition to `GET`) + +Forgejo token scopes are as follows: + +| Name | Description | +| ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | +| **(no scope)** | Not supported. A scope is required even for public repositories. | +| **activitypub** | `activitypub` API routes: ActivityPub related operations. | +|     **read:activitypub** | Grants read access for ActivityPub operations. | +|     **write:activitypub** | Grants read/write/delete access for ActivityPub operations. | +| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). | +|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. | +|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts. | +| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. | +|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. | +|     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. | +| **misc** | miscellaneous and settings top-level API routes. | +|     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. | +|     **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations. | +| **notification** | `notification/*` API routes: user notification operations. | +|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. | +|     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read. | +| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. | +|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. | +|     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings. | +| **package** | `/packages/*` API routes: Packages operations | +|     **read:package** | Grants read access to package operations, such as reading and downloading available packages. | +|     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`. | +| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. | +|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. | +|     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. | +| **user** | `/user/*` and `/users/*` API routes: User-related operations. | +|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. | +|     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings. |