When logging in from https://diday.org/admin/ via forgejo the following message is shown to the user:
Authorize "diday.org CMS" to access your account?
If you grant access, it will be able to access and write to all your account information, including private repos and organizations.
This application was created by @DI-Day.
With scopes: repository.
This is needed at least one time if the websites repo has not yet been forked to the users forgejo-account.
There is a active and as it seems near to finished issue about this in forgejo repo: forgejo/forgejo#4052. The main problem is, that fine-grained access-control for OAuth-apps has not yet been implemented as it is for AccessTokens.
From the discussion in that issue and from https://forgejo.org/docs/next/user/token-scope/#public-only i get the impression that setting scopes in the OAuth request to forgejo is already implemented but lacks a UI.
For example replacing the scope parameter in the request from https://diday.org/admin/ which initially looks sth like this:
https://codeberg.org/login/oauth/authorize?client_id=...&redirect_uri=https%3A%2F%2Fdiday.org%2Fadmin%2F&response_type=code&scope=repository&state=%7B%22auth_type%22%3A%22pkce%22%2C%22nonce%22%3A%22...
to
https://codeberg.org/login/oauth/authorize?client_id=...scope=only-public...
also leads to a successful login. However, i am not sure if it really has the desired effect of at least only granting the CMS only access to public repos. But i guess if it is implemented it should 🙃?
I think we should monitor the progress in forgejo/forgejo#4052 or eventually get involved. But i haven't done anything in Go yet.
When logging in from https://diday.org/admin/ via forgejo the following message is shown to the user:
> Authorize "diday.org CMS" to access your account?
> If you grant access, it will be able to access and write to all your account information, including private repos and organizations.
This application was created by @DI-Day.
> With scopes: repository.
This is needed at least one time if the websites repo has not yet been forked to the users forgejo-account.
There is a active and as it seems near to finished issue about this in forgejo repo: https://codeberg.org/forgejo/forgejo/issues/4052. The main problem is, that fine-grained access-control for OAuth-apps has not yet been implemented as it is for AccessTokens.
From the discussion in that issue and from https://forgejo.org/docs/next/user/token-scope/#public-only i get the impression that setting scopes in the OAuth request to forgejo is already implemented but lacks a UI.
For example replacing the `scope` parameter in the request from https://diday.org/admin/ which initially looks sth like this:
`https://codeberg.org/login/oauth/authorize?client_id=...&redirect_uri=https%3A%2F%2Fdiday.org%2Fadmin%2F&response_type=code&scope=repository&state=%7B%22auth_type%22%3A%22pkce%22%2C%22nonce%22%3A%22...`
to
`https://codeberg.org/login/oauth/authorize?client_id=...scope=only-public...`
also leads to a successful login. However, i am not sure if it really has the desired effect of at least only granting the CMS only access to public repos. But i guess if it is implemented it should 🙃?
I think we should monitor the progress in https://codeberg.org/forgejo/forgejo/issues/4052 or eventually get involved. But i haven't done anything in Go yet.