problem: /api/v1/repos/{owner}/{repo}/branch_protections responds with 403 for public-only key #12397

Open
opened 2026-05-03 13:55:39 +02:00 by Maks1mS · 1 comment
Maks1mS commented 2026-05-03 13:55:39 +02:00 (Migrated from codeberg.org)

Does your problem still exist on the latest Forgejo version?

Yes, the problem still exists (tested on a next instance)

About your usage of Forgejo

n/a

Problem description

Steps to reproduce:

  1. Create public repository.
  2. Create an access token with the public-only option and `write:repository`.
  3. Go to [`/api/swagger#/repository/repoCreateBranchProtection`](https://v16.next.forgejo.org/api/swagger#/repository/repoCreateBranchProtection) and send a request (after logging in with the token). The body can be empty JSON, it doesn't matter.

Expected:

  • the error is not 403

Actual:

  • the error is 403 (`user should be an owner or a collaborator with admin write of a repository`)

It looks like a regression, because I used v11 earlier and there were no problems.

Potential workarounds

Use an access token with the `All (public, private, and limited)` option.

Forgejo Version

16.0.0-dev-218-b6658076a9+gitea-1.22.0

Other details about your environment (software names and versions)

n/a

Solutions

Accepted solutions to address this problem will go here

mfenniak commented 2026-05-04 05:46:27 +02:00 (Migrated from codeberg.org)

It is noted in Forgejo 15's release notes that there is a breaking change, "remove admin-level permissions from repo-specific & public-only access tokens" (#11468). Changing branch protection rules on a repository requires repository admin access, which is why it has been affected by this breaking change -- and that is one of the APIs described in the details noted in #11468.

Please review the explanation in #11468. The logic behind this change is open for debate and discussion, and within this larger context of related changes, I'd be open to discussing how these changes could be made in a logical and secure way.

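The permission decision behind the 403 in the reproduction steps and in the release-note rule quoted above, as an added model (not Forgejo's own code; the `Level`, `Token`, `Repo` and `Operation` types and the cap on restricted tokens are assumptions drawn only from the wording in this thread):

```python
"""Model of why a public-only token gets 403 on branch protection APIs.

Added illustration, not Forgejo's implementation. It encodes the rule the
thread quotes from the release notes ("remove admin-level permissions from
repo-specific & public-only access tokens") so the decision can be reasoned
about without a live instance.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class Level(IntEnum):
    READ = 1
    WRITE = 2
    ADMIN = 3   # owner, or collaborator with admin rights on the repository


@dataclass(frozen=True)
class Token:
    scopes: FrozenSet[str]                  # e.g. {"write:repository"}
    public_only: bool = False               # "Public only" instead of "All (public, private, and limited)"
    repos: Optional[FrozenSet[str]] = None  # repo-specific token; None means every repository


@dataclass(frozen=True)
class Repo:
    full_name: str
    private: bool = False


@dataclass(frozen=True)
class Operation:
    name: str       # swagger operation id
    level: Level    # permission the API handler demands on the repository


# Constructed examples (assumed levels); names follow the swagger ids in the thread.
CREATE_BRANCH_PROTECTION = Operation("repoCreateBranchProtection", Level.ADMIN)
CREATE_FILE = Operation("repoCreateFile", Level.WRITE)

FORBIDDEN_MSG = "user should be an owner or a collaborator with admin write of a repository"


def scope_level(token: Token, category: str) -> Optional[Level]:
    """Highest read/write level the token's scopes grant for one category."""
    best = None
    for scope in token.scopes:
        action, _, cat = scope.partition(":")
        if cat != category:
            continue
        lvl = {"read": Level.READ, "write": Level.WRITE}.get(action)
        if lvl is not None and (best is None or lvl > best):
            best = lvl
    return best


def effective_level(token: Token, repo: Repo, user_level: Level) -> Optional[Level]:
    """Permission the token really carries on `repo` (assumed model, see above)."""
    if token.public_only and repo.private:
        return None                          # public-only tokens never see private repos
    if token.repos is not None and repo.full_name not in token.repos:
        return None                          # repo-specific token used on another repo
    granted = scope_level(token, "repository")
    if granted is None:
        return None                          # no repository scope at all
    # A write scope exposes whatever the user may do; a read scope caps at READ.
    level = min(user_level, Level.ADMIN if granted == Level.WRITE else Level.READ)
    # The breaking change: restricted tokens are capped below ADMIN regardless
    # of the user's own rights, so admin-level APIs such as branch protection answer 403.
    if token.public_only or token.repos is not None:
        level = min(level, Level.WRITE)
    return level


def authorize(token: Token, repo: Repo, op: Operation, user_level: Level) -> Tuple[int, str]:
    """Return the HTTP status and message the API would send for this request."""
    level = effective_level(token, repo, user_level)
    if level is None or level < op.level:
        if op.level == Level.ADMIN:
            return 403, FORBIDDEN_MSG
        return 403, "token scope does not allow this operation"
    return 200, "ok"


if __name__ == "__main__":
    repo = Repo("example-owner/example-repo")   # constructed public repository
    public_only = Token(frozenset({"write:repository"}), public_only=True)
    full_access = Token(frozenset({"write:repository"}))
    for name, tok in (("public-only", public_only), ("all", full_access)):
        print(name, authorize(tok, repo, CREATE_BRANCH_PROTECTION, Level.ADMIN))
```

Running the module prints the two outcomes from the report: the public-only token is refused with the quoted message even though the user is a repository admin, while the `All` token succeeds; the same public-only token still passes for a plain write-level operation, which is the distinction the release note draws.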