401 trying to access organization secrets/templates (gitea)

Fogapod · June 16, 2022, 8:58am

Unsure how to get drone version but I just pulled latest drone/drone:2 and issue persists there.
Gitea version: latest master.

I am getting blank white page trying to access organization secrets or templates from settings. In request log I see GET https://drone.my.domain/api/secrets/test → 401 (test is org name)
Response body: {"message":"Forbidden"}

I have admin rights for organization on gitea, tried doing this with multiple different organizations, result is the same. Tried pressing sync button, nothing changed. Organization secrets/templates settings work for personal repositories on gitea works.
I am gitea instance and organization admin

brad · June 20, 2022, 7:02pm

You’ll need to make sure you are a Drone admin
https://docs.drone.io/server/user/admin/

Fogapod · June 20, 2022, 7:16pm

from docs it seems like drone admin is something like system administrator? I just need permission to access organization secrets

Fogapod · June 20, 2022, 7:25pm

giving myself drone admin allowed me to access these but this sounds like something that should be accessible by git repository admins. am i misunderstanding something?

brad · June 20, 2022, 8:09pm

giving myself drone admin allowed me to access these but this sounds like something that should be accessible by git repository admins. am i misunderstanding something?

The ability to create / update / delete templates and organization secrets should only be available to organization admins.

However, the Gitea API does not return enough information to determine whether or not an individual has admin access to the organization [1]. Therefore, as a fallback to this missing information, Drone restricts the ability to create / update / delete templates and organization secrets to Drone admins.

The GitHub API does expose an individual user’s role in the organization, therefore, Drone is able to use the GitHub API to determine user access to templates and org secrets instead of restricting to Drone admins. If the Gitea API can be improved to more closely mirror the GitHub API [2] and to return the user role in the payload, we would be able to support using this information to govern access.

[1] https://try.gitea.io/api/swagger#/organization/orgIsMember
[2] https://docs.github.com/en/rest/orgs/members#get-organization-membership-for-a-user

Fogapod · June 20, 2022, 8:23pm

thanks for clarification. I’ll try reaching out to gitea devs and maybe file a feature request.
meanwhile i think drone could handle this situation better. it looks like 401 is completely unhanded and it breaks page resulting in blank white screen requiring pressing going to previous page and refreshing it

rodriciru · July 27, 2022, 1:05pm

Hi. That is correct. This endpoint is not giving enough info.
But this Gitea API has an isAdmin value.
You have to filter though all users but at least has this info available

UPDATE: this isAdmin is about site admin. Not organization admin, so my bad

But I found other API which has the data that we want: Gitea API

I’m not a Go dev, or know anything about it, so I can’t do it by my self, sorry

Shruthikini · September 29, 2022, 1:27pm

@rodriciru Glad that you figured it out. Feel free to ping us with any further questions.

Thanks!