fix: org metadata API endpoints should respect org visibility for unauthenticated requests #690

New Issue

Closed

opened 2026-06-21 23:14:31 +00:00 by jmiller · 0 comments

jmiller commented 2026-06-21 23:14:31 +00:00

Owner

Copy Link

Copy Source

Summary

The /orgs/{org}/issue-statuses, /orgs/{org}/issue-priorities, and /orgs/{org}/issue-types endpoints are accessible without authentication. For public orgs this is fine, but private org metadata (custom statuses, priorities, types) can be enumerated by unauthenticated users.

Fix

Add a visibility check in each handler: if the org is not public and the caller is not authenticated or not a member, return 404.

Files

• routers/api/v1/org/issue_metadata.go — add visibility check to ListIssueStatuses, ListIssuePriorities, ListIssueTypes

## Summary The `/orgs/{org}/issue-statuses`, `/orgs/{org}/issue-priorities`, and `/orgs/{org}/issue-types` endpoints are accessible without authentication. For public orgs this is fine, but private org metadata (custom statuses, priorities, types) can be enumerated by unauthenticated users. ## Fix Add a visibility check in each handler: if the org is not public and the caller is not authenticated or not a member, return 404. ## Files - `routers/api/v1/org/issue_metadata.go` — add visibility check to ListIssueStatuses, ListIssuePriorities, ListIssueTypes

jmiller referenced this issue from a commit 2026-06-21 23:17:04 +00:00

fix: org metadata API respects visibility for unauthenticated requests (#690)

jmiller closed this issue 2026-06-21 23:17:54 +00:00

Sign in to join this conversation.

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

feature: wiki

Wiki system enhancements

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

No labels

Priority Medium

Type Feature

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-Fork#690