Remove "misc" scope check from public API endpoints (#26134)

Fix #26035

docs/content/doc/development/oauth2-provider.en-us.md

@@ -52,20 +52,20 @@ Gitea supports scoped access tokens, which allow users the ability to restrict t
 Gitea token scopes are as follows:
 
 | Name | Description                                                                                                                                          |
-| ---- |--------------------------------------------------------------------------------------------------------------------------------------------------|
+| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **(no scope)** | Not supported. A scope is required even for public repositories.                                                                                     |
 | **activitypub** | `activitypub` API routes: ActivityPub related operations.                                                                                            |
 |     **read:activitypub** | Grants read access for ActivityPub operations.                                                                                                       |
 |     **write:activitypub** | Grants read/write/delete access for ActivityPub operations.                                                                                          |
 | **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts).                                                          |
 |     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails.                                                        |
-|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.                                              |                                                         |
+|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.                                           |
 | **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations.                                                                         |
 |     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones.                                         |
 |     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.           |
-| **misc** | miscellaneous and settings top-level API routes.                                                                                                 |
+| **misc** | Reserved for future usage.                                                                                                                           |
-|     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates.                                                   |
+|     **read:misc** | Reserved for future usage.                                                                                                                           |
-|     **write:misc** | Grants read/write/delete access to miscellaneous operations, such as markup utility operations.                                                         |
+|     **write:misc** | Reserved for future usage.                                                                                                                           |
 | **notification** | `notification/*` API routes: user notification operations.                                                                                           |
 |     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications.                            |
 |     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read.                                                        |

models/auth/token_scope.go

@@ -16,7 +16,7 @@ type AccessTokenScopeCategory int
 const (
 	AccessTokenScopeCategoryActivityPub = iota
 	AccessTokenScopeCategoryAdmin
-	AccessTokenScopeCategoryMisc
+	AccessTokenScopeCategoryMisc // WARN: this is now just a placeholder, don't remove it which will change the following values
 	AccessTokenScopeCategoryNotification
 	AccessTokenScopeCategoryOrganization
 	AccessTokenScopeCategoryPackage

routers/api/v1/api.go

@@ -751,7 +751,7 @@ func Routes() *web.Route {
 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 		}
 
-		// Misc (requires 'misc' scope)
+		// Misc (public accessible)
 		m.Group("", func() {
 			m.Get("/version", misc.Version)
 			m.Get("/signing-key.gpg", misc.SigningKey)
@@ -771,7 +771,7 @@ func Routes() *web.Route {
 				m.Get("/attachment", settings.GetGeneralAttachmentSettings)
 				m.Get("/repository", settings.GetGeneralRepoSettings)
 			})
-		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryMisc))
+		})
 
 		// Notifications (requires 'notifications' scope)
 		m.Group("/notifications", func() {

tests/integration/api_token_test.go

@@ -141,26 +141,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/markdown",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
-		{
-			"/api/v1/markdown/raw",
-			"POST",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Write,
-				},
-			},
-		},
 		{
 			"/api/v1/notifications",
 			"GET",
@@ -347,16 +327,6 @@ func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
 				},
 			},
 		},
-		{
-			"/api/v1/settings/api",
-			"GET",
-			[]permission{
-				{
-					auth_model.AccessTokenScopeCategoryMisc,
-					auth_model.Read,
-				},
-			},
-		},
 		{
 			"/api/v1/user",
 			"GET",