kyush/forgejo
1
0
Fork 0
forked from mirrors/forgejo
Code Pull requests Activity

docs: add release notes for PR #11457

Browse source
This commit is contained in:
Mathieu Fenniak 2026-02-28 15:12:04 -07:00 committed by Mathieu Fenniak
commit e870b9cb74
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
release-notes/11457.md Normal file
View file

@ -0,0 +1,6 @@
Accessing the `/repositories/{id}` API with a public-only access token did not restrict read access to only public repositories, which is now prevented.
Accessing the `/repos/{owner}/{repo}/issues/{index}/dependencies` and `/repos/{owner}/{repo}/issues/{index}/blocks` APIs with a public-only access token had access to modification operations against private repositories in the *form* component of the API (not the URL component), which is now prevented.
Accessing the `/repos/{owner}/{repo}/issues/{index}/dependencies` and `/repos/{owner}/{repo}/issues/{index}/blocks` APIs with a public-only access token could view dependencies or blocking issues from private repositories, which is now prevented.
Accessing the `/repos/{owner}/{repo}/issues/{index}/timeline` API with a public-only access token could view comment cross-references from private repositories, which is now prevented.
Accessing the `/teams/{id}/repos/{org}/{repo}` API with a public-only access token could view private repositories assigned to a team, which is now prevented.
Access the watched repos and starred repos of a your own user through /user/subscriptions and /user/starred APIs with a public-only access token could view private repositories, which is now prevented.