API: allow list collaborators for users with Read access to repo

[lkraider]

This is a request to allow org team users with read access to repos to get the list of collaborators via API from that repo.

Details below:

• Gitea version (or commit ref): 1.10.0

• Git version: 2.21

• Operating system: unix

• Database: any

• Can you reproduce the bug at https://try.gitea.io:

  • Yes (provide example URL)
    https://try.gitea.io/api/v1/repos/collabtest/collab/collaborators?access_token=8414c7516aa3fbbc64bab0686ca8fc05c6e0579c

• Log gist:

API response: 403 | Error: Forbidden

Description

A user with Read access to a repo is unable to GET the list of collaborators.

This request is required by the Gitea Jenkins Plugin to process the PRs automatically.

It is currently an open issue there as well: https://issues.jenkins-ci.org/browse/JENKINS-60017
Also related to this issue on Jenkins-X: jenkins-x/jx#432

[zeripath]

The problem lies here:

gitea/routers/api/v1/api.go

Lines 644 to 649 in f6067a8

	m.Group("/collaborators", func() {
	m.Get("", repo.ListCollaborators)
	m.Combo("/:collaborator").Get(repo.IsCollaborator).
	Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
	Delete(repo.DeleteCollaborator)
	}, reqToken(), reqAdmin())

The get collaborators list should be available to reporeaders I guess.

[davidsvantesson]

I think the reasoning for the access has been that in the UI only repo admin can see who is collaborator. But I think it would make sense other collaborators can see it.

I don't know why the Jenkins plugin need this information, but another problem is there is no option to include also team members with access in the API response.

[gruo]

In my opinion Jenkins queries the collaborators for determining trust of the particular PR of forks.

[keeakita]

FWIW for the Jenkins plugin, this can be "worked around" by granting admin permissions to the Gitea user that jenkins is authenticating as. But this is awkward to have a service user be so privileged.

Would it be possible to add a granular permission for listing collaborators? I can see in the UI when granting read permissions there are toggles for specific resources (wikis, issues, etc). It'd be nice to have an extra checkbox here for collaborators.

[guillep2k]

I agree with @davidsvantesson: "collaborators" is not even useful if the access is managed through teams. We should know more about this requirement and make a better suited solution. In the long term we should have profiles specifically designed for robots, plugins, etc. (e.g. read access to most of the info, write access to only a subset).

[lunny]

Didn't #9995 resolved this one?

[keeakita]

I'm not sure how version strings are managed, but on the latest Docker image with version string 1.12.0+dev-266-gd9de58bee, I can confirm that I'm now able to use the Jenkins plugin with a read-only user. So I believe #9995 did in fact fix this.

Though it may be worth keeping this issue open (or maybe opening a new one?) to track the long term work of rethinking how/why the plugin is listing collaborators in this way in the first place.

[guillep2k]

I'll close this for the time being. Feel free to reopen it if you find it's actually not fixed by 1.12.0. 😄