
/api/v1/version should not give 403 for authenticated users/tokens #26035

Closed
@rgl

Description


Before Gitea 1.20.0, a token with the repo scope could access the /api/v1/version endpoint.

In Gitea 1.20.0, a token with the write:repository scope cannot access the /api/v1/version endpoint.

Here's the partial bash script that I've used to create the token and test it:

```bash
#!/usr/bin/env bash
# The first part of the script (not shown here) is assumed to set:
#   gitea_url, RENOVATE_USERNAME, RENOVATE_PASSWORD
set -euo pipefail
mkdir -p tmp

# see https://try.gitea.io/api/swagger#/user/userCreateToken
echo "Creating Gitea $RENOVATE_USERNAME user personal access token..."
curl \
    --silent \
    --show-error \
    --fail-with-body \
    -u "$RENOVATE_USERNAME:$RENOVATE_PASSWORD" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"name": "renovate", "scopes": ["write:repository"]}' \
    "$gitea_url/api/v1/users/$RENOVATE_USERNAME/tokens" \
    | jq -r .sha1 \
    >tmp/renovate-gitea-token.txt

# try the token: on 1.20.0 this step fails with 403
# (--fail-with-body makes curl exit non-zero, which aborts the pipeline).
echo "Trying the Gitea $RENOVATE_USERNAME user personal access token..."
RENOVATE_TOKEN="$(cat tmp/renovate-gitea-token.txt)"
export RENOVATE_TOKEN
curl \
    --silent \
    --show-error \
    --fail-with-body \
    -H "Authorization: token $RENOVATE_TOKEN" \
    -H 'Accept: application/json' \
    "$gitea_url/api/v1/version" \
    | jq \
    > /dev/null
```

Gitea Version

1.20.0

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

In docker, as configured in the first part of the bash script at https://github.com/rgl/my-ubuntu-ansible-playbooks/blob/main/renovate.sh

Database

SQLite
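A small probe that turns the reproduction above into a repeatable post-upgrade check: it calls a list of API endpoints with a scoped token, records the HTTP status of each instead of aborting on the first failure, and separates "token rejected" (401) from "token accepted but scope refused" (403). This is an added example, not part of the issue or of Gitea; it assumes the environment variables GITEA_URL and GITEA_TOKEN (hypothetical names) and does nothing network-related when they are unset.

```shell
#!/usr/bin/env bash
# Probe which Gitea API endpoints a scoped token can reach and print the
# HTTP status per endpoint, so a scope regression shows up as a 403 row.
# Assumption: GITEA_URL (e.g. http://gitea.example.test) and GITEA_TOKEN
# are set by the caller; nothing is contacted otherwise.
set -euo pipefail

# Map an HTTP status code to a short verdict (pure function, works offline).
verdict_for_status() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "unauthenticated" ;;   # token not accepted at all
    403) echo "forbidden" ;;         # token accepted, scope refused
    404) echo "not-found" ;;
    *)   echo "unexpected:$1" ;;
  esac
}

# Print only the HTTP status for one endpoint; never fail on a non-2xx reply
# (-o /dev/null discards the body, -w prints the status code).
probe_status() {
  local base="$1" token="$2" path="$3"
  curl --silent --show-error \
       -o /dev/null -w '%{http_code}' \
       -H "Authorization: token $token" \
       -H 'Accept: application/json' \
       "$base$path"
}

# Constructed list of endpoints a write:repository token is expected to reach;
# adjust it to the scopes you actually issue.
ENDPOINTS="/api/v1/version /api/v1/user/repos"

# One row per endpoint; return 1 if any endpoint answered 403.
probe_all() {
  local base="$1" token="$2" path status rc=0
  for path in $ENDPOINTS; do
    status="$(probe_status "$base" "$token" "$path")"
    printf '%-22s %s %s\n' "$path" "$status" "$(verdict_for_status "$status")"
    if [ "$status" = "403" ]; then rc=1; fi
  done
  return "$rc"
}

if [ -n "${GITEA_URL:-}" ] && [ -n "${GITEA_TOKEN:-}" ]; then
  probe_all "$GITEA_URL" "$GITEA_TOKEN"
fi
```

Run it once before and once after an upgrade with the same token; any row that changes from 200 to 403 is the kind of regression this issue reports.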
