chore(release-note): Fix bug when a token is given public only

Earl Warren 2024-10-10 14:38:22 +03:00
parent a052d2b602
commit 9b63e3e88d
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

release-notes/5515.md Normal file

@ -0,0 +1 @@
**Fixing this bug is a breaking change because existing tokens with a public scope will no longer return private resources. They have to be deleted and re-created without the public scope to restore their original behavior**. The public scope of an application token does not filter out private repositories, organizations or packages in some cases. This scope is not the default, it has to be manually set via the web UI or the API. When the public scope is explicitly added to an application token that is allowed to list the repositories and packages of a user or an organization, it is meant as a restriction. For instance if a user has two repositories, one private and the other publicly visible, a token with the public scope used with the API endpoint listing the repositories that belong to this user must only return the publicly visible one and not reveal the existence of the private one.
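Review bot: the added line in release-notes/5515.md opens with "Fixing this bug is a breaking change" before the bug has been described, so a reader only learns what "this bug" is in the second sentence; consider stating the defect first (the public scope does not filter out private repositories, organizations or packages) and following it with the breaking-change consequence. The phrase "in some cases" also leaves an administrator unable to tell which API endpoints were affected; naming them, or pointing to the fix, would let token owners judge whether the existence of private resources was revealed through a token they believed was restricted. The instruction to delete and re-create tokens could say explicitly that it applies only to tokens that are expected to keep returning private resources, since a token that was given the public scope as a restriction now behaves as intended and needs no action.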