Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat: scope list_repositories to the authenticated user in service-PAT mode
docker / test (push) Successful in 28s
Details
docker / lint (push) Successful in 33s
Details
lint / lint (push) Successful in 35s
Details
test / test (push) Successful in 33s
Details
docker / docker-test (push) Successful in 10s
Details
docker / docker-publish (push) Successful in 6s
Details

Browse Source 
Previously list_repositories was blocked in service-PAT mode because it has no
repository target for the per-user permission check, so users could not list
their repositories at all (the connector surfaced a generic error).

list_repositories now returns only the repositories the signed-in user owns or
contributes to, instead of everything the bot token can see:
- gitea_client.py: add list_user_repositories(login) — resolves the user id and
  queries /api/v1/repos/search with the uid filter.
- repository.py: list_repositories_tool uses the user-scoped path when a service
  PAT is configured and a user login is present; pure-OAuth mode still uses the
  user's own /user/repos.
- server.py: allow list_repositories through the service-PAT guard (it is scoped
  to the user in the handler); all other tools still require a repository target.
- README.md: document the new user-scoped behavior and its visibility caveat.

Tests: user-scoped client method (uid resolution + unknown user), PAT-mode tool
scoping, and conftest now clears the request context between tests to prevent
contextvar login leakage across files.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Latte
2026-06-14 17:07:19 +02:00
parent 624a3c79ee
commit e873d0325b
7 changed files with 146 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/conftest.py
+3
View File
@@ -13,6 +13,7 @@ from aegis_gitea_mcp.oauth_flow import reset_oauth_client_registry
from aegis_gitea_mcp.observability import reset_metrics_registry
from aegis_gitea_mcp.policy import reset_policy_engine
from aegis_gitea_mcp.rate_limit import reset_rate_limiter
from aegis_gitea_mcp.request_context import clear_gitea_auth_context
from aegis_gitea_mcp.server import reset_repo_authz_cache
@@ -29,6 +30,7 @@ def reset_globals(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Generator[
reset_policy_engine()
reset_rate_limiter()
reset_metrics_registry()
clear_gitea_auth_context()
# Use temporary directory for audit logs in tests
audit_log_path = tmp_path / "audit.log"
@@ -46,6 +48,7 @@ def reset_globals(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Generator[
reset_policy_engine()
reset_rate_limiter()
reset_metrics_registry()
clear_gitea_auth_context()
@pytest.fixture