Token for trigger mirror-sync only

[wenerme]

• Gitea version (or commit ref): 1.14.0+dev-239-gad2a28862

• Git version: 1.14.0+dev

• Operating system: Linux/Docker

• Database (use [x]):

  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite

Description

User can read repo, but can not trigger https://git.my.org/api/v1/repos/my/repo/mirror-sync?token=$TOKEN, this is used in the webhook of other system like gitlab, github. Webhook is not hide in most system, this cause the owner's PAT is leaked to who can access the webhook, which is quite common allowed a lot user to access. Better to have a token only for mirror-sync or provide another webhook url which not require token.

BTW, gitlab has a lot token for various actions, like feed token or email token, this can prevent leak the pat.

[jolheiser]

I think this is closely enough related to #4300 to close this one in favor of the other with more details.