Redesign Scoped Access Tokens

docs/content/doc/development/oauth2-provider.en-us.md

@@ -44,42 +44,53 @@ To use the Authorization Code Grant as a third party application it is required
 
 ## Scopes
 
-Gitea supports the following scopes for tokens:
+Gitea supports scoped access tokens, which allow users the ability to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following:
+
+- `read`: `GET` routes
+- `write`: `POST`, `PUT`, and `PATCH` routes (in addition to `GET`)
+- `delete`: `DELETE` routes (in addition to `POST`, `PUT`, `PATCH` and `GET`)
+
+Gitea token scopes are as follows:
 
 | Name | Description |
 | ---- | ----------- |
-| **(no scope)** | Grants read-only access to public user profile and public repositories. |
-| **repo** | Full control over all repositories. |
-|     **repo:status** | Grants read/write access to commit status in all repositories. |
-|     **public_repo** | Grants read/write access to public repositories only. |
-| **admin:repo_hook** | Grants access to repository hooks of all repositories. This is included in the `repo` scope. |
-|     **write:repo_hook** | Grants read/write access to repository hooks |
-|     **read:repo_hook** | Grants read-only access to repository hooks |
-| **admin:org** | Grants full access to organization settings |
-|     **write:org** | Grants read/write access to organization settings |
-|     **read:org** | Grants read-only access to organization settings |
-| **admin:public_key** | Grants full access for managing public keys |
-|     **write:public_key** | Grant read/write access to public keys |
-|     **read:public_key** | Grant read-only access to public keys |
-| **admin:org_hook** | Grants full access to organizational-level hooks |
-| **admin:user_hook** | Grants full access to user-level hooks |
-| **notification** | Grants full access to notifications |
-| **user** | Grants full access to user profile info |
-|     **read:user** | Grants read access to user's profile |
-|     **user:email** | Grants read access to user's email addresses |
-|     **user:follow** | Grants access to follow/un-follow a user |
-| **delete_repo** | Grants access to delete repositories as an admin |
-| **package** | Grants full access to hosted packages |
-|     **write:package** | Grants read/write access to packages |
-|     **read:package** | Grants read access to packages |
-|     **delete:package** | Grants delete access to packages |
-| **admin:gpg_key** | Grants full access for managing GPG keys |
-|     **write:gpg_key** | Grants read/write access to GPG keys |
-|     **read:gpg_key** | Grants read-only access to GPG keys |
-| **admin:application** | Grants full access to manage applications |
-|     **write:application** | Grants read/write access for managing applications |
-|     **read:application** | Grants read access for managing applications |
-| **sudo** | Allows to perform actions as the site admin. |
+| **(no scope)** | Not supported. A scope is required even for public repositories. |
+| **activitypub** |`activitypub` API routes: ActivityPub related operations. |
+|     **read:activitypub** | Grants read access for ActivityPub operations. |
+|     **write:activitypub** | Grants read/write access for ActivityPub operations. |
+|     **delete:activitypub** | Grants read/write/delete access for ActivityPub operations. Currently the same as `write:activitypub`. |
+| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts). |
+|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails. |
+|     **write:admin** | Grants read/write access for admin operations, such as running cron jobs or updating user accounts. |
+|     **delete:admin** | Grants read/write/delete access for admin operations, such as deleting user accounts. |
+| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations. |
+|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones. |
+|     **write:issue** | Grants read/write access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones. |
+|     **delete:issue** | Grants read/write/delete access for issues operations, such as deleting comments, labels or issue attachments. |
+| **misc** | miscellaneous and settings top-level API routes. |
+|     **read:misc** | Grants read access to miscellaneous operations, such as getting label and gitignore templates. |
+|     **write:misc** | Grants read/write access to miscellaneous operations, such as markup utility operations. |
+|     **delete:misc** | Grants read/write/delete access to miscellaneous operations. Currently the same as `write:misc`. |
+| **notification** | `notification/*` API routes: user notification operations. |
+|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications. |
+|     **write:notification** | Grants read/write access to user notifications, such as marking notifications as read. |
+|     **delete:notification** | Grants read/write/delete access to user notifications. Currently the same as `write:notification`. |
+| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations. |
+|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members. |
+|     **write:organization** | Grants read/write access to org and team status, such as creating and updating teams and updating org settings. |
+|     **delete:organization** | Grants read/write/delete access to org and team status, such as deleting teams and orgs. |
+| **package** | `/packages/*` API routes: Packages operations |
+|     **read:package** | Grants read access to package operations, such as reading and downloading available packages. |
+|     **write:package** | Grants read/write access to package operations. Currently the same as `read:package`. |
+|     **delete:package** | Grants read/write/delete access to package operations, such as deleting packages. |
+| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations. |
+|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators. |
+|     **write:repository** | Grants read/write access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
+|     **delete:repository** | Grants read/write/delete access to repository operations, such as getting deleting repository file, delete pull-request, removing collaborators. |
+| **user** | `/user/*` and `/users/*` API routes: User-related operations. |
+|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings. |
+|     **write:user** | Grants read/write access to user operations, such as updating user repo subscriptions, followed users, and user settings. |
+|     **delete:user** | Grants read/write/delete access to user operations, such as removing user repo subscriptions. |
 
 ## Client types
 

models/auth/token.go

@@ -112,6 +112,15 @@ func NewAccessToken(t *AccessToken) error {
 	return err
 }
 
+// DisplayPublicOnly whether to display this as a public-only token.
+func (t *AccessToken) DisplayPublicOnly() bool {
+	publicOnly, err := t.Scope.PublicOnly()
+	if err != nil {
+		return false
+	}
+	return publicOnly
+}
+
 func getAccessTokenIDFromCache(token string) int64 {
 	if successfulAccessTokenCache == nil {
 		return 0