/api/v1/orgs has become an authenticated endpoint with 0.19

[ianw]

Description

We have CI for https://opendev.org where we are testing our upgrade of 1.18.5 to 1.19.1 [1].

We found that one of our CI tasks that gets the orgs from api/v1/orgs started failing returning a 401.

I believe this is related to de484e8

It's not too hard to replicate this; as opendev.org is still on 1.18

$ curl https://opendev.org/api/v1/orgs
$ curl https://try.gitea.io/api/v1/orgs

The first returns json, the second not :) I'm not sure if this is intentional; it does seem like the public org listing probably doens't need to be an authenticated call?

[1] https://review.opendev.org/c/opendev/system-config/+/877541

Gitea Version

1.19.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Our gitea is built from upstream into a container

Database

None

[wxiaoguang]

Related to #20908

// old
		m.Get("/orgs", org.GetAll)
// new
		m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

And it seems that not only this one, many other end-points also have similar changes.

@harryzcy do you have ideas about how to make them more correct?

[harryzcy]

@wxiaoguang If it should be public, then reqToken call should be removed. If it should require a token but doesn't require any specific scope, reqToken("") should be used.