X-Total-Count on /orgs/{org}/repos?page=... API endpoint wrong #34437

Open
@splitt3r

Description


On /orgs/{org}/repos the total count header can be wrong if the user cannot see some of the org's repos. Also, the limit parameter can be wrong too in that situation.

Steps to reproduce:

  • Request to /orgs/{org}/repos?page=...
  • The header X-Total-Count says there are 100 repos
    • On page 10 there is a repo I'm not allowed to see, so this page returns only limit - 1 repos, which is strange
    • The total count is also wrong because I can only see 99 repos
  • And now I know that there is one repo I can't see, which is also problematic security-wise

// count is taken from the unfiltered query; apiRepos is the list after access filtering
ctx.SetLinkHeader(int(count), opts.PageSize)
ctx.SetTotalCountHeader(count)
ctx.JSON(http.StatusOK, &apiRepos)

The initial array is counted, but it should return the count of apiRepos, which is the filtered list of repos.

Gitea Version

v1.23.7

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu

How are you running Gitea?

Ubuntu package installation

Database

MySQL/MariaDB
