Files
plane/apps
Manish Gupta 3daec9476b fix(security): add read:user scope to Gitea; fail-closed on absent Google verified_email
Gitea's /api/v1/user/emails endpoint requires the read:user granular
scope — openid+email+profile alone is insufficient and __get_email()
would return a 401/403. Add read:user to the scope string.

Google: change default from True to fail-closed (is not True) so a
userinfo response that omits verified_email is rejected rather than
trusted. The service-account justification was incorrect — service
accounts do not go through the interactive OAuth2 callback flow.

Co-authored-by: Plane AI <noreply@plane.so>
2026-06-24 12:47:16 +05:30
..