Safely expose raw files and diffs to 3rd party services

There’s an API method called get_repo_nodes that fetches all nodes with their content via the API. However, there is no API call that fetches a single file directly. A better method is to expose the auth_token functionality for the web interface.

Fetching any file is then possible with a call such as the following:

curl "https://rhodecode-server.com/rhodecode-tools/rawfile/stable/tox.ini?auth_token=HTTP_TOKEN_HERE"

This functionality is disabled by default. You need to do the following things to make it work:

  • Inside the .ini configuration file, set api_access_controllers_whitelist:
api_access_controllers_whitelist =
    ChangesetController:changeset_patch,
    ChangesetController:changeset_raw,
    FilesController:raw,
    FilesController:archivefile,
    GistsController:*

This allows direct access via special tokens to raw files and to raw diffs and patches, and also makes it possible to fetch a whole repository archive.

Then, for a user that has access to the particular repository, you need to generate a special auth-token with the http/web interface role. Only this type of token allows access to web-interface pages. The above curl (or wget) example should then work.
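
Because every whitelist entry opens a web view to token-based access, it is worth checking the list against what the integration actually needs. The following Python check is an added example, not part of RhodeCode or of the original page; the `[app:main]` section name, the sample .ini text and the `APPROVED` set are assumptions made for the illustration.

```python
import configparser

# Constructed sample; the [app:main] section name is an assumption.
SAMPLE_INI = """\
[app:main]
api_access_controllers_whitelist =
    ChangesetController:changeset_patch,
    ChangesetController:changeset_raw,
    FilesController:raw,
    FilesController:archivefile,
    GistsController:*
"""

# Hypothetical policy: the only views this integration is meant to reach.
APPROVED = {
    "ChangesetController:changeset_patch",
    "ChangesetController:changeset_raw",
    "FilesController:raw",
}

def parse_whitelist(ini_text, section="app:main"):
    """Return the whitelist entries as a list of 'Controller:action' strings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    raw = parser.get(section, "api_access_controllers_whitelist", fallback="")
    # Entries are comma separated and may span several indented lines.
    return [e.strip() for e in raw.replace("\n", ",").split(",") if e.strip()]

def audit(entries, approved=APPROVED):
    """Return (entry, reason) pairs for entries that need review."""
    findings = []
    for entry in entries:
        if "*" in entry:
            findings.append((entry, "wildcard: covers every action it matches"))
        elif entry.endswith(":archivefile"):
            findings.append((entry, "token can download a whole repository archive"))
        elif entry not in approved:
            findings.append((entry, "not in the approved set"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit(parse_whitelist(SAMPLE_INI)):
        print(f"REVIEW {entry}: {reason}")
```

Run against the sample, it reports the archivefile entry and the GistsController wildcard for review and accepts the three narrower entries.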