# Manual Setup via curl

Step-by-step commands for setting up read-only access manually.
Replace placeholders with your actual values.

## Variables

```bash
GITEA_API="https://git.example.com/api/v1"
OWNER="myuser"
OWNER_PASS="mypassword"
READER="myreader"
READER_PASS="readerpassword"
READER_EMAIL="myreader@noreply.local"
```

## 1. Create Reader Account

```bash
curl -X POST "$GITEA_API/admin/users" \
  -u "$OWNER:$OWNER_PASS" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "'"$READER"'",
    "password": "'"$READER_PASS"'",
    "email": "'"$READER_EMAIL"'",
    "must_change_password": false,
    "visibility": "public"
  }'
```

Expected: HTTP 201

## 2. Activate Account

Some Gitea configurations require explicit activation:

```bash
curl -X PATCH "$GITEA_API/admin/users/$READER" \
  -u "$OWNER:$OWNER_PASS" \
  -H "Content-Type: application/json" \
  -d '{
    "active": true,
    "visibility": "public",
    "login_name": "'"$READER"'"
  }'
```

## 3. Create API Token

Authenticate as the reader to create a token with limited scope:

```bash
curl -X POST "$GITEA_API/users/$READER/tokens" \
  -u "$READER:$READER_PASS" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "installer-readonly",
    "scopes": ["read:repository"]
  }'
```

Response:
```json
{
  "id": 1,
  "name": "installer-readonly",
  "sha1": "abc123...",
  "token_last_eight": "abc12345"
}
```

Save the `sha1` value — it is only shown once.

## 4. Grant Access to a Repository

```bash
REPO="my-private-repo"

curl -X PUT "$GITEA_API/repos/$OWNER/$REPO/collaborators/$READER" \
  -u "$OWNER:$OWNER_PASS" \
  -H "Content-Type: application/json" \
  -d '{"permission": "read"}'
```

Expected: HTTP 204

## 5. Verify Access

With token (should work):
```bash
TOKEN="abc123..."

curl -H "Authorization: token $TOKEN" \
  "$GITEA_API/repos/$OWNER/$REPO"
```

Without token (should return 404 for private repo):
```bash
curl "$GITEA_API/repos/$OWNER/$REPO"
```

## 6. Clone with Token

```bash
git clone "https://$READER:$TOKEN@git.example.com/$OWNER/$REPO.git"
```

Or download a specific file:
```bash
curl -H "Authorization: token $TOKEN" \
  "$GITEA_API/repos/$OWNER/$REPO/raw/README.md"
```

## 7. Revoke Access

Remove from collaborators:
```bash
curl -X DELETE "$GITEA_API/repos/$OWNER/$REPO/collaborators/$READER" \
  -u "$OWNER:$OWNER_PASS"
```

## 8. Rotate Token

Delete old:
```bash
curl -X DELETE "$GITEA_API/users/$READER/tokens/installer-readonly" \
  -u "$READER:$READER_PASS"
```

Create new:
```bash
curl -X POST "$GITEA_API/users/$READER/tokens" \
  -u "$READER:$READER_PASS" \
  -H "Content-Type: application/json" \
  -d '{"name": "installer-readonly", "scopes": ["read:repository"]}'
```