From 5bef06b5d2dc28628bfd5c6c537f560131373ba3 Mon Sep 17 00:00:00 2001
From: Davide Scaini
Date: Wed, 3 Jun 2026 22:16:02 +0200
Subject: [PATCH] feat: restrict Gitea OIDC to activity users
---
 bincio/auth/routers/oidc.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/bincio/auth/routers/oidc.py b/bincio/auth/routers/oidc.py
index 7eeb8e9..d74b566 100644
--- a/bincio/auth/routers/oidc.py
+++ b/bincio/auth/routers/oidc.py
@@ -112,6 +112,10 @@ async def authorize(
 status_code=302,
 )
 
+ # Per-client access control
+ if client_id == "gitea" and not user.activity_access:
+ return _err("access_denied", "Gitea access is restricted to activity users")
+
 # Issue authorization code
 code = create_oauth2_code(
 deps._get_db(),
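Review bot: The new `activity_access` check runs only in `authorize`, so it gates the issuing of a new code, but nothing in this hunk covers codes, access tokens or refresh tokens already issued to the `gitea` client before a user lost `activity_access`; if the token endpoint supports refresh, the same check probably belongs there too. The rule is also keyed on the string literal `"gitea"`, so it silently stops applying if the client is re-registered under another id; a per-client flag on the client record would be sturdier. At minimum I would record the limit next to the check, e.g. `# Enforced at authorization time only; already-issued tokens are not revoked when activity_access is cleared`, and log the denial with user and client id so refused sign-ins show up in audit. `authorize` starts and ends outside this hunk, so whether `user` can still be unauthenticated at this point, and how `_err` delivers the error to the client, cannot be confirmed from here.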