I suppose you are not right,
if you use absolute path it means that the ‘git’ user has the shell access to the server and you will use ssh-key from ‘/home/git/.ssh/authorized_keys’ file instead of keys which is added to the gitea user profile via UI.
so then as a result you will be able to push inside not own repo
To clarify the SSH url: the stuff after the colon is for internal use in gitea. Gitea itself provides the mapping to the actual repository location.
So what you do when using the original path is bypassing gitea, which shouldn’t be possible at all!
One reason this happens is that you set your SSH key in the authorized_keys file yourself with e.g. ssh-copy-id. However that’s wrong and you should definitely let gitea handle this file.
Furthermore everytime a user adds an SSH key via gitea web-UI the authorized_keys file gets overwritten.
Another thing is that usually the user from the SSH url is git or whatever is configured in the app.ini and not the actual gitea-user itself.
The first thing you should try now is to go into the Admin settings on the gitea UI and execute:
Update the ‘.ssh/authorized_keys’ file with Gitea SSH keys. (Not needed for the built-in SSH server.)
Resynchronize pre-receive, update and post-receive hooks of all repositories.
After that you HAVE to set your SSH keys through gitea web-UI.