1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-30 09:41:11 -05:00
Commit graph

16177 commits

Author SHA1 Message Date
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Earl Warren
3759c1a7c1
[SEMVER] 5.0.5+0-gitea-1.20.5 2023-10-03 14:49:26 +02:00
Lunny Xiao
4b23f11864
Fix bug of review request number (#27406)
Manually backport #27104 without tests because too many conflicted files
to backport it completely.

(cherry picked from commit 5c96a2be87)
2023-10-03 14:48:40 +02:00
Giteabot
4c21b82e18
Fix git 2.11 error when checking IsEmpty (#27393) (#27396)
Backport #27393 by @wxiaoguang

Fix #27389

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit acedf0f702)
2023-10-03 14:48:40 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Giteabot
5e2d16de0e
Add logs for data broken of comment review (#27326) (#27344)
Backport #27326 by @lunny

Fix #27306

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit b6b71c78c4)
2023-10-03 14:48:40 +02:00
Giteabot
101cfc1f82
fix orphan check for deleted branch (#27310) (#27320)
Backport #27310 by @earl-warren

- Modify the deleted branch orphan check to check for the new table
instead.
- Regression from 6e19484f4d
- Resolves https://codeberg.org/forgejo/forgejo/issues/1522

(cherry picked from commit c1d888686f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 2138661dae)
2023-10-03 14:48:40 +02:00
Giteabot
fa5c61cab7
Fix PushEvent NullPointerException jenkinsci/github-plugin (#27203) (#27249)
Backport #27203 by @Nabapadma-sarker

Fixes #27202

Co-authored-by: Nabapadma-sarker <nabapadmacse1991@gmail.com>
(cherry picked from commit 4b37eb2c23)
2023-10-03 14:48:40 +02:00
Giteabot
ab9b1b850b
Fix z-index on markdown completion (#27237) (#27238)
Backport #27237 by @silverwind

Fixes: https://github.com/go-gitea/gitea/issues/27230

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit dd44c2164e)
2023-10-03 14:48:18 +02:00
Giteabot
c590235171
Update database-preparation and add note re: MariaDB (#27232) (#27235)
Backport #27232 by @techknowlogick

update DB docs per feedback.
https://gitea.com/gitea/gitea-docusaurus/issues/69

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
(cherry picked from commit 2604571993)
2023-10-03 14:48:18 +02:00
KN4CK3R
13423d6eda
Quote table release in sql queries (#27205) (#27219)
Backport of #27205

Fixes #27174

`release` is a reserved keyword in MySql. I can't reproduce the issue on
my setup and we have a test for that code but it seems there can be
setups where it fails.

(cherry picked from commit eae6985b63)
2023-10-03 14:48:18 +02:00
Giteabot
1b1f878204
Fix release URL in webhooks (#27182) (#27184)
Backport #27182 by @jolheiser

Resolves #27180

`URL` points to the API URL, `HTMLURL` points to the web page.

Notably, however, for PRs they are the same URL. I switched them to use
HTMLURL to match the rest of the codebase terminology.

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
(cherry picked from commit d8583edfe7)
2023-10-03 14:48:18 +02:00
Giteabot
f8bf284794
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27162)
Backport #27150 by @memphis88

Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.

This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).

Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
(cherry picked from commit fbe1f35112)
2023-10-03 14:48:08 +02:00
Giteabot
dc6020645b
Fix successful return value for SyncAndGetUserSpecificDiff (#27152) (#27156)
Backport #27152 by @delvh

A function should not return an error when it is successful.
Otherwise, things like
https://discord.com/channels/322538954119184384/322538954119184384/1153705341620600833
happen…

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 25233a9bdc)
2023-10-03 14:48:08 +02:00
Earl Warren
99a93025d2
[SEMVER] 5.0.4+0-gitea-1.20.4 2023-09-20 12:51:52 +02:00
Giteabot
0d86ea0c43
Improve actions docs related to pull_request event (#27126) (#27145)
Backport #27126 by @Zettat123

Related to #27039

The `ref` property in Gitea Actions is different from GitHub Actions.
This PR improves the documentation to explain the difference.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 7a99c7b83c)
2023-09-20 12:50:46 +02:00
Giteabot
c041114a20
fix pagination for followers and following (#27127) (#27138)
Backport #27127 by @earl-warren

- Use the correct total amount for pagination. Thereby correctly show
the pagination bare when there's more than one page of
followers/followings.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1477

(cherry picked from commit c1a136318b)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 1d6e5c8e58)
2023-09-20 12:50:46 +02:00
Giteabot
f54189092f
services/wiki: Close() after error handling (#27129) (#27137)
Backport #27129 by @earl-warren

Refs: https://codeberg.org/forgejo/forgejo/pulls/1385

Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>
(cherry picked from commit 589e7d346f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Lars Lehtonen <lars.lehtonen@gmail.com>
(cherry picked from commit 882e465c3a)
2023-09-20 12:50:46 +02:00
Giteabot
64a418dfc7
Fix issue templates when blank isses are disabled (#27061) (#27082)
Backport #27061 by @JakobDev

Fixes #27060

Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit b139234fa8)
2023-09-20 12:50:46 +02:00
sebastian-sauer
3ea5384241
Load reviewer before sending notification (#27063) (#27064)
Fixes #27035

(cherry picked from commit d8b39324d7)
2023-09-20 12:50:46 +02:00
Lunny Xiao
745b45406d
Fix context cache bug & enable context cache for dashabord commits' authors(#26991) (#27017)
backport #26991

Unfortunately, when a system setting hasn't been stored in the database,
it cannot be cached.
Meanwhile, this PR also uses context cache for push email avatar display
which should avoid to read user table via email address again and again.

According to my local test, this should reduce dashboard elapsed time
from 150ms -> 80ms .

(cherry picked from commit 9df573bddc)
2023-09-20 12:50:46 +02:00
wxiaoguang
8f6d442a04
Use secure cookie for HTTPS sites (#26999) (#27013)
Backport #26999

If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's
default value should be true.

And, if a user visits an "http" site with "https" AppURL, they won't be
able to login, and they should have been warned. The only problem is
that the "language" can't be set either in such case, while I think it
is not a serious problem, and it could be fixed easily if needed.

(cherry picked from commit b0a405c5fa)
2023-09-20 12:50:46 +02:00
Infinoid
2e9fa11bb3
Correct the database.LOG_SQL default value in config cheat sheet (#26997) (#27002)
This is a manual backport of #26997 to v1.20.

(cherry picked from commit 3c53740244)
2023-09-20 12:50:46 +02:00
Giteabot
957a64d91a
Fix INI parsing for value with trailing slash (#26995) (#27001)
Backport #26995 by @wxiaoguang

Fix #26977 (a temp fix)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit da7d7e60d8)
2023-09-20 12:50:46 +02:00
Lunny Xiao
56a17f3565
Fix changelog typo (#26973)
(cherry picked from commit e502be46f3)
2023-09-20 12:50:46 +02:00
Gusted
4b9a473e12
[GITEA] Use restricted sanitizer for repository description
- Backport of https://codeberg.org/forgejo/forgejo/pulls/1433
  - Currently the repository description uses the same sanitizer as a
normal markdown document. This means that element such as heading and
images are allowed and can be abused.
  - Create a minimal restricted sanitizer for the repository description,
which only allows what the postprocessor currently allows, which are
links and emojis.
  - Added unit testing.
  - Resolves https://codeberg.org/forgejo/forgejo/issues/1202
  - Resolves https://codeberg.org/Codeberg/Community/issues/1122

(cherry picked from commit a8afa4cd18)
2023-09-13 17:17:37 +02:00
Earl Warren
5aad8a6918
[GITEA] enable system users for comment.LoadPoster
System users (Ghost, ActionsUser, etc) have a negative id and may be
the author of a comment, either because it was created by a now
deleted user or via an action using a transient token.

The GetPossibleUserByID function has special cases related to system
users and will not fail if given a negative id.

Refs: https://codeberg.org/forgejo/forgejo/issues/1425
(cherry picked from commit 97667e06b3)
2023-09-12 11:02:07 +02:00
Earl Warren
b63df8b5c4
[SEMVER] 5.0.3+0-gitea-1.20.4 2023-09-08 09:36:09 +02:00
techknowlogick
11af4c9aad
1.20.4 changelog (#26966)
(cherry picked from commit 4a886de71e)
2023-09-08 08:10:08 +02:00
techknowlogick
052c83393f
Improve LDAP group config documentation (#21227) (#26921)
backport #21227

author @svenseeberg

Co-authored-by: Sven Seeberg <mail@sven-seeberg.de>
Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit b6fd1e48c0)
2023-09-08 08:10:08 +02:00
Giteabot
e25033ef8a
Update documents to fix some links (#26885) (#26888)
Backport #26885 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 9f14b2173a)
2023-09-08 08:09:18 +02:00
CaiCandong
f34f2c3141
Update docs about attachment path (#26883) (#26884)
Backport #26883
This change was caused by #26271, for configuration as below:
```
[attachment]
ENABLE = true
PATH = data/attachments
MAX_SIZE = 100
MAX_FILES = 5
```
Before #26271, the resolved path is ${AppWorkPath}/${attachments.PATH}
(such as `/var/lib/gitea/data/attachments`)
After #26271, the resolved path is ${AppDataPath}/${attachments.PATH}
(such as `/var/lib/gitea/data/data/attachments`)

Fix https://github.com/go-gitea/gitea/issues/26864 Follow
https://github.com/go-gitea/gitea/pull/26271

(cherry picked from commit e15794f62f)
2023-09-08 08:09:18 +02:00
Giteabot
4df75c254f
Fix wrong review requested number (#26784) (#26880)
Backport #26784 by @lng2020

Fix the wrong review requested number mentioned by #18808 .
Fix #18808
Before:

![ksnip_20230829-140750](https://github.com/go-gitea/gitea/assets/70063547/0af2055b-6f16-4699-a944-c7186831d7f9)
After:

![ksnip_20230829-141817](https://github.com/go-gitea/gitea/assets/70063547/16633264-20ba-45e3-bfbb-a495ed76a45b)

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 2a184796b5)
2023-09-08 08:09:18 +02:00
Giteabot
1689b3da55
Redirect from {repo}/issues/new to {repo}/issues/new/choose when blank issues are disabled (#26813) (#26847)
Backport #26813 by @JakobDev

You can currently visit `{repo}/issues/new` and create a blank issue,
even if it's disabled. This PR fixes this,

Fixes https://codeberg.org/forgejo/forgejo/issues/1356

Co-authored-by: JakobDev <jakobdev@gmx.de>
(cherry picked from commit 2cfabb68ff)
2023-09-08 08:09:18 +02:00
wxiaoguang
9c0380fe84
Avoid double-unescaping of form value (#26853) (#26863)
Backport #26853

The old `prepareQueryArg` did double-unescaping of form value.

(cherry picked from commit e8da63c24e)
2023-09-08 08:09:18 +02:00
Giteabot
193e04c43b
Fix verifyCommits error when push a new branch (#26664) (#26810)
Backport #26664 by @CaiCandong

> ### Description
> If a new branch is pushed, and the repository has a rule that would
require signed commits for the new branch, the commit is rejected with a
500 error regardless of whether it's signed.
>
> When pushing a new branch, the "old" commit is the empty ID
(0000000000000000000000000000000000000000). verifyCommits has no
provision for this and passes an invalid commit range to git rev-list.
Prior to 1.19 this wasn't an issue because only pre-existing individual
branches could be protected.
>
> I was able to reproduce with
[try.gitea.io/CraigTest/test](https://try.gitea.io/CraigTest/test),
which is set up with a blanket rule to require commits on all branches.

Fix #25565
Very thanks to @Craig-Holmquist-NTI for reporting the bug and suggesting
an valid solution!

Co-authored-by: CaiCandong <50507092+CaiCandong@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 93c36f395c)
2023-09-08 08:09:18 +02:00
Giteabot
6b5ef0fad7
Sync tags when adopting repos (#26816) (#26834)
Backport #26816 by @Zettat123

Fixes #26138

Sync the tags into database when adopting repos

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 302c03c4a9)
2023-09-08 08:09:18 +02:00
Giteabot
d5845521a8
check blocklist for emails when adding them to account (#26812) (#26831)
Backport #26812 by @techknowlogick

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
(cherry picked from commit 41bae29f84)
2023-09-08 08:09:18 +02:00
yp05327
a6c2201dd4
Fix context filter has no effect in dashboard (#26695) (#26811)
Backport #26695

(cherry picked from commit c72f6067b3)
2023-09-08 08:09:18 +02:00
js6pak
833cf722ab
Include the GITHUB_TOKEN/GITEA_TOKEN secret for fork pull requests (#26759) (#26806)
Backport #26759

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit 54cc459ea8)
2023-09-08 08:09:18 +02:00
Giteabot
0b1175f21b
Add fix incorrect can_create_org_repo for org owner team (#26683) (#26791)
Backport #26683 by @yp05327

Related to: #8312 #26491

In migration v109, we only added a new column `CanCreateOrgRepo` in Team
table, but not initial the value of it.
This may cause bug like #26491.

Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit c3d323fd85)
2023-09-08 08:09:18 +02:00
Giteabot
4d2b4008d3
Fix some slice append usages (#26778) (#26798)
Backport #26778 by @harryzcy

Co-authored-by: Chongyi Zheng <git@zcy.dev>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 4013f3f600)
2023-09-08 08:09:18 +02:00
Giteabot
1d228e6ee9
Fix being unable to use a repo that prohibits accepting PRs as a PR source. (#26785) (#26790)
Backport #26785 by @CaiCandong

## Description
Sometimes, we need to use an upstream mirror repository to update the
current development repository, but mirror repositories are prohibited
from PR. It should not appear in `merge to,` but it can appear in `pull
from.`
Fix #24585 #26193 #26781
Related #24183

Many thanks to @apnote  for assisting me in reproducing this bug!

## ScreenShot
---
### Before

<img
src="https://github.com/go-gitea/gitea/assets/50507092/3d76c376-1f54-45b9-80c9-6ba8319d6a9a"
width="400px">

<img
src="https://github.com/go-gitea/gitea/assets/50507092/fbfd9f7f-421f-4a2e-9a3e-f2958bbf3312"
width="400px">

### After

<img
src="https://github.com/go-gitea/gitea/assets/50507092/e6984524-4f61-4310-b795-4d8598bd8963"
width="400px">

<img
src="https://github.com/go-gitea/gitea/assets/50507092/04065b44-78d7-4721-bf31-0f1674150727"
width="400px">

Co-authored-by: CaiCandong <50507092+CaiCandong@users.noreply.github.com>
(cherry picked from commit 3bab20491e)
2023-09-08 08:09:18 +02:00
xpume
53e4f672a3
Fix Page Not Found error (#26768)
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit c8b189eb01)
2023-09-08 08:07:19 +02:00
Lunny Xiao
bb84b7565f
Fix bug for ctx usage (#26763)
Fix #26684
Backport #26762

(cherry picked from commit a1cec4141e)
2023-09-08 08:07:19 +02:00
wxiaoguang
66016b3fe3
Fix incorrect "tabindex" attributes (#26733) (#26734)
Backport #26733 manually

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 307ee2c044)
2023-09-08 08:07:19 +02:00
Giteabot
d7aa9fc964
Fix link in mirror docs (#26719) (#26732)
Backport #26719 by @silverwind

Fix hash fragment in this link

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 2f6c0e6596)
2023-09-08 08:07:19 +02:00
Giteabot
c407810217
Add matrix to support (#26382) (#26722)
Backport #26382 by @jolheiser

This PR adds our matrix space to the support options and alphabetizes
the list.

I also considered adding our Mastodon, however that isn't as suitable as
the other options because it's just whoever has access to the account vs
a community chat/forum.

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
(cherry picked from commit e6173acac9)
2023-09-08 08:07:19 +02:00
Giteabot
560ff3ea36
Make issue template field template access correct template data (#26698) (#26709)
Backport #26698 by @wxiaoguang

Regression of #23092, the `{{$field := .}}` was missing during that
refactoring.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 4af872178e)
2023-09-08 08:07:19 +02:00
wxiaoguang
4da20765e8
Backport line height fix (#26708)
Backport the `line-height: normal`, because #26520 was backported

(cherry picked from commit 508c624e99)
2023-09-08 08:07:19 +02:00