- The transaction in combination with Git push was causing deadlocks if
you had the `push_update` queue set to `immediate`. This was the root
cause of slow integration tests in CI.
- Remove the sync branch code as this is already being done in the Git
post-receive hook.
- Add tests to proof the branch models are in sync even with this code
removed.
Backport of https://codeberg.org/forgejo/forgejo/pulls/1962
(cherry picked from commit a064065cb9)
This reverts commit 172fdd0d32.
This code was introduced for a test case that is no longer in use. It
should guard against the provider being null but that's not worth the
effort for deadcode. Just remove it.
Refs: https://codeberg.org/forgejo/forgejo/issues/1984
It shows warnings although the setting is not set, this will surely be
fixed later but there is no sense in spaming the users right now. This
revert can be discarded when another fix lands in v1.21.
su -c "forgejo admin user generate-access-token -u root --raw --scopes 'all,sudo'" git
2023/12/12 15:54:45 .../setting/security.go:166:loadSecurityFrom() [W] Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.
This reverts commit 0e3a5abb69.
Conflicts:
routers/api/v1/api.go
Backport #28390 by @jackHay22
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example:
```
HTTP/1.1 200 OK
...
Warning: token and access_token API authentication is deprecated
...
```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`
## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed
## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)
Co-authored-by: Jack Hay <jack@allspice.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit f144521aea)
Fix #28056
Backport #28361
This PR will check whether the repo has zero branch when pushing a
branch. If that, it means this repository hasn't been synced.
The reason caused that is after user upgrade from v1.20 -> v1.21, he
just push branches without visit the repository user interface. Because
all repositories routers will check whether a branches sync is necessary
but push has not such check.
For every repository, it has two states, synced or not synced. If there
is zero branch for a repository, then it will be assumed as non-sync
state. Otherwise, it's synced state. So if we think it's synced, we just
need to update branch/insert new branch. Otherwise do a full sync. So
that, for every push, there will be almost no extra load added. It's
high performance than yours.
For the implementation, we in fact will try to update the branch first,
if updated success with affect records > 0, then all are done. Because
that means the branch has been in the database. If no record is
affected, that means the branch does not exist in database. So there are
two possibilities. One is this is a new branch, then we just need to
insert the record. Another is the branches haven't been synced, then we
need to sync all the branches into database.
(cherry picked from commit 87db4a47c8)
- Backport #1911
- Currently there's code to recover gracefully from panics that happen
within the execution of cron tasks. However this recover code wasn't
being run, because `RunWithShutdownContext` also contains code to
recover from any panic and then gracefully shutdown Forgejo. Because
`RunWithShutdownContext` registers that code as last, that would get run
first which in this case is not behavior that we want.
- Move the recover code to inside the function, so that is run first
before `RunWithShutdownContext`'s recover code (which is now a noop).
- Resolves #1910
(cherry picked from commit 761e1c83414407b65e331c2eeb4348c47acf0fbb)
Backport #28334 by @lng2020
Fix #28328
```
func (p *PullRequestComment) GetDiffHunk() string {
if p == nil || p.DiffHunk == nil {
return ""
}
return *p.DiffHunk
}
```
This function in the package `go-github` may return an empty diff. When
it's empty, the following code will panic because it access `ss[1]`
ec1feedbf5/services/migrations/gitea_uploader.go (L861-L867)ec1feedbf5/modules/git/diff.go (L97-L101)
Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 8b590de186)
Backport #28325 by @brechtvl
Changing an issue status, assignee, labels or milestone without also
adding a comment would not update the index, resulting in wrong search
results.
Co-authored-by: Brecht Van Lommel <brecht@blender.org>
(cherry picked from commit 8c8c24f8eb)
If the Forgejo factory for the Forgejo service is not registered,
newDownloader will fallback to a git service and not migrate issues
etc.
Refs: https://codeberg.org/forgejo/forgejo/issues/1678
(cherry picked from commit 2ecb2558be696965a49b543d5e843526c105e07a)
Do not include tests so it is kept minimal.
- Backport https://codeberg.org/forgejo/forgejo/pulls/1839
- Consider executable files as a valid case when returning a downloadURL
for them. They are just regular files with the difference being the
executable permission bit being set.
- Not integration testing as it's not possible without adding adjusting
the existing repositories to have a executable file.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1825
(cherry picked from commit ca32891d54)
Closes #1789.
The bug was due to the fact that GitLab does not guarantee that issue numbers are created sequentially: some identifiers can be skipped. Therefore, the new pull requests numbers should not be offset by the number of issues, but by the maximum issue number.
See for instance https://gitlab.com/troyengel/archbuild/-/issues/?sort=created_date&state=all&first_page_size=20, where there is only a singe issue with number "2".
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1790
Co-authored-by: Antonin Delpeuch <antonin@delpeuch.eu>
Co-committed-by: Antonin Delpeuch <antonin@delpeuch.eu>
(cherry picked from commit 2c185c39fe)
Closes #1837.
The differences in dates can be explained by commit e19b9653ea, which
changed the order in which "created_date" and "updated_date" are
considered.
backport #28213
This PR will fix some missed checks for private repositories' data on
web routes and API routes.
(cherry picked from commit bc3d8bff73)
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.
(cherry picked from commit eff097448b)
[GITEA] rework long-term authentication (squash) add migration
Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"
(cherry picked from commit 4accf7443c)
(cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc)
(cherry picked from commit d8bc98a8f0)
(cherry picked from commit 6404845df9)
(cherry picked from commit 72bdd4f3b9)
(cherry picked from commit 4b01bb0ce8)
(cherry picked from commit c26ac31816)
- If there's a code comment that's received during the migration that
contains no diffhunk, skip it. This either means it was commenting on
old diffhunk or it's just a general codecomment. Forgejo supports
neither of such type of code comment.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1407
(cherry picked from commit ae463c7c55)
(cherry picked from commit bf48f02a86)
(cherry picked from commit 10c3f102fa)
(cherry picked from commit 828b4cc10c)
(cherry picked from commit 6427fa65b6)
(cherry picked from commit 5b7a43c43f)
(cherry picked from commit 49eb256648)
(cherry picked from commit 0be26ca144)
(cherry picked from commit c083236a58)
(cherry picked from commit 85738bc0a1)
Sends email with information on the new user (time of creation and time of last sign-in) and a link to manage the new user from the admin panel
closes: https://codeberg.org/forgejo/forgejo/issues/480
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1371
Co-authored-by: Aravinth Manivannan <realaravinth@batsense.net>
Co-committed-by: Aravinth Manivannan <realaravinth@batsense.net>
(cherry picked from commit c721aa828b)
(cherry picked from commit 6487efcb9d)
Conflicts:
modules/notification/base/notifier.go
modules/notification/base/null.go
modules/notification/notification.go
https://codeberg.org/forgejo/forgejo/pulls/1422
(cherry picked from commit 7ea66ee1c5)
Conflicts:
services/notify/notifier.go
services/notify/notify.go
services/notify/null.go
https://codeberg.org/forgejo/forgejo/pulls/1469
(cherry picked from commit 7d2d997011)
(cherry picked from commit 435a54f140)
(cherry picked from commit 8ec7b3e448)
[GITEA] notifies admins on new user registration (squash) performance bottleneck
Refs: https://codeberg.org/forgejo/forgejo/issues/1479
(cherry picked from commit 97ac9147ff)
(cherry picked from commit 19f295c16b)
(cherry picked from commit 3367dcb2cf)
[GITEA] notifies admins on new user registration (squash) cosmetic changes
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 9f1670e040)
(cherry picked from commit de5bb2a224)
(cherry picked from commit 8f8e52f31a)
(cherry picked from commit e0d5130312)
(cherry picked from commit f1288d6d9b)
(cherry picked from commit f664f41658)
(cherry picked from commit e44e6c7e47)
(cherry picked from commit c0d958cc4c)
(cherry picked from commit a88baa5e48)
[GITEA] notifies admins on new user registration (squash) ctx.Locale
(cherry picked from commit 2f6329f693)
As the docs of codeberg refer to the strings printed by the Forgejo
ssh servers, this is user-facing and is nice to update to the new
product name.
(cherry picked from commit 103991d73f)
(cherry picked from commit 2a0d3f85f1)
(cherry picked from commit eb2b4ce388)
(cherry picked from commit 0998b51716)
[BRANDING] forgejo log message
(cherry picked from commit d51a046ebe)
(cherry picked from commit d66e1c7b6e)
(cherry picked from commit b5bffe4ce8)
(cherry picked from commit 3fa776d856)
(cherry picked from commit 18d064f472)
(cherry picked from commit c95094e355)
(cherry picked from commit 5784290bc4)
(cherry picked from commit aee336886b)
(cherry picked from commit ec2f60b516)
(cherry picked from commit 7af742a284)
(cherry picked from commit f279e2a264)
(cherry picked from commit fd38cfb14e)
(cherry picked from commit 64c8226618)
(cherry picked from commit b546fb2304)
(cherry picked from commit ad10202177)
(cherry picked from commit c89cab9c2b)
(cherry picked from commit 9579322ec2)
(cherry picked from commit 16b44ad18d)
(cherry picked from commit 2571ff703b)
(cherry picked from commit ad61d9ce9b)
(cherry picked from commit 9b2c45d4d3)
(cherry picked from commit ed01b79a59)
(cherry picked from commit d040b66427)
(cherry picked from commit ffe0bbea48)
(cherry picked from commit 4c1b2c409b)
(cherry picked from commit 3d8338ed10)
(cherry picked from commit a92f044ea9)
[BRANDING] link to forgejo.org/docs instead of docs.gitea.io
(cherry picked from commit 3efafd0e08)
(cherry picked from commit 148185e34b)
(cherry picked from commit 834e264698)
(cherry picked from commit e72fa6eb1e)
[BRANDING] link to forgejo.org/docs instead of docs.gitea.io
Fix the link that was 404.
(cherry picked from commit ae515d7258)
(cherry picked from commit facc2367f0)
(cherry picked from commit 25784b9f21)
(cherry picked from commit 2efc6138d9)
(cherry picked from commit b9d0871631)
(cherry picked from commit f0446e51b9)
(cherry picked from commit 1638aa67fb)
(cherry picked from commit 290db6a018)
(cherry picked from commit 89b87cf542)
(cherry picked from commit 656ed94962)
(cherry picked from commit 036f879f96)
(cherry picked from commit 69eea35f81)
(cherry picked from commit b72e3f4a92)
(cherry picked from commit af606b8574)
(cherry picked from commit 7e47f8135c)
(cherry picked from commit 0e5218cc53)
(cherry picked from commit 7c2a20a528)
(cherry picked from commit 4e94006363)
(cherry picked from commit e47cdfc43f)
(cherry picked from commit 1dcb3e1da4)
(cherry picked from commit 67367c4e0f)
(cherry picked from commit 252087d1ff)
(cherry picked from commit f5977a43e5)
Conflicts:
templates/base/head_navbar.tmpl
https://codeberg.org/forgejo/forgejo/pulls/1351
(cherry picked from commit 594938eb15)
(cherry picked from commit 0257d038a7)
(cherry picked from commit 72821dd140)
[BRANDING] s/gitea/forgejo/ in HTML placeholders
Replaced Gitea branding with Forgejo for input placeholders
Closes: #686
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/752
(cherry picked from commit 6160d37ca9)
(cherry picked from commit df61138c7e)
(cherry picked from commit 1f30566c3f)
(cherry picked from commit 539bb825f5)
(cherry picked from commit bee0f66c86)
(cherry picked from commit 60ad005c95)
(cherry picked from commit 282e26222e)
(cherry picked from commit f9ca551f3d)
(cherry picked from commit b2e04b04c3)
(cherry picked from commit c8f395a03c)
(cherry picked from commit 0d58ce49ae)
(cherry picked from commit c602ddf91e)
(cherry picked from commit 029e37271e)
(cherry picked from commit fdaa96b3cc)
(cherry picked from commit 515d99e27d)
(cherry picked from commit da73274ba1)
(cherry picked from commit ce90b696a0)
(cherry picked from commit b6bf98763b)
(cherry picked from commit 5b380d22d7)
[BRANDING] How to start a runner: URL to Actions admin documentation
(cherry picked from commit da91799e6f)
(cherry picked from commit 28231663b6)
(cherry picked from commit 533a90345b)
(cherry picked from commit 6a0e4e55dd)
(cherry picked from commit f47cd611c6)
(cherry picked from commit 001264b784)
(cherry picked from commit e4099e9bb9)
(cherry picked from commit 3a1885649f)
(cherry picked from commit c42802c710)
(cherry picked from commit a611ce8d6d)
(cherry picked from commit a3d7d10a80)
(cherry picked from commit 52adde671f)
(cherry picked from commit c9a3820fef)
(cherry picked from commit dce40997c9)
(cherry picked from commit 312a6b92f3)
[BRANDING] package templates & links
- Change Gitea to Forgejo where necessary.
- Point all documentation to Forgejo's documentation.
- Resolves #992
(cherry picked from commit d0b78a6ede)
(cherry picked from commit e2382f30ba)
(cherry picked from commit c41cf05a33)
(cherry picked from commit 797e598ae7)
(cherry picked from commit 970031a1c2)
(cherry picked from commit 0c1180e2e1)
Conflicts:
templates/package/content/alpine.tmpl
templates/package/content/cargo.tmpl
templates/package/content/chef.tmpl
templates/package/content/composer.tmpl
templates/package/content/conan.tmpl
templates/package/content/conda.tmpl
templates/package/content/container.tmpl
templates/package/content/cran.tmpl
templates/package/content/debian.tmpl
templates/package/content/generic.tmpl
templates/package/content/go.tmpl
templates/package/content/helm.tmpl
templates/package/content/maven.tmpl
templates/package/content/npm.tmpl
templates/package/content/nuget.tmpl
templates/package/content/pub.tmpl
templates/package/content/pypi.tmpl
templates/package/content/rpm.tmpl
templates/package/content/rubygems.tmpl
templates/package/content/swift.tmpl
templates/package/content/vagrant.tmpl
https://codeberg.org/forgejo/forgejo/pulls/1351
(cherry picked from commit 42ac9ff2ab)
(cherry picked from commit e390000bce)
(cherry picked from commit 56a437b29b)
Conflicts:
templates/package/content/cargo.tmpl
https://codeberg.org/forgejo/forgejo/pulls/1466
[BRANDING] s/Gitea/Forgejo/ in user visible help & comments
- Modify the README of the docker directory to point to the relevant
docker files and documentation for Forgejo.
(cherry picked from commit aca6371215)
(cherry picked from commit 0ba96b1bc4)
(cherry picked from commit 5c8e6b53f1)
Conflicts:
docker/README.md
https://codeberg.org/forgejo/forgejo/pulls/1351
(cherry picked from commit b3121c8004)
(cherry picked from commit 607f870416)
(cherry picked from commit 191d96afe4)
[BRANDING] healthcheck/check.go
(cherry picked from commit d703a236ce)
(cherry picked from commit d84ce3ff20)
(cherry picked from commit 2dbb844606)
(cherry picked from commit 14d3ae7e3a)
[BRANDING] s/Gitea/Forgejo/g in CLI output
(cherry picked from commit 7543c126bb)
(cherry picked from commit b66f422fc3)
(cherry picked from commit a81e4e46f3)
[BRANDING] Gitea->Forgejo in mailer code
(cherry picked from commit b91afea4ff)
(cherry picked from commit 5d7428167c)
(cherry picked from commit ed8101ba6c)
[BRANDING] use 'Forgejo' for Discord, Packagist, and Slack webhooks
Refs: https://codeberg.org/forgejo/forgejo/issues/1387
(cherry picked from commit 7dc3a05f5b)
(cherry picked from commit 133f2fc6cc)
[BRANDING] cmd/manager.go
(cherry picked from commit d1dba2c79d)
[BRANDING] pyproject.toml
(cherry picked from commit 7e8c868db2)
(cherry picked from commit 2395995c8b)
(cherry picked from commit dd6fbbf332)
Conflicts:
templates/package/content/cargo.tmpl
https://codeberg.org/forgejo/forgejo/pulls/1548
(cherry picked from commit 6f9a5d5cab)
(cherry picked from commit d0635c4a07)
(cherry picked from commit 5d3b4594df)
(cherry picked from commit 6da3b43eff)
(cherry picked from commit b60dfaba10)
(cherry picked from commit bcb9bb4dee)
(cherry picked from commit d5301b6a24)
- Add the ability to block a user via their profile page.
- This will unstar their repositories and visa versa.
- Blocked users cannot create issues or pull requests on your the doer's repositories (mind that this is not the case for organizations).
- Blocked users cannot comment on the doer's opened issues or pull requests.
- Blocked users cannot add reactions to doer's comments.
- Blocked users cannot cause a notification trough mentioning the doer.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/540
(cherry picked from commit 687d852480)
(cherry picked from commit 0c32a4fde5)
(cherry picked from commit 1791130e3c)
(cherry picked from commit 37858b7e8f)
(cherry picked from commit a3e2bfd7e9)
(cherry picked from commit 7009b9fe87)
Conflicts: https://codeberg.org/forgejo/forgejo/pulls/1014
routers/web/user/profile.go
templates/user/profile.tmpl
(cherry picked from commit b2aec34791)
(cherry picked from commit e2f1b73752)
[MODERATION] organization blocking a user (#802)
- Resolves #476
- Follow up for: #540
- Ensure that the doer and blocked person cannot follow each other.
- Ensure that the block person cannot watch doer's repositories.
- Add unblock button to the blocked user list.
- Add blocked since information to the blocked user list.
- Add extra testing to moderation code.
- Blocked user will unwatch doer's owned repository upon blocking.
- Add flash messages to let the user know the block/unblock action was successful.
- Add "You haven't blocked any users" message.
- Add organization blocking a user.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/802
(cherry picked from commit 0505a10421)
(cherry picked from commit 37b4e6ef9b)
(cherry picked from commit c17c121f2c)
[MODERATION] organization blocking a user (#802) (squash)
Changes to adapt to:
6bbccdd177 Improve AJAX link and modal confirm dialog (#25210)
Refs: https://codeberg.org/forgejo/forgejo/pulls/882/files#issuecomment-945962
Refs: https://codeberg.org/forgejo/forgejo/pulls/882#issue-330561
(cherry picked from commit 523635f83c)
(cherry picked from commit 4743eaa6a0)
(cherry picked from commit eff5b43d2e)
Conflicts: https://codeberg.org/forgejo/forgejo/pulls/1014
routers/web/user/profile.go
(cherry picked from commit 9d359be5ed)
(cherry picked from commit b1f3069a22)
[MODERATION] add user blocking API
- Follow up for: #540, #802
- Add API routes for user blocking from user and organization
perspective.
- The new routes have integration testing.
- The new model functions have unit tests.
- Actually quite boring to write and to read this pull request.
(cherry picked from commit f3afaf15c7)
(cherry picked from commit 6d754db3e5)
(cherry picked from commit 2a89ddc0ac)
(cherry picked from commit 4a147bff7e)
Conflicts:
routers/api/v1/api.go
templates/swagger/v1_json.tmpl
(cherry picked from commit bb8c339185)
(cherry picked from commit 5a11569a01)
(cherry picked from commit 2373c801ee)
[MODERATION] restore redirect on unblock
ctx.RedirectToFirst(ctx.FormString("redirect_to"), ctx.ContextUser.HomeLink())
was replaced by
ctx.JSONOK()
in 128d77a3a Following up fixes for "Fix inconsistent user profile layout across tabs" (#25739)
thus changing the behavior (nicely spotted by the tests). This
restores it.
(cherry picked from commit 597c243707)
(cherry picked from commit cfa539e590)
[MODERATION] Add test case (squash)
- Add an test case, to test an property of the function.
(cherry picked from commit 70dadb1916)
[MODERATION] Block adding collaborators
- Ensure that the doer and blocked user cannot add each other as
collaborators to repositories.
- The Web UI gets an detailed message of the specific situation, the API
gets an generic Forbidden code.
- Unit tests has been added.
- Integration testing for Web and API has been added.
- This commit doesn't introduce removing each other as collaborators on
the block action, due to the complexity of database calls that needs to
be figured out. That deserves its own commit and test code.
(cherry picked from commit 747be949a1)
[MODERATION] move locale_en-US.ini strings to avoid conflicts
Conflicts:
web_src/css/org.css
web_src/css/user.css
https://codeberg.org/forgejo/forgejo/pulls/1180
(cherry picked from commit e53f955c88)
Conflicts:
services/issue/comments.go
https://codeberg.org/forgejo/forgejo/pulls/1212
(cherry picked from commit b4a454b576)
Conflicts:
models/forgejo_migrations/migrate.go
options/locale/locale_en-US.ini
services/pull/pull.go
https://codeberg.org/forgejo/forgejo/pulls/1264
[MODERATION] Remove blocked user collaborations with doer
- When the doer blocks an user, who is also an collaborator on an
repository that the doer owns, remove that collaboration.
- Added unit tests.
- Refactor the unit test to be more organized.
(cherry picked from commit ec87016178)
(cherry picked from commit 313e6174d8)
[MODERATION] QoL improvements (squash)
- Ensure that organisations cannot be blocked. It currently has no
effect, as all blocked operations cannot be executed from an
organisation standpoint.
- Refactored the API route to make use of the `UserAssignmentAPI`
middleware.
- Make more use of `t.Run` so that the test code is more clear about
which block of code belongs to which test case.
- Added more integration testing (to ensure the organisations cannot be
blocked and some authorization/permission checks).
(cherry picked from commit e9d638d075)
[MODERATION] s/{{avatar/{{ctx.AvatarUtils.Avatar/
(cherry picked from commit ce8b30be13)
(cherry picked from commit f911dc4025)
Conflicts:
options/locale/locale_en-US.ini
https://codeberg.org/forgejo/forgejo/pulls/1354
(cherry picked from commit c1b37b7fda)
(cherry picked from commit 856a2e0903)
[MODERATION] Show graceful error on comment creation
- When someone is blocked by the repository owner or issue poster and
try to comment on that issue, they get shown a graceful error.
- Adds integration test.
(cherry picked from commit 490646302e)
(cherry picked from commit d3d88667cb)
(cherry picked from commit 6818de13a9)
[MODERATION] Show graceful error on comment creation (squash) typo
(cherry picked from commit 1588d4834a)
(cherry picked from commit d510ea52d0)
(cherry picked from commit 8249e93a14)
[MODERATION] Refactor integration testing (squash)
- Motivation for this PR is that I'd noticed that a lot of repeated
calls are happening between the test functions and that certain tests
weren't using helper functions like `GetCSRF`, therefor this refactor of
the integration tests to keep it: clean, small and hopefully more
maintainable and understandable.
- There are now three integration tests: `TestBlockUser`,
`TestBlockUserFromOrganization` and `TestBlockActions` (and has been
moved in that order in the source code).
- `TestBlockUser` is for doing blocking related actions as an user and
`TestBlockUserFromOrganization` as an organisation, even though they
execute the same kind of tests they do not share any database calls or
logic and therefor it currently doesn't make sense to merge them
together (hopefully such oppurtinutiy might be presented in the future).
- `TestBlockActions` now contain all tests for actions that should be
blocked after blocking has happened, most tests now share the same doer
and blocked users and a extra fixture has been added to make this
possible for the comment test.
- Less code, more comments and more re-use between tests.
(cherry picked from commit ffb393213d)
(cherry picked from commit 85505e0f81)
(cherry picked from commit 0f3cf17761)
[MODERATION] Fix network error (squash)
- Fix network error toast messages on user actions such as follow and
unfollow. This happened because the javascript code now expects an JSON
to be returned, but this wasn't the case due to
cfa539e590127b4953b010fba3dea21c82a1714.
- The integration testing has been adjusted to instead test for the
returned flash cookie.
(cherry picked from commit 112bc25e54)
(cherry picked from commit 1194fe4899)
(cherry picked from commit 9abb95a844)
[MODERATION] Modernize frontend (squash)
- Unify blocked users list.
- Use the new flex list classes for blocked users list to avoid using
the CSS helper classes and thereby be consistent in the design.
- Fix the modal by using the new modal class.
- Remove the icon in the modal as looks too big in the new design.
- Fix avatar not displaying as it was passing the context where the user
should've been passed.
- Don't use italics for 'Blocked since' text.
- Use namelink template to display the user's name and homelink.
(cherry picked from commit ec935a16a3)
(cherry picked from commit 67f37c8346)
Conflicts:
models/user/follow.go
models/user/user_test.go
routers/api/v1/user/follower.go
routers/web/shared/user/header.go
routers/web/user/profile.go
templates/swagger/v1_json.tmpl
https://codeberg.org/forgejo/forgejo/pulls/1468
(cherry picked from commit 6a9626839c)
Conflicts:
tests/integration/api_nodeinfo_test.go
https://codeberg.org/forgejo/forgejo/pulls/1508#issuecomment-1242385
(cherry picked from commit 7378b251b4)
Conflicts:
models/fixtures/watch.yml
models/issues/reaction.go
models/issues/reaction_test.go
routers/api/v1/repo/issue_reaction.go
routers/web/repo/issue.go
services/issue/issue.go
https://codeberg.org/forgejo/forgejo/pulls/1547
(cherry picked from commit c2028930c1)
(cherry picked from commit d3f9134aee)
(cherry picked from commit 7afe154c5c)
(cherry picked from commit e6839caa4e)
(cherry picked from commit f546c95c29)
(cherry picked from commit 839aa964a0)
Conflicts:
services/user/delete.go
https://codeberg.org/forgejo/forgejo/pulls/1731
[MODERATION] Add repo transfers to blocked functionality (squash)
- When someone gets blocked, remove all pending repository transfers
from the blocked user to the doer.
- Do not allow to start transferring repositories to the doer as blocked user.
- Added unit testing.
- Added integration testing.
(cherry picked from commit 8a3caac330)
(cherry picked from commit a92b4cfeb6)
(cherry picked from commit acaaaf07d9)
(cherry picked from commit 735818863c)
(cherry picked from commit f50fa43b32)
(cherry picked from commit e166836433)
(cherry picked from commit e0187b21fe)
(cherry picked from commit 697a492686)
(cherry picked from commit beb4a8a452)
[MODERATION] Fix unblock action (squash)
- Pass the whole context instead of only giving pieces.
- This fixes CSRF not correctly being inserted into the unblock buttons.
(cherry picked from commit 2aa51922ba)
(cherry picked from commit 7ee8db0f01)
(cherry picked from commit e4f8b999bc)
(cherry picked from commit 05aea60b13)
(cherry picked from commit dc0d61b012)
(cherry picked from commit f53fa583de)
(cherry picked from commit f3d129247e)
(cherry picked from commit 2369d918b4)
(cherry picked from commit 609f56d4f2)
[MODERATION] cope with shared fixtures
* There is one more issue in the fixtures and this breaks some tests
* The users in the shared fixtures were renamed for clarity and that
breaks some tests
(cherry picked from commit 707a4edbdf)
Conflicts:
modules/indexer/issues/indexer_test.go
https://codeberg.org/forgejo/forgejo/pulls/1508
(cherry picked from commit 82cc044366)
(cherry picked from commit 2776aec7e8)
(cherry picked from commit 1fbde36dc7)
(cherry picked from commit 1293db3c4e)
(cherry picked from commit 6dbce742d3)
(cherry picked from commit 652ad8f0f7)
(cherry picked from commit 6ad40a59dc)
[MODERATION] Fix transfer confirmation (squash)
- Fix problem caused by the clearer confirmation for dangerous actions commit.
(cherry picked from commit 3488f4a9cb)
(cherry picked from commit ed7de91f6a)
(cherry picked from commit 2d97929b9b)
(cherry picked from commit 50d035a7b0)
(cherry picked from commit 0a0c07d78a)
(cherry picked from commit 79009609e3)
(cherry picked from commit b576f3cda3)
(cherry picked from commit c5969abfb4)
[MODERATION] Purge issues on user deletion (squash)
(cherry picked from commit 4f529d9596)
(cherry picked from commit f0e3acadd3)
(cherry picked from commit 682c4effe6)
(cherry picked from commit eb99857433)
(cherry picked from commit 9af6e03aab)
(cherry picked from commit ad3ad4baec)
[MODERATION] Purge issues on user deletion (squash) revert shared fixtures workarounds
(cherry picked from commit 7224653a40)
(cherry picked from commit aa6e8672f9)
(cherry picked from commit 58c7947e95)
(cherry picked from commit 149f6b3533)
(cherry picked from commit 65e65e04f3)
(cherry picked from commit 57428561b5)
(cherry picked from commit 94b6046c52)
- Forgejo has the option to delete users, in which all data except
issues and comments are removed, this makes sense in some cases where
users need to be removed cleanly but without removing their existing bug
reports or comments to an discussion. In the case of spammers, admins
have the option to enable purging, where comments are removed.
- Add issues to the list of things to be removed if purge is checked.
- No unit testing, as this gigantic function doesn't have one to begin
with.
- Add integration test.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1268
(cherry picked from commit 3ed381c758)
(cherry picked from commit 44d00650ce)
(cherry picked from commit 7f4da82779)
(cherry picked from commit d629314def)
Conflicts:
models/fixtures/issue.yml
https://codeberg.org/forgejo/forgejo/pulls/1508
(cherry picked from commit 794dcc218f)
(cherry picked from commit c433f2ecb6)
(cherry picked from commit bb23683f4b)
(cherry picked from commit 634c5604d4)
(cherry picked from commit 492ff6379a)
(cherry picked from commit 496b04f8e7)
(cherry picked from commit 3c6e5fca84)
(cherry picked from commit b309d0b549)
- Use TXT records in order to determine the latest available version.
- This addresses a valid privacy issue, as with HTTP requests the server
can keep track(estimated) of how many instances are using Forgejo, with
DNS that's basically not possible as the server will never receive any
data, as the only ones receiving data are DNS resolvers.
(cherry picked from commit 0baefb546a)
(cherry picked from commit e8ee41880b)
(cherry picked from commit 7eca4f3bf1)
(cherry picked from commit 6dde3992dc)
(cherry picked from commit fb3a37fbfc)
(cherry picked from commit 8304af1e9d)
(cherry picked from commit 0543a7d12a)
(cherry picked from commit c3a22933b7)
(cherry picked from commit e243707694)
(cherry picked from commit 7eb6d1bcf7)
(cherry picked from commit 1d7b9535cd)
(cherry picked from commit 05920dce67)
(cherry picked from commit f173f27d7c)
(cherry picked from commit 90e1c9340e)
(cherry picked from commit de68610ea7)
(cherry picked from commit 8d5757ea04)
(cherry picked from commit c7a7fff316)
(cherry picked from commit 39ac8b8fc1)
(cherry picked from commit 9889203301)
[PRIVACY]: Adjust update checker description
- Resolves #323
- Adjust the description of the update check function on the
installation page to describe the privacy method instead of the HTTP
method by checking gitea.io
(cherry picked from commit 61eae5b105)
(cherry picked from commit 091def20a1)
(cherry picked from commit d5d11bf45a)
(cherry picked from commit 71863d4707)
(cherry picked from commit 11ece4aab1)
(cherry picked from commit afdd7e714f)
(cherry picked from commit 39170e2f1d)
(cherry picked from commit 4b3a52aab8)
(cherry picked from commit 9d763c5fc8)
(cherry picked from commit 638db15482)
(cherry picked from commit a52bfdd8e7)
(cherry picked from commit dc93d00e85)
(cherry picked from commit 0bc4b3508c)
(cherry picked from commit 59e524d58644720258bcabe9037cfc072e8f1250)
(cherry picked from commit 329ab6e934)
(cherry picked from commit 44996655e9)
(cherry picked from commit 2e0e12bb19)
(cherry picked from commit d0e780d6d7)
(cherry picked from commit de394c7c50)
(cherry picked from commit 3c26d0fd87)
(cherry picked from commit 560424a23a)
- This is being disabled as it will weekly connect to a domain.
- This only affects existing installations, as new installations will
have a explicit value being written into app.ini due to https://github.com/go-gitea/gitea/pull/21655
(cherry picked from commit cd0b8b6852)
(cherry picked from commit 58d43867ca)
(cherry picked from commit f290b91e50)
(cherry picked from commit 5bd6d75554)
(cherry picked from commit e5d0abb592)
(cherry picked from commit 4b381ce77e)
(cherry picked from commit b6a9b1390d)
(cherry picked from commit 3674362871)
(cherry picked from commit af0f606fc1)
(cherry picked from commit 49560da6fb)
(cherry picked from commit ca06e27c5b)
(cherry picked from commit 163df86df5)
(cherry picked from commit 0391c6ae42)
(cherry picked from commit f282f2d42f)
(cherry picked from commit 68d31cf247)
(cherry picked from commit cfd4a479e9)
(cherry picked from commit add969bdf6)
(cherry picked from commit c0f3f1f1e7)
(cherry picked from commit f11dca9090)
(cherry picked from commit 283810387f)
(cherry picked from commit 08af1f0ea8)
(cherry picked from commit 1c1a6da319)
(cherry picked from commit c1444bae65)
(cherry picked from commit 6361df634b)
(cherry picked from commit cc8bb3f946)
(cherry picked from commit c7ae4411fd)
(cherry picked from commit f73f4eef02)
(cherry picked from commit 2122896e85)
(cherry picked from commit d469c99671)
(cherry picked from commit 41dbbd731e)
(cherry picked from commit e8e742b437)
(cherry picked from commit 0fa9f87b5f)
(cherry picked from commit 870645b963)
(cherry picked from commit 532a5860eb)
(cherry picked from commit 275c671d5f)
(cherry picked from commit 2cec78e493)
(cherry picked from commit 10ab0befd7)
(cherry picked from commit a0a0c0adaf)
(cherry picked from commit 9f0a37e405)
This field adds the possibility to set the update date when modifying
an issue through the API.
A 'NoAutoDate' in-memory field is added in the Issue struct.
If the update_at field is set, NoAutoDate is set to true and the
Issue's UpdatedUnix field is filled.
That information is passed down to the functions that actually updates
the database, which have been modified to not auto update dates if
requested.
A guard is added to the 'EditIssue' API call, to checks that the
udpate_at date is between the issue's creation date and the current
date (to avoid 'malicious' changes). It also limits the new feature
to project's owners and admins.
(cherry picked from commit c524d33402)
Add a SetIssueUpdateDate() function in services/issue.go
That function is used by some API calls to set the NoAutoDate and
UpdatedUnix fields of an Issue if an updated_at date is provided.
(cherry picked from commit f061caa655)
Add an updated_at field to the API calls related to Issue's Labels.
The update date is applied to the issue's comment created to inform
about the modification of the issue's labels.
(cherry picked from commit ea36cf80f5)
Add an updated_at field to the API call for issue's attachment creation
The update date is applied to the issue's comment created to inform
about the modification of the issue's content, and is set as the
asset creation date.
(cherry picked from commit 96150971ca)
Checking Issue changes, with and without providing an updated_at date
Those unit tests are added:
- TestAPIEditIssueWithAutoDate
- TestAPIEditIssueWithNoAutoDate
- TestAPIAddIssueLabelsWithAutoDate
- TestAPIAddIssueLabelsWithNoAutoDate
- TestAPICreateIssueAttachmentWithAutoDate
- TestAPICreateIssueAttachmentWithNoAutoDate
(cherry picked from commit 4926a5d7a2)
Add an updated_at field to the API call for issue's comment creation
The update date is used as the comment creation date, and is applied to
the issue as the update creation date.
(cherry picked from commit 76c8faecdc)
Add an updated_at field to the API call for issue's comment edition
The update date is used as the comment update date, and is applied to
the issue as an update date.
(cherry picked from commit cf787ad7fd)
Add an updated_at field to the API call for comment's attachment creation
The update date is applied to the comment, and is set as the asset
creation date.
(cherry picked from commit 1e4ff424d3)
Checking Comment changes, with and without providing an updated_at date
Those unit tests are added:
- TestAPICreateCommentWithAutoDate
- TestAPICreateCommentWithNoAutoDate
- TestAPIEditCommentWithAutoDate
- TestAPIEditCommentWithNoAutoDate
- TestAPICreateCommentAttachmentWithAutoDate
- TestAPICreateCommentAttachmentWithNoAutoDate
(cherry picked from commit da932152f1)
Pettier code to set the update time of comments
Now uses sess.AllCols().NoAutoToime().SetExpr("updated_unix", ...)
XORM is smart enough to compose one single SQL UPDATE which all
columns + updated_unix.
(cherry picked from commit 1f6a42808d)
Issue edition: Keep the max of the milestone and issue update dates.
When editing an issue via the API, an updated_at date can be provided.
If the EditIssue call changes the issue's milestone, the milestone's
update date is to be changed accordingly, but only with a greater
value.
This ensures that a milestone's update date is the max of all issue's
update dates.
(cherry picked from commit 8f22ea182e)
Rewrite the 'AutoDate' tests using subtests
Also add a test to check the permissions to set a date, and a test
to check update dates on milestones.
The tests related to 'AutoDate' are:
- TestAPIEditIssueAutoDate
- TestAPIAddIssueLabelsAutoDate
- TestAPIEditIssueMilestoneAutoDate
- TestAPICreateIssueAttachmentAutoDate
- TestAPICreateCommentAutoDate
- TestAPIEditCommentWithDate
- TestAPICreateCommentAttachmentAutoDate
(cherry picked from commit 961fd13c55)
(cherry picked from commit d52f4eea44)
(cherry picked from commit 3540ea2a43)
Conflicts:
services/issue/issue.go
https://codeberg.org/forgejo/forgejo/pulls/1415
(cherry picked from commit 56720ade00)
Conflicts:
routers/api/v1/repo/issue_label.go
https://codeberg.org/forgejo/forgejo/pulls/1462
(cherry picked from commit 47c78927d6)
(cherry picked from commit 2030f3b965)
(cherry picked from commit f02aeb7698)
(cherry picked from commit 2e43e49961)
(cherry picked from commit 3bfb6cc1c0)
(cherry picked from commit 38918d5f5c)
(cherry picked from commit 174f6ac345)
(cherry picked from commit 08a2bed45d)
Backport #27915 by @KN4CK3R
Fixes #27819
We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Backport #27902 by @earl-warren
- On user deletion, delete action runners that the user has created.
- Add a database consistency check to remove action runners that have
nonexistent belonging owner.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1720
(cherry picked from commit 009ca7223d)
Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Backport #27887 by @Zettat123
We should not use `asset.ID` in DownloadFunc because DownloadFunc is a
closure.
1bf5527eac/services/migrations/gitea_downloader.go (L284-L295)
A similar bug when migrating from GitHub has been fixed in #14703. This
PR fixes the bug when migrating from Gitea and GitLab.
Co-authored-by: Zettat123 <zettat123@gmail.com>
Backport #27856
The only conflict is `ThemeName` in `500.tmpl`, it has been resolved
manually by keeping using old
`{{.SignedUser.Theme}}{{else}}{{DefaultTheme}}`
Backport #27787 by @KN4CK3R
Add missing `.Close()` calls. The current code does not delete the
temporary files if the data grows over 32mb.
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Backport #27266 by @merlleu
Hello there,
Cargo Index over HTTP is now prefered over git for package updates: we
should not force users who do not need the GIT repo to have the repo
created/updated on each publish (it can still be created in the packages
settings).
The current behavior when publishing is to check if the repo exist and
create it on the fly if not, then update it's content.
Cargo HTTP Index does not rely on the repo itself so this will be
useless for everyone not using the git protocol for cargo registry.
This PR only disable the creation on the fly of the repo when publishing
a crate.
This is linked to #26844 (error 500 when trying to publish a crate if
user is missing write access to the repo) because it's now optional.
Co-authored-by: merlleu <r.langdorph@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Backport #27655 by @wolfogre
When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.
But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.
This PR fixes it by:
- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.
Co-authored-by: Jason Song <i@wolfogre.com>