Commit Graph

19230 Commits

Author SHA1 Message Date
Archer 1b088fade6
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client or relying on other measures to ensure
> that the repeated request comes from the original client and not an
> impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
2024-05-05 12:15:40 +01:00
Kemal Zebari 9cd0441cd3
Catch and handle unallowed file type errors in issue attachment API (#30791)
Before, we would just throw 500 if a user passes an attachment that is
not an allowed type. This commit catches this error and throws a 422
instead since this should be considered a validation error.

(cherry picked from commit 872caa17c0a30d95f85ab75c068d606e07bd10b3)

Conflicts:
	tests/integration/api_comment_attachment_test.go
	tests/integration/api_issue_attachment_test.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
2024-05-05 12:15:40 +01:00
silverwind 396f16e7b2
Add hover outline to heatmap squares (#30828)
Makes it easier to use because you see which square is currently
hovered:

<img width="314" alt="Screenshot 2024-05-02 at 15 38 20"
src="https://github.com/go-gitea/gitea/assets/115237/3a15dad1-2259-4f28-9fae-5cf6ad3d8798">

I did try a `scoped` style for this, but that did not work for some
reason.

(cherry picked from commit 6f89d5e3a0886d02ead732005f593ae003f78f78)
2024-05-05 12:15:40 +01:00
silverwind fb693442f5
Remove external API calls in `TestPassword` (#30716)
The test had a dependency on `https://api.pwnedpasswords.com` which
caused many failures on CI recently:

```
--- FAIL: TestPassword (2.37s)
    pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
FAIL
coverage: 82.9% of statements
```

(cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d)
2024-05-05 12:15:40 +01:00
wxiaoguang ee97bb17ba
Fix issue card layout (#30800)
Fix #30788

(cherry picked from commit 6ff2acc52c976e9d7bb6a5693f8a2365d12400f5)
2024-05-05 12:15:40 +01:00
wxiaoguang 4e35e5b8ae
Skip gzip for some well-known compressed file types (#30796)
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit be112c1fc30f87a248b30f48e891d1c8c18e8280)

Conflicts:
	routers/web/web.go
	trivial conflict because of https://codeberg.org/forgejo/forgejo/pulls/1533
2024-05-05 12:15:40 +01:00
Kemal Zebari f0e466420a
Don't have `redis-cluster` as possible cache/session adapter in docs (#30794)
This is because it doesn't exist as an adapter. The `redis` adapter
already handles Redis cluster configurations.

Fixes #30534.

(cherry picked from commit f135cb7c9457f7b9bdc43601f44757834573950f)

Conflicts:
	docs/content/administration/config-cheat-sheet.en-us.md
	does not exist in Forgejo
2024-05-05 12:15:40 +01:00
Chester 1a40fe54a6
Add API endpoints for getting action jobs status (#26673)
Sample of the response; it is similar to GitHub Actions.

ref
https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2022-11-28#list-workflow-runs-for-a-repository

```json
{
    "workflow_runs": [
        {
            "id": 3,
            "name": "Explore-Gitea-Actions",
            "head_branch": "main",
            "head_sha": "6d8d29a9f7a01ded8f8aeb64341cb31ee1ab5f19",
            "run_number": 3,
            "event": "push",
            "display_title": "More job",
            "status": "success",
            "workflow_id": "demo2.yaml",
            "url": "/chester/test/actions/runs/3",
            "created_at": "2023-08-22T13:41:33-04:00",
            "updated_at": "2023-08-22T13:41:37-04:00",
            "run_started_at": "2023-08-22T13:41:33-04:00"
        },
        {
            "id": 2,
            "name": "Explore-Gitea-Actions",
            "head_branch": "main",
            "head_sha": "6d8d29a9f7a01ded8f8aeb64341cb31ee1ab5f19",
            "run_number": 2,
            "event": "push",
            "display_title": "More job",
            "status": "success",
            "workflow_id": "demo.yaml",
            "url": "/chester/test/actions/runs/2",
            "created_at": "2023-08-22T13:41:30-04:00",
            "updated_at": "2023-08-22T13:41:33-04:00",
            "run_started_at": "2023-08-22T13:41:30-04:00"
        },
        {
            "id": 1,
            "name": "Explore-Gitea-Actions",
            "head_branch": "main",
            "head_sha": "e5369ab054cae79899ba36e45ee82811a6e0acd5",
            "run_number": 1,
            "event": "push",
            "display_title": "Add job",
            "status": "failure",
            "workflow_id": "demo.yaml",
            "url": "/chester/test/actions/runs/1",
            "created_at": "2023-08-22T13:15:21-04:00",
            "updated_at": "2023-08-22T13:18:10-04:00",
            "run_started_at": "2023-08-22T13:15:21-04:00"
        }
    ],
    "total_count": 3
}
```

---------

Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: puni9869 <80308335+puni9869@users.noreply.github.com>
(cherry picked from commit 6709e28da78a0ea7e63f9fe4e32f620abdc88d14)

Conflicts:
	routers/api/v1/swagger/repo.go
	trivial context conflict
2024-05-05 12:15:40 +01:00
silverwind 9792a377e4
Fix tautological conditions (#30735)
As discovered by https://github.com/go-gitea/gitea/pull/30729.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 610802df85933e7a190a705bc3f7800da87ce868)

Conflicts:
	tests/integration/git_test.go
	trivial conflict because of https://codeberg.org/forgejo/forgejo/pulls/2834
2024-05-05 08:59:40 +01:00
6543 51b8d964c8
Get repo assignees and reviewers should ignore deactivated users (#30770) (#30782)
Backport #30770

If a user is deactivated, they should not be in the list of users who are
suggested to be assigned or review-requested.

Old assignees or reviewers are not affected.

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit f2d8ccc5bb2df25557cc0d4d23f2cdd029358274)

Conflicts:
	models/repo/user_repo_test.go
	because there is one less fixture user compared to Gitea
2024-05-05 08:53:27 +01:00
Zettat123 60e5825579
Fix duplicate status check contexts (#30660)
Caused by #30076.

There may be some duplicate status check contexts when setting status
checks for a branch protection rule. The duplicate contexts should be
removed.

Before:
<img
src="https://github.com/go-gitea/gitea/assets/15528715/97f4de2d-4868-47a3-8a99-5a180f9ac0a3"
width="600px" />

After:
<img
src="https://github.com/go-gitea/gitea/assets/15528715/ff7289c5-9793-4090-ba31-e8cb3c85f8a3"
width="600px" />

(cherry picked from commit 7ad50313284db7eec565ad1750108de1444c5a84)
2024-05-05 08:48:45 +01:00
Chongyi Zheng c504461b66
Resolve lint for unused parameter and unnecessary type arguments (#30750)
Resolve all cases for `unused parameter` and `unnecessary type
arguments`

Related: #30729

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit e80466f7349164ce4cf3c07bdac30d736d20f035)

Conflicts:
	modules/markup/markdown/transform_codespan.go
	modules/setting/incoming_email.go
	routers/api/v1/admin/user_badge.go
	routers/private/hook_pre_receive.go
	tests/integration/repo_search_test.go
	resolved by discarding the change, this is linting only and
	for the sake of avoiding future conflicts
2024-05-05 08:38:16 +01:00
Micash b8e7b3941a
Add support for npm bundleDependencies (#30751)
(cherry picked from commit ad4e902d5a1430c0c1df18bf404537df5ded1dba)
2024-05-05 08:24:01 +01:00
Sergey Zolotarev 96fd8008cd
Fix cross-compilation errors when CGO_CFLAGS/CGO_LDFLAGS is set (#30749)
When you cross-compile Gitea and you specify one of the environment
variables related to C flags, cgo will fail to build the generator
programs (e.g. generate-bindata) because GOOS and GOARCH are unset, but
those additional flag variables are not unset along with them.

To solve this issue, the simplest way that I've found is to disable cgo
in the `go generate` command as it's not really used there.

For example, I've had this problem with cross-compiling Gitea on FreeBSD
x86_64 to ARMv7 where it's necessary to pass `--target` to `clang` via
`CGO_CFLAGS`:
```sh
GOOS=freebsd \
GOARCH=arm \
GOARM=7 \
CGO_ENABLED=1 \
SYSROOT=/usr/local/freebsd-sysroot/armv7 \
CC=clang \
CGO_CFLAGS="--target=armv7-unknown-freebsd13.2-gnueabihf" \
TAGS="bindata sqlite sqlite_unlock_notify" \
make SHELL='sh -x' build
```

```
Running go generate...
# runtime/cgo
In file included from gcc_freebsd_amd64.c:9:
In file included from /usr/include/signal.h:42:
/usr/include/sys/_ucontext.h:44:2: error: unknown type name 'mcontext_t'
modules/migration/schemas_bindata.go:8: running "go": exit status 1
# runtime/cgo
In file included from gcc_freebsd_amd64.c:9:
In file included from /usr/include/signal.h:42:
/usr/include/sys/_ucontext.h:44:2: error: unknown type name 'mcontext_t'
modules/options/options_bindata.go:8: running "go": exit status 1
# runtime/cgo
In file included from gcc_freebsd_amd64.c:9:
In file included from /usr/include/signal.h:42:
/usr/include/sys/_ucontext.h:44:2: error: unknown type name 'mcontext_t'
modules/public/public_bindata.go:8: running "go": exit status 1
# runtime/cgo
In file included from gcc_freebsd_amd64.c:9:
In file included from /usr/include/signal.h:42:
/usr/include/sys/_ucontext.h:44:2: error: unknown type name 'mcontext_t'
modules/templates/templates_bindata.go:8: running "go": exit status 1
gmake[1]: *** [Makefile:781: generate-go] Error 1
*** Error code 2

Stop.
```

But with this fix Gitea compiles successfully.

(cherry picked from commit d11133b83652238023b52576e0d3e57a4f4b21c9)
2024-05-05 08:23:25 +01:00
GiteaBot 6a4dfc5ba4
[skip ci] Updated licenses and gitignores
(cherry picked from commit e67141756d058045cf64a441255a2042425eda3b)
2024-05-05 08:23:06 +01:00
silverwind 60c78658ef
add built js files to eslint ignore (#30737)
For the rare case that some overzealous tooling wants to lint our output
files.

(cherry picked from commit d89bf3d3ec933c11f4ee7e4e714804d5815afa75)
2024-05-05 08:22:50 +01:00
JakobDev d50efa626a Show repo count in blocked users tab (#3601)
Fixes #3595

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3601
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-committed-by: JakobDev <jakobdev@gmx.de>
2024-05-02 15:51:27 +00:00
Earl Warren 9bc866124b Merge pull request 'Use PostFormValue instead of PostForm.Get' (#3563) from algernon/forgejo:s/Req.PostForm.Get/Req.PostFormValue/g into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3563
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-02 15:48:28 +00:00
Gergely Nagy b08aef967e
Use PostFormValue instead of PostForm.Get
In `repo.RemoveDependency`, use `PostFormValue` instead of
`PostForm.Get`. The latter requires `ParseForm()` to be called prior,
and in this case, has no benefit over `PostFormValue` anyway (which
calls `ParseForm()` if necessary).

While this currently does not cause any issue as far as I can tell, it
feels like a bug lying in wait for the perfect opportunity. Let's squash
it before it can do harm.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-02 10:51:07 +02:00
Earl Warren cd6ae89cd9 Merge pull request 'markup: Allow cross references to contain URL query parameters too' (#3584) from algernon/forgejo:a-capture-group-a-day-keeps-the-query-params-away into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3584
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-02 01:15:35 +00:00
Gergely Nagy 8164ef9762
markup: Allow cross references to contain URL query parameters too
Adjust the `anyHashPattern` to match URL query parameters too, and
adjust `fullHashPatternProcessor` accordingly.

Includes a test case, and an update to an existing one to account for
the new capture group.

Fixes #3548.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 21:14:16 +02:00
0ko d096a21da6 Fix inconsistent required field (#3583)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3583
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-05-01 18:29:42 +00:00
varp0n 4a2959b3ec FIX gogs migration if gogs is hosted at a subpath (#3572)
Also add a test for GogsDownloaderFactory.New() to make sure
that the URL of the source repository is parsed correctly.

When the source gogs instance is hosted at a subpath like `https://git.example.com/gogs/<username>/<reponame>` the migration fails.
This PR fixes that.

Co-authored-by: hecker <tomas.hecker@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3572
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: varp0n <tom@gkstn.de>
Co-committed-by: varp0n <tom@gkstn.de>
2024-05-01 16:28:44 +00:00
Earl Warren c6cc1430a9 Merge pull request 'docs(release-notes): 7.0.2' (#3561) from earl-warren/forgejo:wip-release-notes-v7.0 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3561
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-05-01 12:59:00 +00:00
Earl Warren a050b546b9
[skip ci] docs(release-notes): 7.0.2
2024-05-01 14:22:18 +02:00
Earl Warren 39732d74c9 Merge pull request 'Fix Issue watching / unwatching on the web ui' (#3562) from algernon/forgejo:vogon-poetry into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3562
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: crystal <crystal@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 10:35:48 +00:00
Gergely Nagy 21911bfe57
Add a test case for unsubscribing from an issue
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 11:06:38 +02:00
Gergely Nagy 8cc5d5dc78
tests: Support creating a declarative repo without AutoInit
To be able to easily test cases where the repository does not have any
code, where the git repo itself is completely uninitialized, let's
support a case where the `AutoInit` property is false.

For the sake of backwards compatibility, if the option is not set either
way, it will default to `true`.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 11:06:38 +02:00
Gergely Nagy 632a274b8f
Fix Issue watching / unwatching on the web ui
When subscribing or unsubscribing to/from an issue on the web ui, the
request was posted to a route handled by `repo.IssueWatch`. This
function used `ctx.Req.PostForm.Get()`, erroneously.

`request.PostForm` is *only* available if `request.ParseForm()` has been
called before it. The function in question did not do that. Under some
circumstances, something, somewhere did end up calling `ParseForm()`,
but not in every scenario.

Since we do not need to check for multiple values, the easiest fix here
is to use `ctx.Req.PostFormValue`, which will call `ParseForm()` if
necessary.

Fixes #3516.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 11:04:54 +02:00
Earl Warren 97ef18db65 Merge pull request 'Update dependency vue to v3.4.26' (#3439) from renovate/vue-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3439
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 08:08:52 +00:00
Earl Warren f11957b8f4
chore(renovate): vue patch releases can be automerged
2024-05-01 09:32:01 +02:00
Renovate Bot bb5395cd29
Update dependency vue to v3.4.26
2024-05-01 09:30:24 +02:00
Earl Warren 0978095a37 Merge pull request 'Update ghcr.io/visualon/renovate Docker tag to v37.330.1' (#3490) from renovate/ghcr.io-visualon-renovate-37.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3490
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 07:26:21 +00:00
Earl Warren cf16782338 Merge pull request 'Update dependency dayjs to v1.11.11' (#3545) from renovate/dayjs-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3545
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-05-01 07:25:09 +00:00
Earl Warren 8f93ac7e7a Merge pull request 'feat: UI: use full screen height for displaying pdf files' (#3434) from Beowulf/forgejo:full-screen-height-pdf into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3434
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 07:03:15 +00:00
Earl Warren 756bb7f6e1 Merge pull request 'UI: Actions: Replace runs list description semicolon' (#3534) from n0toose/settings/runs-list-colon-brist into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3534
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 06:59:53 +00:00
Earl Warren ee52a8e805 Merge pull request '[I18N] Fix tepository->repository typo' (#3539) from proton-ab/forgejo:patch-1 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3539
Reviewed-by: Otto <otto@codeberg.org>
2024-05-01 06:58:48 +00:00
Earl Warren a454954bd0 Merge pull request 'Update dependency vitest to v1.5.3' (#3576) from renovate/vitest-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3576
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 06:37:39 +00:00
Renovate Bot 9a581e70a1
Update dependency vitest to v1.5.3
2024-05-01 06:03:44 +00:00
Renovate Bot 15978d4d07
Update ghcr.io/visualon/renovate Docker tag to v37.330.1
2024-05-01 06:02:32 +00:00
Earl Warren 288747c660 Merge pull request 'Fix SQL command with too many placeholders' (#3570) from algernon/forgejo:many-question-marks-handle-it into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3570
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 05:24:08 +00:00
Gergely Nagy 33cd8446d3
Performance improvement for FindReposLastestCommitStatuses
If `commitstatus_service.FindReposLastestCommitStatuses` receives no
repos in its params, short-circuit, and return early, without performing
any potentially expensive work.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 00:34:48 +02:00
Gergely Nagy 0d029ebe6d
Fix git_model.FindBranchesByRepoAndBranchName
When a logged-in user with no repositories visits their dashboard, it will
display a search box that lists their own repositories.

This is served by the `repo.SearchRepos` handler, which in turn calls
`commitstatus_service.FindReposLastestCommitStatuses()` with an empty
repo list.

That, in turn, will call `git_model.FindBranchesByRepoAndBranchName()`,
with an empty map. With no map, `FindBranchesByRepoAndBranchName()` ends
up querying the entire `branch` table, because no conditions were set
up.

Armed with a gazillion repo & commit shas, we return to
`FindReposLastestCommitStatuses`, and promptly call
`git_model.GetLatestCommitStatusForPairs`, which constructs a monstrous
query with so many placeholders that the database tells us to go
somewhere else, and flips us off. At least on instances the size of
Codeberg. On smaller instances, it will eventually return, and throw
away all the data, and return an empty set, having performed all this
for naught.

We fix this by short-circuiting `FindBranchesByRepoAndBranchName`, and
returning fast if our inputs are empty.

A test case is included.

Fixes #3521.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 00:34:39 +02:00
0ko abcb23a838 Merge pull request 'Cumulative English locale improvements' (#3266) from 0ko/forgejo:i18n-20240416 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3266
Reviewed-by: Otto <otto@codeberg.org>
2024-04-30 14:49:48 +00:00
Earl Warren f7b53ef959 Merge pull request 'Fix user mention processing' (#3565) from algernon/forgejo:call-me-maybe into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3565
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-30 12:24:07 +00:00
Earl Warren 9a3a3feb4c Merge pull request 'Add inline attachments to comments and prevent double handling of mails' (#3504) from Beowulf/forgejo:mail-inline-attachments-not-added-to-comment into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3504
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-30 12:19:42 +00:00
Gergely Nagy 9a01062ae2
Fix user mention processing
When mentioning a user, the markup post-processor did not handle the
case where the mentioned user did not exist well: it tried to skip to
the next node, which in turn, ended up skipping the rest of the line.

To fix this, let's skip just the mentioned but non-existing user, and
continue processing the current node from there.

Fixes #3535.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-30 12:51:30 +02:00
Beowulf 34134df3a7
added release notes
2024-04-30 12:05:22 +02:00
oliverpool 6ba60f61cb Merge pull request 'fix: webhook: send short ref on gitea create/delete payload' (#3558) from oliverpool/forgejo:webhook_gitea_fix into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3558
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-30 09:10:39 +00:00
Beowulf aeb544aff7
added test for reading inline attachments
2024-04-30 10:47:48 +02:00