mirror of
1
Fork 0
Commit Graph

311 Commits

Author SHA1 Message Date
wxiaoguang ecc0107809
Only use supported sort order for "explore/users" page (#29430) (#29443)
Backport #29430

Thanks to inferenceus : some sort orders on the "explore/users" page
could list users by their lastlogintime/updatetime.

It leaks user's activity unintentionally. This PR makes that page only
use "supported" sort orders.

Removing the "sort orders" could also be a good solution, while IMO at
the moment keeping the "create time" and "name" orders is also fine, in
case some users would like to find a target user in the search result,
the "sort order" might help.

(cherry picked from commit 2b059f493e46b8b0fb52492623e36a8375cb5fbb)
2024-03-10 18:45:59 +07:00
Earl Warren 84449e9288 Merge pull request '[BUG] prevent removing session cookie when redirect_uri query contains ://' (#2606) from oliverpool/forgejo:backport2590 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2606
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-03-08 15:07:50 +00:00
oliverpool 20bc8662b1 [BUG] prevent removing session cookie when redirect_uri query contains :// 2024-03-07 22:41:47 +01:00
Gergely Nagy 969d3f4410
Fix `/api/v1/{owner}/{repo}/issue_templates`
Backport of #2292

When issue templates were moved into services in
def4956122, the code was also refactored
and simplified. Unfortunately, that simplification broke the
`/api/v1/{owner}/{repo}/issue_templates` route, because it was
previously using a helper function that ignored invalid templates, and
after the refactor, the function it called *always* returned non-nil as
the second return value. This, in turn, results in the aforementioned
end point always returning an internal server error.

This change restores the previous behaviour of ignoring invalid files
returned by `issue.GetTemplatesFromDefaultBranch`, and adds a few test
cases to exercise the endpoint.

Other users of `GetTemplatesFromDefaultBranch` already ignore the second
return value, or handle it correctly, so no changes are necessary there.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit be8d16438a)
2024-03-07 21:50:27 +01:00
Gusted 5d5059f42c Merge pull request '[BUG] Correct changed files for codeowners' (#2519) from gusted/forgejo-bp-2507 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2519
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 23:18:08 +00:00
Gusted 9b70caf798
[BUG] Correct changed files for codeowners
- Backport of #2507
- The CODEOWNER feature relies on the changed files to determine which
reviewers should be added according to the `CODEOWNER` file.
- The current approach was to 'diff' between the base and head branch,
which seems logical but fail in practice when the pull request is out of
date with the base branch. Therefore it should instead diff between the
head branch and the merge base of the head and base branch, so only the
actual affected files by the pull requests are used, the same approach
is used by the diff of an unmerged pull request.
- Add integration testing (for the feature as well).
- Resolves #2458

(cherry picked from commit fb2795b5bb)
2024-02-28 20:13:20 +01:00
Gusted 9955e38fa2
[BUG] Remember topic only in repo search
- Backport of #2489
- If the user is searching repositories with an specific topic, adding
any other filter option, such as showing unrelevant repositories or
using another sort Forgejo should remember that 'topic only' was set.
- Adds integration test.
- Resolves #2461

(cherry picked from commit b4360d504c)
2024-02-27 23:37:26 +01:00
Gusted d3de80b9cc
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
2024-02-22 15:35:04 +01:00
Gusted 92dae3a387
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
2024-02-22 15:04:11 +01:00
6543 8377ecbfe1
Workaround to clean up old reviews on creating a new one (#28554) (#29264)
close  #28542
backport #28554

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit c01b266d8680a270b1e8067e757ed25be38eea24)
2024-02-20 09:39:02 +01:00
oliverpool 07bc099401 [BUG] split code conversations in diff tab (#2306)
Follow-up of #2282 and #2296 (which tried to address #2278)

One of the issue with the previous PR is that when a conversation on the Files tab was marked as "resolved", it would fetch all the comments for that line (even the outdated ones, which should not be shown on this page - except when explicitly activated).

To properly fix this, I have changed `FetchCodeCommentsByLine` to `FetchCodeConversation`. Its role is to fetch all comments related to a given (review, path, line) and reverted my changes in the template (which were based on a misunderstanding).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2306
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2024-02-16 14:06:43 +01:00
Earl Warren ce96379aef
[ACTIONS] skip superflous pull request synchronized event (#2314)
Skip a HookEventPullRequestSync event if it has the same CommitSHA as an existing HookEventPullRequest event in the ActionRun table. A HookEventPullRequestSync event must only create an ActionRun if the CommitSHA is different from what it was when the PR was open.

This guards against a race that can happen when the following is done in parallel:

* A commit C is pushed to a repo on branch B
* A pull request with head on branch B

it is then possible that the pull request is created first, successfully. The commit that was just pushed is not known yet but the PR only references the repository and the B branch so it is fine.

A HookEventPullRequest event is sent to the notification queue but not processed immediately.

The commit C is pushed and processed successfully. Since the PR already exists and has a head that matches the branch, the head of the PR is updated with the commit C and a HookEventPullRequestSync event is sent to the notification queue.

The HookEventPullRequest event is processed and since the head of the PR was updated to be commit C, an ActionRun with CommitSHA C is created.

The HookEventPullRequestSync event is then processed and also has a CommitSHA equal to C.

Refs: https://codeberg.org/forgejo/forgejo/issues/2009
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2314
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
(cherry picked from commit 7b4dba3aa0)

Conflicts:
	services/actions/notifier_helper.go
	tests/integration/actions_trigger_test.go
	trivial context conficts
	services/actions/main_test.go is different in v1.21
2024-02-13 12:00:27 +01:00
oliverpool d5bb14de66 [GITEA] add test showing bug on resolving invalidated review comment 2024-02-04 12:44:13 +01:00
Giteabot b272224918
Preserve BOM in web editor (#28935) (#28959)
Backport #28935 by @silverwind

The `ToUTF8*` functions were stripping BOM, while BOM is actually valid
in UTF8, so the stripping must be optional depending on use case. This
does:

- Add a options struct to all `ToUTF8*` functions, that by default will
strip BOM to preserve existing behaviour
- Remove `ToUTF8` function, it was dead code
- Rename `ToUTF8WithErr` to `ToUTF8`
- Preserve BOM in Monaco Editor
- Remove a unnecessary newline in the textarea value. Browsers did
ignore it, it seems but it's better not to rely on this behaviour.

Fixes: https://github.com/go-gitea/gitea/issues/28743
Related: https://github.com/go-gitea/gitea/issues/6716 which seems to
have once introduced a mechanism that strips and re-adds the BOM, but
from what I can tell, this mechanism was removed at some point after
that PR.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit b8e6cffd31)
2024-01-31 14:18:26 +01:00
FuXiaoHei d11597a615
Fix uploaded artifacts should be overwritten (#28726) backport v1.21 (#28832)
Backport https://github.com/go-gitea/gitea/pull/28726 by @fuxiaohei

Fix Uploaded artifacts should be overwritten
https://github.com/go-gitea/gitea/issues/28549

When upload different content to uploaded artifact, it checks that
content size is not match in db record with previous artifact size, then
the new artifact is refused.

Now if it finds uploading content size is not matching db record when
receiving chunks, it updates db records to follow the latest size value.

(cherry picked from commit 7f0ce2dfc7)
2024-01-31 14:18:25 +01:00
Giteabot e2620642bd
Prevent anonymous container access if `RequireSignInView` is enabled (#28877) (#28882)
Backport #28877 by @KN4CK3R

Fixes #28875

If `RequireSignInView` is enabled, the ghost user has no access rights.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit b7c944b9e4)
2024-01-31 14:18:25 +01:00
Gusted 3d3790ef4c
[MODERATION] Refactor excluding watchers mechanism (squash)
Backport of #2143

This solves two bugs. One bug is that due to the JOIN with the
`forgejo_blocked_users` table, duplicated users were generated if a user
had more than one user blocked, this lead to receiving more than one
entry in the actions table. The other bug is that if a user blocked more
than one user, it would still receive a action entry by a
blocked user, because the SQL query would not exclude the other
duplicated users that was generated by the JOIN.

The new solution is somewhat non-optimal in my eyes, but it's better
than rewriting the query to become a potential perfomance blocker (usage
of WHERE IN, which cannot be rewritten to a JOIN). It simply removes the
watchers after it was retrieved by the SQL query.

(cherry picked from commit c63c00b39b)
2024-01-22 21:01:08 +01:00
Gusted 3c7a955f05
[GITEA] Fix NPE in `UsernameSubRoute`
- Backport of #1981
- When the user is not found in `reloadparam`, early return when the
user is not found to avoid calling `IsUserVisibleToViewer` which in turn
avoids causing a NPE.
- This fixes the case that a 500 error and 404 error is shown on the
same page.
- Add integration test for non-existant user RSS.
- Regression by c6366089df

(cherry picked from commit f0e0696278)
(cherry picked from commit 75d8066908)
(cherry picked from commit 4d0a1e0637)
(cherry picked from commit 5f40a485da)
(cherry picked from commit c4cb7812e3)
2024-01-18 15:31:04 +01:00
Giteabot 70c7ee5475
Modernize merge button (#28140) (#28786)
Backport #28140 by @earl-warren

- Make use of the `form-fetch-action` for the merge button, which will
automatically prevent the action from happening multiple times and show
a nice loading indicator as user feedback while the merge request is
being processed by the server.
- Adjust the merge PR code to JSON response as this is required for the
`form-fetch-action` functionality.
- Resolves https://codeberg.org/forgejo/forgejo/issues/774
- Likely resolves the cause of
https://codeberg.org/forgejo/forgejo/issues/1688#issuecomment-1313044

(cherry picked from commit 4ec64c19507caefff7ddaad722b1b5792b97cc5a)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit fbf29f29b5)
2024-01-16 14:40:18 +00:00
Jack Hay 0841fb63a1
Require token for GET subscription endpoint (#28765) (#28778)
Backport #28765 for 1.21

(cherry picked from commit 56e722f825)
2024-01-16 14:39:40 +00:00
Giteabot 01285dc47c
Fix incorrect URL for "Reference in New Issue" (#28716) (#28723)
Backport #28716 by wxiaoguang

Gitea prefers to use relative URLs in code (to make multiple domain work
for some users)

So it needs to use `toAbsoluteUrl` to generate a full URL when click
"Reference in New Issues"

And add some comments in the test code

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit def178ce32)

Conflicts:
	tests/integration/issue_test.go
	https://codeberg.org/forgejo/forgejo/issues/2158
2024-01-16 14:37:07 +00:00
Giteabot 0a157ed950
Upgrade xorm to new version which supported update join for all supported databases (#28590) (#28668)
Backport #28590 by @lunny

Fix https://github.com/go-gitea/gitea/pull/28547#issuecomment-1867740842

Since https://gitea.com/xorm/xorm/pulls/2383 merged, xorm now supports
UPDATE JOIN.
To keep consistent from different databases, xorm use
`engine.Join().Update`, but the actural generated SQL are different
between different databases.

For MySQL, it's `UPDATE talbe1 JOIN table2 ON join_conditions SET xxx
Where xxx`.

For MSSQL, it's `UPDATE table1 SET xxx FROM TABLE1, TABLE2 WHERE
join_conditions`.

For SQLITE per https://www.sqlite.org/lang_update.html, sqlite support
`UPDATE table1 SET xxx FROM table2 WHERE join conditions` from
3.33.0(2020-8-14).

POSTGRES is the same as SQLITE.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 18da3f8483)
2024-01-16 14:16:55 +00:00
Gusted fe3b294f7b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit eff097448b)

[GITEA] rework long-term authentication (squash) add migration

Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
(cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc)
(cherry picked from commit d8bc98a8f0)
(cherry picked from commit 6404845df9)
(cherry picked from commit 72bdd4f3b9)
(cherry picked from commit 4b01bb0ce8)
(cherry picked from commit c26ac31816)
(cherry picked from commit 8d2dab94a6)

Conflicts:
	routers/web/auth/auth.go
	https://codeberg.org/forgejo/forgejo/issues/2158
2024-01-16 14:14:46 +00:00
Earl Warren d694579bdf
Revert "[GITEA] rework long-term authentication"
This reverts commit 8d2dab94a6.
2024-01-16 14:11:28 +00:00
Gusted 120294c44e
[GITEA] Use maintained gziphandler
- https://github.com/NYTimes/gziphandler doesn't seems to be maintained
anymore and Forgejo already includes
https://github.com/klauspost/compress which provides a maintained and
faster gzip handler fork.
- Enables Jitter to prevent BREACH attacks, as this *seems* to be
possible in the context of Forgejo.

(cherry picked from commit cc2847241d)
(cherry picked from commit 99ba56a876)

Conflicts:
	go.sum
	https://codeberg.org/forgejo/forgejo/pulls/1581
(cherry picked from commit 711638193d)
(cherry picked from commit 9c12a37fde)
(cherry picked from commit 91191aaaed)
(cherry picked from commit 72be417f84)
(cherry picked from commit 98497c84da)
(cherry picked from commit fba042adb5)
(cherry picked from commit dd2414f226)

Conflicts:
	routers/web/web.go
	https://codeberg.org/forgejo/forgejo/issues/2016
2024-01-16 14:09:55 +00:00
wxiaoguang 265cd70bdb
Refactor CORS handler (#28587) (#28611)
Backport #28587, the only conflict is the test file.

The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098

(cherry picked from commit 7a2786ca6c)
2024-01-16 14:08:38 +00:00
Earl Warren 0b872a403d
Revert "[GITEA] Use maintained gziphandler"
This reverts commit dd2414f226.
2024-01-16 14:08:31 +00:00
Earl Warren b856b108e9
Revert "[GITEA] Make reference URL absolute"
This reverts commit a8ce03660f.
2024-01-16 13:42:39 +00:00
Gergely Nagy 49efd192e9
tests: More testing in TestDatabaseMissingABranch
In the `TestDatabaseMissingABranch` testcase, make sure that the
branches are in sync between the db and git before deleting a branch via
git, then compare the branch count from the web UI, making sure that it
returns an out-of-sync value first, and the correct one after another
sync.

This is currently tested by scraping the UI, and relies on the fact that
the branch counter is out of date before syncing. If that issue gets
resolved, we'll have to adjust the test to verify the sync another way.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-01-15 00:15:24 +01:00
Gergely Nagy 754f97b1e2
tests: Add a testcase for missing branches
This tests the scenario reported in Codeberg/Community#1408: a branch
that is recorded in the database, but missing on disk was causing
internal server errors. With recent changes, that is no longer the case,
the error is logged and then ignored.

This test case tests this behaviour, that the repo's branches page on
the web UI functions even if the git branch is missing.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-01-15 00:15:22 +01:00
Gusted ab1ccc55dc
[GITEA] Fix panic in `canSoftDeleteContentHistory`
- Backport of #2134
- It's possible that `canSoftDeleteContentHistory` is called without
`ctx.Doer` being set, such as an anonymous user requesting the
`/content-history/detail` endpoint.
- Add a simple condition to always set to `canSoftDelete` to false if an
anonymous user is requesting this, this avoids a panic in the code that
assumes `ctx.Doer` is set.
- Added integration testing.

(cherry picked from commit 0b5db0dcc6)
2024-01-13 22:05:35 +01:00
Gusted 316b633e62 Merge pull request '[GITEA] Make reference URL absolute' (#2104) from gusted/forgejo-bp-2100 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2104
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-01-06 19:49:11 +00:00
Gusted a8ce03660f
[GITEA] Make reference URL absolute
- Backport of #2100
- Make the reference URL in the "Reference in New issue" feature
absolute again as it wouldn't render as a link otherwise.
- Adds integration test.
- Regression by 769be877f2
- Resolves #2012

(cherry picked from commit c74bae2897)
2024-01-06 20:16:52 +01:00
Gusted b473a44a2b
[GITEA] Check for Commit in opengraph
- Backport of #2094
- It's possible that `PageIsDiff` is set but not `Commit` resulting in a
NPE in the template. This can happen when the requested commit doesn't exist.
- Regression of c802c46a9b &
5743d7cb5b
- Added 'hacky' integration test.

(cherry picked from commit 8db2d5e4a7)
2024-01-05 14:26:20 +01:00
Gusted 0fbf761d19
[GITEA] Handle non-existant commit in Archive request
- When a user requests a archive of a non-existant commit
`git.ErrNotExist` is returned, but was not gracefully handled resulting
in a 500 error.
- Doesn't exist in v1.22 due to it being refactored away in
cbf923e87b
- Adds integration test.
2024-01-04 23:56:33 +01:00
Gusted cbe94214e9 [GITEA] Remove redundant `syncBranchToDB`
- The transaction in combination with Git push was causing deadlocks if
you had the `push_update` queue set to `immediate`. This was the root
cause of slow integration tests in CI.
- Remove the sync branch code as this is already being done in the Git
post-receive hook.
- Add tests to proof the branch models are in sync even with this code
removed.

Backport of https://codeberg.org/forgejo/forgejo/pulls/1962

(cherry picked from commit a064065cb9)
2023-12-21 11:07:41 +00:00
Lunny Xiao 3b672c9791
Do some missing checks (#28423) (#28432)
backport #28423

(cherry picked from commit 265f485295)
2023-12-12 15:21:33 +01:00
Lunny Xiao 14750f3d11
Also sync DB branches on push if necessary (#28361) (#28403)
Fix #28056
Backport #28361

This PR will check whether the repo has zero branch when pushing a
branch. If that, it means this repository hasn't been synced.

The reason caused that is after user upgrade from v1.20 -> v1.21, he
just push branches without visit the repository user interface. Because
all repositories routers will check whether a branches sync is necessary
but push has not such check.

For every repository, it has two states, synced or not synced. If there
is zero branch for a repository, then it will be assumed as non-sync
state. Otherwise, it's synced state. So if we think it's synced, we just
need to update branch/insert new branch. Otherwise do a full sync. So
that, for every push, there will be almost no extra load added. It's
high performance than yours.

For the implementation, we in fact will try to update the branch first,
if updated success with affect records > 0, then all are done. Because
that means the branch has been in the database. If no record is
affected, that means the branch does not exist in database. So there are
two possibilities. One is this is a new branch, then we just need to
insert the record. Another is the branches haven't been synced, then we
need to sync all the branches into database.

(cherry picked from commit 87db4a47c8)
2023-12-12 15:21:33 +01:00
Earl Warren 4148fb27db
[GITEA] GetScheduledMergeByPullID may involve a system user
Refs: https://codeberg.org/forgejo/forgejo/issues/1897
(cherry picked from commit ddc3c22558)
2023-12-11 18:43:03 +01:00
Giteabot ce3a24ef5f
Add `HEAD` support for rpm repo files (#28309) (#28360)
Backport #28309 by @KN4CK3R

Fixes https://codeberg.org/forgejo/forgejo/issues/1810

zypper uses HEAD requests to check file existence.

https://github.com/openSUSE/libzypp/blob/HEAD/zypp/RepoManager.cc#L2549

https://github.com/openSUSE/libzypp/blob/HEAD/zypp-curl/ng/network/private/downloaderstates/basicdownloader_p.cc#L116

@ExplodingDragon fyi

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 5105d2093c)
2023-12-08 13:41:16 +01:00
Gusted 114f18f105
[GITEA] Make pagination test more robust (squash)
- Backport #1882
- Be more specific of which element we want and also don't include the
href into the selector, so if the value changes, it will show the value
that was rendered.
- Ensure stable order of passed repository IDs.
- Resolves codeberg.org/forgejo/forgejo/issues/1880

(cherry picked from commit 79bc4cffe5)
2023-12-05 18:47:19 +01:00
Gusted 2552bb7b6e [GITEA] Only pass selected repository IDs to pagination
- Backport of https://codeberg.org/forgejo/forgejo/pulls/1848
- `ReposParam` is passed to the pagination as value for the `repos`
query. It should paginate to other pages with only the selected
repositories, which was currently not the case, but was already the case
for the links in the selectable items.
- Fix the wrong value being passed for issues/pulls lists.
- Fix the formatting of repository query value for milestones lists.
- Added integration testing.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1836

(cherry picked from commit c648e5ab3a)
2023-12-01 19:59:21 +00:00
Gergely Nagy 1fea3ce659 [GITEA] new doctor check: fix-push-mirrors-without-git-remote (#1853)
Same as https://codeberg.org/forgejo/forgejo/pulls/1853, backported to v1.21/forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1864
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2023-12-01 13:56:03 +00:00
Antonin Delpeuch e6fb2107f2 [GITEA] oauth2: use link_account page when email/username is missing (#1757)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1757
Co-authored-by: Antonin Delpeuch <antonin@delpeuch.eu>
Co-committed-by: Antonin Delpeuch <antonin@delpeuch.eu>
(cherry picked from commit 0f6e0f9035)
2023-11-30 15:40:12 +01:00
Loïc Dachary ab7e649668
test GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit 888dda12cf9bc95f9ef85ba5a518cf40152e07ea)
(cherry picked from commit aceeca55da)
2023-11-26 14:12:06 +01:00
Loïc Dachary e140c5c983
test POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
(cherry picked from commit 65b942fa1e)
2023-11-26 14:11:46 +01:00
Loïc Dachary 68da5a9cd8
test POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit 78dcbb62fe87abe044034d880c9e8c22b44c2c98)
(cherry picked from commit 6707c08c17)
2023-11-26 14:11:03 +01:00
Lunny Xiao f4310d74ee
Fix comment permissions (#28213) (#28216)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit bc3d8bff73)
2023-11-26 13:56:50 +01:00
Earl Warren e672322ca8
[MODERATION] User blocking (squash) do not use shared fixture
It conflicts with a fixtured added in the commit
Fix comment permissions (#28213) (#28216)
2023-11-26 13:56:00 +01:00
Giteabot 702ef8d12f
Fix permissions for Token DELETE endpoint to match GET and POST (#27610) (#28099)
Backport #27610 by @evantobin

Fixes #27598

In #27080, the logic for the tokens endpoints were updated to allow
admins to create and view tokens in other accounts. However, the same
functionality was not added to the DELETE endpoint. This PR makes the
DELETE endpoint function the same as the other token endpoints and adds
unit tests

Co-authored-by: Evan Tobin <me@evantob.in>
(cherry picked from commit 93ede4bc83)
2023-11-22 17:12:11 +01:00