- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- ResolvesCodeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7143
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Encapsulates the federation server counterpart & makes the test more configurable.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7115
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
The error handled might be non-nil only when format is bad, which is 400 (Bad Request)
Fixes#7026
Signed-off-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7029
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Co-committed-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
This adds links to download a directory as archive. This can be useful if you e.g. just want to download a assets directory instead of the full source tree. The logic already exists in the backend, so only the frontend had been changed.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4736
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-committed-by: JakobDev <jakobdev@gmx.de>
It is shown when there's no activity in the feed.
This is a partial implementation of https://github.com/go-gitea/gitea/pull/32990.
Differences:
* drawer icon instead of package icon
* h2 instead of h3
* explore links include a link to organizations list
* explore links are hidden for hidden explore sections
* locales are in JSON, I think it's the time to start using it, the hint is simpler and doesn't lie about following users to get their updates in the feed, which isn't a feature yet
* hint uses general hint color instead of input placeholder color
* the large icon still uses placeholder color, but I think it's ok
Things to improve later:
* use 24px variant of icon. This will require reworking `tools/generate-svg.js`
* the vue part wasn't ported, but it'd be also nice to have
Inspired-by: Kerwin Bryant <kerwin612@qq.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7030
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
closes#6909
related to forgejo/design#14
# Description
Adds the following boolean operators for issues when using an indexer (with minor caveats)
- `+term`: `term` MUST be present for any result
- `-term`: negation; exclude results that contain `term`
- `"this is a term"`: matches the exact phrase `this is a term`
In all cases the special characters may be escaped by the prefix `\`
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6952
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Co-committed-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
- adds the `toml` plugin to the `eslint` linting → expect to have `options/setting/config.toml` by #6862
- fixes `make lint-codespell` commands
- related concerning `codespell`: #3270
- info: codespell check is and was not activated in the workflows (could maybe, runs only few seconds on my system)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7007
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Co-committed-by: Robert Wolff <mahlzahn@posteo.de>
- Some endpoints (`/api/v1/repos/*/*/raw`, `/api/v1/repos/*/*/media`, ...;
anything that uses both `context.ReferencesGitRepo()` and
`context.RepoRefForAPI` really) returned a 500 when the repository was
completely empty. This resulted in some confusion in
https://github.com/datalad/datalad-usage-dashboard/issues/47 because the
same request for a non-existent file in a repository could sometimes
generate a 404 and sometimes a 500, depending on if the git repository
is initialized at all or not.
Returning a 404 is more appropriate here, since this isn't an
unexpected internal error, but just another way of not finding the
requested data.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7003
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Matthias Riße <m.risse@fz-juelich.de>
Co-committed-by: Matthias Riße <m.risse@fz-juelich.de>
- 1ce33aa38d extended the LTA table with a purpose column so it could be extended to other tokens. However some are single-use tokens and should be deleted after use.
- This did not result in a good UX for activating user as they needed to also fill in their passwords and in the case that the password was incorrect the token would no longer be usable.
- This patch modifies the code to allow for a little delay before deleting authorization tokens to do additional verification such as the password check. This cannot be done before the authorization token check as that the authorization token determines who the user is.
- Resolvesforgejo/forgejo#6912
- Adjusted existing unit test.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6937
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
This commit contains UI changes, tests and migrations for a feature
that lets users optionally hide their pronouns from the general
public. This is useful if a person wants to disclose that
information to a smaller set of people on a local instance
belonging to a local community/association.
Co-authored-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6773
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Co-committed-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
- Make it such that `[service].ENABLE_INTERNAL_SIGNIN = false` disables the forgotten password prompt on the login page.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6680
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: davrot <davrot@noreply.codeberg.org>
Co-committed-by: davrot <davrot@noreply.codeberg.org>
- Use a 404 error when the issue not found instead of returning an internal server error.
- Resolves#4005
- Added integration test.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6885
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: ThomasBoom89 <thomasboom89@noreply.codeberg.org>
Co-committed-by: ThomasBoom89 <thomasboom89@noreply.codeberg.org>
Followup to https://codeberg.org/forgejo/forgejo/pulls/6422, resolving issue reported by @SomeTr on Weblate.
When reviewing that PR I assumed that org settings UI also references the name as "Username", but now I checked it and it's actually "Organization name".
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6882
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
Add a "No data available" message to be displayed when the list has no
data. This improves the user experience by providing clear feedback in
an empty state.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit a52720b5b4da3e324034312f7fe1e29fd22686cc)
- Instead of checking the login name (which is not set in most cases and really the wrong thing to do here just like it is case sensitive) simply check that the requested user has the same ID as the doer.
- Resolvesforgejo/forgejo#6837
- Add integration test.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6856
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
When migrations are disabled via `[repository].DISABLE_MIGRATIONS = true`, on organisation pages next to the 'New repository' button, the 'New migration' button is still shown.
This is caused by a logic error in the templates: instead of checking for disabled migrations, it checks for disabled pull mirrors. This patch fixes that to use `DisableMigrations` instead of `DisableNewPullMirrors`.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6851
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Daniel Baumann <daniel@debian.org>
Co-committed-by: Daniel Baumann <daniel@debian.org>
- When you use a link in a heading such as `# [Text](link)` (instead of the conventional `# Text`) the TOC should only show `Text` and not `[Text](link)`.
- Use the `mdutil.Text` to only get the text from actual text nodes and not the text that was provided in the markdown input.
- Regression of e2fddcf681
- Resolvesforgejo/forgejo#6847
- Added integration test.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6853
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Exhaustively test each combination of deleting and updating a action
runner via the web route. Although updating an action runner was not
impacted, its good to have a test nonetheless.
Previously an anonymous GET request to e.g.
https://codeberg.org/forgejo/forgejo/HEAD was allowed, as GET requests
are considered pulls and those don't need authentication for a public
repository, but a HEAD request to the same URL was rejected with a 401.
Since the result of a HEAD request is a subset of the result of a GET
request it is safe to allow HEAD as well.
This isn't really a practical issue for Forgejo itself, but I have encountered this in https://codeberg.org/forgejo-aneksajo/forgejo-aneksajo/issues/40. Since the fix isn't git-annex specific I am proposing it here.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [X] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6750
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Matthias Riße <m.risse@fz-juelich.de>
Co-committed-by: Matthias Riße <m.risse@fz-juelich.de>
This PR adds a small icon link to the file history list to open the diff for *only* this file in the respective commit. This is very useful if the commit in question touches a very large amount of files and finding the actual file in the diff is tedious.
- fixes#6596
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6599
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Yann Büchau <nobodyinperson@posteo.de>
Co-committed-by: Yann Büchau <nobodyinperson@posteo.de>
Currently on every pull request Ghost would have a misleading "First-time contributor" role.
Also, if the issue author is a Ghost, all other ghosts who commented will be labeled as authors even if they are different ghosts.
I've added a missing check to abort all other permission and contribution checks early if the user is a ghost. Also applies to other system users, as suggested by @earl-warren.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6766
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
- Make the author search in the issues and pull request list case
insenstive.
- Background: Forgejo mandates that all columns are case senstive and
only SQLite ignores this for ASCII characters with the `LIKE` operator
any other database will indeed do case senstive searching. Codeberg
recently made all columns case senstive, hence why this issue now surfaces.
- Added integration test.
- Resolvesforgejo/forgejo#6744
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6782
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- Instead of getting the default branch of the 'code' repository, get the default branch of the wiki repository.
- It's a bug of forgejo/forgejo#2264, likely caused by the confusion between `gitrepo` (the package name) and `gitRepo` (the git repo for the just migrated wiki repository).
- Adjusted existing integration test.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6754
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
This adds an endpoint (`/orgs/{org}/rename`) to rename organizations.
I've modeled the endpoint using the rename user endpoint --
`/admin/users/{username}/rename` -- as base.
It is the 1st time I wrote a new API endpoint (I've tried to follow the
rename users endpoint code while writing it). So feel free to ping me if
there is something wrong or missing.
Resolves#32995
---------
Signed-off-by: Bruno Sofiato <bruno.sofiato@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 040c830dec5c727a56d16df62b1673bce6fca645)
Conflicts:
routers/api/v1/admin/user.go
ignore this unrelated change
templates/swagger/v1_json.tmpl
regenerate
tests/integration/api_org_test.go
port as a standalone test instead of refactoring the tests
* disable the "Finish review" button on PR/files page for archived repos - trying to review PRs in such repos results in JS error
* wrap the button in a div and move tooltips here to make them actually display on a disabled button - currently they do not
* added simple testing
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6729
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
- Currently, the explore/organizations page always defaults to using "newest" as its sort. Instead, use the pre-existing config option (`setting.UI.ExploreDefaultSort`) so server administrators can change the default sort order.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6708
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: John Moon <john.moon@vts-i.com>
Co-committed-by: John Moon <john.moon@vts-i.com>
- #6727 added this test and #6726 modified it to also include webauthn
users. The former was not rebased on the latter when it was merged.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6738
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- Don't make an extra database call to gather the 2FA status of the users returned from the search. Only load it for the admin's user list page.
- Integration testing added.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6727
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- Render the issue titles in dashboard feed in consistent manner, by using the existing `RenderIssueTitle`.
- Added integration tests (not exhaustive for all comment types, but exhaustive enough for the current code where some comment types are grouped together).
- Resolvesforgejo/forgejo#6705
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6715
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Gusted