mirror of
1
Fork 0
Commit Graph

19218 Commits

Author SHA1 Message Date
Mai-Lapyst e9eacdecd2
Fix issue where rendering stops after the first invalid parmalink 2024-04-19 18:21:21 +02:00
Gergely Nagy 8eba631f8d
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-19 16:53:14 +02:00
0ko 67d6c674df Merge pull request 'Remove EasyMDE from various areas' (#2916) from 0ko/forgejo:easymde into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2916
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-19 13:48:34 +00:00
Earl Warren b05a7809b5 Merge pull request 'fix(tests): 30s to cancel processes to avoid false negatives' (#3317) from earl-warren/forgejo:wip-cancel-test into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3317
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-04-19 12:48:41 +00:00
Earl Warren 0342b7fdcd Merge pull request '[RELEASE] v1.21.11-1 release notes' (#3330) from earl-warren/forgejo:wip-release-notes-1.21 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3330
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-04-19 11:49:03 +00:00
Earl Warren af7decae18 Merge pull request 'Update citation-js monorepo to v0.7.11' (#3321) from renovate/citation-js-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3321
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-19 11:08:57 +00:00
Earl Warren 080f1e8250
[RELEASE] v1.21.11-1 release notes 2024-04-19 13:00:57 +02:00
Gusted b6992ed6b9 Merge pull request 'services: Use proper Message-IDs for release mails' (#3309) from algernon/forgejo:are-we-dot-atom-text-yet into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3309
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-19 08:35:17 +00:00
Renovate Bot 82ec2a65e0 Update citation-js monorepo to v0.7.11 2024-04-19 00:02:54 +00:00
Earl Warren 9a80f6b57e Merge pull request 'v1.21.11-0 release notes' (#3287) from crystal/forgejo:pr/releasenotes-1.21.11-0 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3287
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-18 20:14:21 +00:00
Earl Warren 77843135b0
slight wording change and most serious fix first 2024-04-18 21:57:53 +02:00
crystal 2b2c0f1ae2
add security fixes details, link to compare 2024-04-18 12:37:59 -06:00
Earl Warren d335a3330f Merge pull request 'ci(renovate): fix step names (take 2)' (#3318) from earl-warren/forgejo:wip-renovate-run into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3318
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-18 18:17:16 +00:00
Earl Warren 9303f8e72d
ci(renovate): fix step names (take 2) 2024-04-18 20:08:27 +02:00
Earl Warren 6316e21be2
fix(tests): 30s to cancel processes to avoid false negatives
on slower machines it can take more than 1 second to cancel leftover
tasks
2024-04-18 18:47:49 +02:00
Otto Richter 87d4746f5e Rename button to "Finish Review"
Motivation: The meaning of the button is apparent from the visual
position and the number icon. This is not exposed to a screenreader.
Naming it to "Finish Review" helps with to provide the meaning of the
button as well as the number in the label.
2024-04-18 16:21:30 +02:00
Otto Richter 187e10d8c9 Fix unlabelled button in code review 2024-04-18 16:20:29 +02:00
Earl Warren c7b8a434c3 Merge pull request 'ci(renovate): fix step names' (#3311) from viceice/forgejo:ci/renovate/fix-step-names into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3311
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-18 14:04:19 +00:00
Earl Warren b58474173a Merge pull request 'Update ghcr.io/visualon/renovate Docker tag to v37.305.0' (#3312) from renovate/ghcr.io-visualon-renovate-37.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3312
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-18 13:54:22 +00:00
crystal 95fa27374b
typo 2024-04-18 07:27:48 -06:00
Gergely Nagy b0c0167c54
services: Use proper Message-IDs for release mails
When sending notification emails about a release, use a properly
formatted, RFC-compliant message id, rather than the release's HTML URL
wrapped in angle brackets (which would not be compliant).

Fixes #3105.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-18 13:44:18 +02:00
Renovate Bot 0f078ba4c9 Update ghcr.io/visualon/renovate Docker tag to v37.305.0 2024-04-18 11:25:53 +00:00
Michael Kriese 1f4915692b
ci(renovate): fix step names 2024-04-18 13:22:51 +02:00
Renovate Bot ca2473e895 Update ghcr.io/visualon/renovate Docker tag to v37.303.2 2024-04-17 16:05:21 +00:00
Earl Warren bc3e66097c Merge pull request 'fix(release): add missing ARG RELEASE_VERSION' (#3290) from earl-warren/forgejo:wip-oci-labels into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3290
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-17 15:51:36 +00:00
Earl Warren 97189d41f3
fix(release): add missing ARG RELEASE_VERSION
The ARG RELEASE_VERSION set in the build-env image does not propagate
to the images that follow. As a result the value of the version label
is always empty.

This should have been caught by the test in the CI but although it
notified the problem in the output, it did not fail. Upgrade to the
forgejo-build-publish version that fixes this false positive.
2024-04-17 17:16:53 +02:00
crystal 0ff5be49ab
[RELEASE] v1.21.11-0 release notes 2024-04-17 05:45:41 -06:00
Earl Warren d07f12e010 Merge pull request 'Do not require login_name & source_id for /admin/user/{username}' (#3278) from algernon/forgejo:leave-your-name-at-the-door into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3278
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 11:05:13 +00:00
Mai-Lapyst 5b6b3f3fb3
Fix some edge cases; closes #3232
- Fixes wrong usage of AppURL
- Fixes wrong rendering with extra path segments when AppSubURL is empty
- Now also renders all links when 2+ permalinks are present
2024-04-17 13:02:48 +02:00
Earl Warren 618e517d4c Merge pull request 'Update dependency vue to v3.4.23' (#3280) from renovate/vue-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3280
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-17 10:32:43 +00:00
Earl Warren c2f2858363 Merge pull request 'chore(renovate): schedule some deps quarterly' (#3284) from viceice/forgejo:chore/renovate-schedule into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3284
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 10:16:50 +00:00
Gergely Nagy dc39043cd6
Change the default SSH clone url to the ssh:// style
Rather than using an scp-style URI, use the same URL style for SSH
clones as for HTTP(S) ones. This is not only more consistent, but the
URL style allows one to specify a port, and makes it clear that it is an
SSH clone URL.

git itself favours the URL style, and mentions the scp-style in passing
only. Said style is prominently used by GitHub, and might be more
familiar for a lot of people, but other than familiarity, it has no
advantage over the URL style.

For the benefit of consistency, and flexibility, lets flip the default,
and make it the URL style. Instance admins who prefer to use the
scp-style, and are running SSH on its standard port, can change the
setting back to false.

This addresses #3193.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-17 11:04:48 +02:00
Gergely Nagy d07c8c821c
Do not require login_name & source_id for /admin/user/{username}
When editing a user via the API, do not require setting `login_name` or
`source_id`: for local accounts, these do not matter. However, when
editing a non-local account, require *both*, as before.

Fixes #1861.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-17 10:33:52 +02:00
Michael Kriese bb0daa9522
chore(renovate): schedule some deps quarterly 2024-04-17 09:24:59 +02:00
Earl Warren e4aa7bd511 Merge pull request 'webhook: improve UX for sourcehut and matrix' (#3156) from oliverpool/forgejo:webhook_sourcehut_polish into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3156
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 06:39:54 +00:00
Gergely Nagy ea4071ca9f Allow admins to fork repos even when creation limits are exhausted (#3277)
This is a continuation of #2728, with a test case added.

Fixes #2633.

I kept @zareck 's commit as is, because I believe it is correct. We can't move the check to `owner.CanForkRepo()`, because `owner` is the future owner of the forked repo, and may be an organization. We need to check the admin permission of the `doer`, like in the case of repository creation.

I verified that the test fails without the `ForkRepository` change, and passes with it.

Co-authored-by: Cassio Zareck <cassiomilczareck@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3277
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-17 05:52:02 +00:00
Earl Warren 33d0617538 Merge pull request 'feat(release): add OCI labels to container images' (#3261) from earl-warren/forgejo:wip-oci-labels into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3261
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-17 05:46:36 +00:00
Earl Warren a003691c7b Merge pull request 'Allow changing global wiki editability via the API' (#3276) from algernon/forgejo:let-the-api-control-your-wiki-editability into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3276
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 05:46:10 +00:00
Renovate Bot a5c0643d13 Update dependency vue to v3.4.23 2024-04-17 00:04:27 +00:00
Gusted 787bc6ed94 Merge pull request 'Update dependency @stylistic/eslint-plugin-js to v1.7.2' (#3251) from renovate/stylistic-eslint-plugin-js-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3251
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-16 20:59:10 +00:00
Gergely Nagy df8e58c5cb
Allow changing global wiki editability via the API
The global wiki editability can be set via the web UI, this patch makes
it possible to set the same thing via the API too. This is accomplished
by adjusting the GET and PATCH handlers of the
`/api/v1/repos/{owner}/{repo}` route.

The first will include the property when checking the repo's settings,
the second allows a repo admin to change the setting too.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-16 22:51:36 +02:00
oliverpool ada8bfa52f Merge pull request 'Fix release published actions not triggering for releases created from existing tags' (#3220) from zotan/forgejo:forgejo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3220
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 18:27:59 +00:00
Laura Hausmann 8506dbe2e5
Add tests for webhook release events
Co-authored-by: oliverpool <git@olivier.pfad.fr>
2024-04-16 19:25:26 +02:00
Earl Warren a5a0fc7344 Merge pull request '[BUG] Escape editor.add_tmpl translation' (#3269) from gusted/forgejo-escape-tr into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3269
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 16:19:47 +00:00
Earl Warren 028d19c0fe
feat(release): add OCI labels to container images 2024-04-16 17:50:57 +02:00
Earl Warren a76f71a648 Merge pull request '[BUG] Fix styling of close button' (#3267) from gusted/forgejo-theme-reg into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3267
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-04-16 15:18:03 +00:00
Gusted a0f47b8de7
[BUG] Escape editor.add_tmpl translation
- Previously translations were escaped, but now translations are
accepted as-is and will be rendered as HTML. Use `TrString` to escape
the translation value.
- Adds integration test.
- Regression of 65248945c9.
- Resolves #3260
2024-04-16 15:50:49 +02:00
oliverpool df042909bb Merge pull request '[Port] container.FilterSlice function (gitea#30339 & gitea#30370)' (#3264) from oliverpool/forgejo:port_30339 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3264
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-16 13:12:11 +00:00
Earl Warren 9aa430268b Merge pull request 'Add commit status summary table to reduce query from commit status table' (#3245) from viceice/forgejo:feat/commit-status-summary into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3245
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 12:22:49 +00:00
0ko 41ab13c14f Various improvements to pages: notifications and subscriptions
- fix rounding on /notifications/subscriptions
- add navigation interconnectivity between notifications and subscriptions
- use modern style for tabs
- clearing notificatons: hide the whole form instead of div. It doesn't seem like its changed via JS?
- replace issue-title-buttons and edit-buttons with universal top-right-buttons, get rid of tw-mr-0 helpers
- repo issues: fix misalignments on mobile view
2024-04-16 15:29:28 +05:00