Commit graph

3793 commits

Author SHA1 Message Date
Gusted
457564044a
[DB] Ensure forgejo migration up to date (squash)
- Backport https://codeberg.org/forgejo/forgejo/pulls/1849
- Hook Forgejo's `EnsureUpToDate` to Gitea's `EnsureUpToDate`, such that
the Forgejo migrations are also being checked to be up to date.
- I'm not sure how I missed this and if this has caused any problems,
but due to the lack of any open issue about it it seems to not be a big
problem.

(cherry picked from commit 6c65b6dcf6)
2023-11-28 23:28:06 +01:00
Loïc Dachary
381c66ddef
test POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit 6edae51a23)
2023-11-26 06:48:49 +01:00
Lunny Xiao
db0d71ec0f
Fix comment permissions (#28213) (#28217)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit dfd511faf3)
2023-11-26 06:35:50 +01:00
Loïc Dachary
d2de912c95
Revert "fix API usage of a PR index in place of issue index and vice versa"
This reverts commit 3ddfca10ac.
2023-11-26 06:34:40 +01:00
Earl Warren
3380217da1
[TESTS] tests.AddFixtures helper loads additional per-test fixtures
(cherry picked from commit 93a844dd13)
(cherry picked from commit 6d6d1a121c)
(cherry picked from commit 8b101f2860)
(cherry picked from commit 3e56212d6d)
(cherry picked from commit 4f619bc585)
2023-11-25 08:08:37 +01:00
Loïc Dachary
3ddfca10ac
fix API usage of a PR index in place of issue index and vice versa
(cherry picked from commit 7b95266de083c8de0ff224530a9b69e82c52c344)
2023-11-25 07:23:32 +01:00
Giteabot
c0ccd4c2d7
Fix no ActionTaskOutput table waring (#28149) (#28151)
Backport #28149 by @yp05327

Reproduce:
- Create a new Gitea instance
- Register a runner
- Create a repo and add a workflow
- Check the log, you will see warnings:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f1278e0-114b-48bc-8113-8ba1404d9975)
It comes from:

![image](https://github.com/go-gitea/gitea/assets/18380374/c2807831-e137-4229-9536-87f6114c8a5b)

The reason is that we forgot registering `ActionTaskOutput` model.
So `action_table_output` table will be missing in your db.

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 41b2d0be93)
2023-11-22 17:23:43 +01:00
Giteabot
f302373eb4
Restricted users only see repos in orgs which their team was assigned to (#28025) (#28050)
Backport #28025 by @6543

---
*Sponsored by Kithara Software GmbH*

Co-authored-by: 6543 <m.huber@kithara.com>
(cherry picked from commit 439e071acf)
2023-11-22 17:23:33 +01:00
Nanguan Lin
6dfe993913
Fix wrong xorm Delete usage(backport for 1.20) (#28003)
manually backport for https://github.com/go-gitea/gitea/pull/27995
The conflict is `ctx` and `db.Defaultctx`.

(cherry picked from commit c077a084d7)
2023-11-14 13:17:12 +01:00
Loïc Dachary
e58e7bf088
[GITEA] rework long-term authentication (squash) add migration
Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
2023-10-05 12:35:59 +02:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Lunny Xiao
4b23f11864
Fix bug of review request number (#27406)
Manually backport #27104 without tests because too many conflicted files
to backport it completely.

(cherry picked from commit 5c96a2be87)
2023-10-03 14:48:40 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Giteabot
5e2d16de0e
Add logs for data broken of comment review (#27326) (#27344)
Backport #27326 by @lunny

Fix #27306

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit b6b71c78c4)
2023-10-03 14:48:40 +02:00
KN4CK3R
13423d6eda
Quote table release in sql queries (#27205) (#27219)
Backport of #27205

Fixes #27174

`release` is a reserved keyword in MySql. I can't reproduce the issue on
my setup and we have a test for that code but it seems there can be
setups where it fails.

(cherry picked from commit eae6985b63)
2023-10-03 14:48:18 +02:00
Lunny Xiao
745b45406d
Fix context cache bug & enable context cache for dashabord commits' authors(#26991) (#27017)
backport #26991

Unfortunately, when a system setting hasn't been stored in the database,
it cannot be cached.
Meanwhile, this PR also uses context cache for push email avatar display
which should avoid to read user table via email address again and again.

According to my local test, this should reduce dashboard elapsed time
from 150ms -> 80ms .

(cherry picked from commit 9df573bddc)
2023-09-20 12:50:46 +02:00
Gusted
4b9a473e12
[GITEA] Use restricted sanitizer for repository description
- Backport of https://codeberg.org/forgejo/forgejo/pulls/1433
  - Currently the repository description uses the same sanitizer as a
normal markdown document. This means that element such as heading and
images are allowed and can be abused.
  - Create a minimal restricted sanitizer for the repository description,
which only allows what the postprocessor currently allows, which are
links and emojis.
  - Added unit testing.
  - Resolves https://codeberg.org/forgejo/forgejo/issues/1202
  - Resolves https://codeberg.org/Codeberg/Community/issues/1122

(cherry picked from commit a8afa4cd18)
2023-09-13 17:17:37 +02:00
Earl Warren
5aad8a6918
[GITEA] enable system users for comment.LoadPoster
System users (Ghost, ActionsUser, etc) have a negative id and may be
the author of a comment, either because it was created by a now
deleted user or via an action using a transient token.

The GetPossibleUserByID function has special cases related to system
users and will not fail if given a negative id.

Refs: https://codeberg.org/forgejo/forgejo/issues/1425
(cherry picked from commit 97667e06b3)
2023-09-12 11:02:07 +02:00
Giteabot
4df75c254f
Fix wrong review requested number (#26784) (#26880)
Backport #26784 by @lng2020

Fix the wrong review requested number mentioned by #18808 .
Fix #18808
Before:

![ksnip_20230829-140750](https://github.com/go-gitea/gitea/assets/70063547/0af2055b-6f16-4699-a944-c7186831d7f9)
After:

![ksnip_20230829-141817](https://github.com/go-gitea/gitea/assets/70063547/16633264-20ba-45e3-bfbb-a495ed76a45b)

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 2a184796b5)
2023-09-08 08:09:18 +02:00
Giteabot
193e04c43b
Fix verifyCommits error when push a new branch (#26664) (#26810)
Backport #26664 by @CaiCandong

> ### Description
> If a new branch is pushed, and the repository has a rule that would
require signed commits for the new branch, the commit is rejected with a
500 error regardless of whether it's signed.
>
> When pushing a new branch, the "old" commit is the empty ID
(0000000000000000000000000000000000000000). verifyCommits has no
provision for this and passes an invalid commit range to git rev-list.
Prior to 1.19 this wasn't an issue because only pre-existing individual
branches could be protected.
>
> I was able to reproduce with
[try.gitea.io/CraigTest/test](https://try.gitea.io/CraigTest/test),
which is set up with a blanket rule to require commits on all branches.

Fix #25565
Very thanks to @Craig-Holmquist-NTI for reporting the bug and suggesting
an valid solution!

Co-authored-by: CaiCandong <50507092+CaiCandong@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 93c36f395c)
2023-09-08 08:09:18 +02:00
Giteabot
d5845521a8
check blocklist for emails when adding them to account (#26812) (#26831)
Backport #26812 by @techknowlogick

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
(cherry picked from commit 41bae29f84)
2023-09-08 08:09:18 +02:00
Giteabot
2f6d011503
Ignore the trailing slashes when comparing oauth2 redirect_uri (#26597) (#26618)
Backport #26597 by @wxiaoguang

Fix #26526

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 4aed0e6b07)
2023-09-08 08:07:19 +02:00
Gusted
fa25b9eec6
[GITEA] Add slow SQL query warning
- Backport of https://codeberg.org/forgejo/forgejo/pulls/1284
  - Databases are one of the most important parts of Forgejo, every
interaction with Forgejo uses the database in one way or another.
Therefore, it is important to maintain the database and recognize when
Forgejo is not doing well with the database. Forgejo already has the
option to log *every* SQL query along with its execution time, but
monitoring becomes impractical for larger instances and takes up
unnecessary storage in the logs.
  - Add a QoL enhancement that allows instance administrators to specify a
threshold value beyond which query execution time is logged as a warning
in the xorm logger. The default value is a conservative five seconds to
avoid this becoming a source of spam in the logs.
  - The use case for this patch is that with an instance the size of Codeberg, monitoring SQL logs is not very fruitful and most of them are uninteresting. Recently, in the context of persistent deadlock issues (https://codeberg.org/forgejo/forgejo/issues/220), I have noticed that certain queries hold locks on tables like comment and issue for several seconds. This patch helps to identify which queries these are and when they happen.
  - Added unit test.
2023-08-21 21:18:43 +02:00
CaiCandong
28acd6e262
Fix project filter bugs (#26490) (#26558)
Backport  #26490

related: #26012

1. missing project filter on the issue page.

1e76a824bc/modules/indexer/issues/dboptions.go (L11-L15)
2. incorrect SQL condition: some issue does not belong to a project but
exists on the project_issue table.

f5dbac9d36/models/issues/issue_search.go (L233)

![before](https://github.com/go-gitea/gitea/assets/50507092/1dcde39e-3e2f-4151-b2c6-4d67bf493c2f)

![after](https://github.com/go-gitea/gitea/assets/50507092/badfb81f-056d-4a2f-9838-1cba9c15768d)

(cherry picked from commit 94f86964b4)
2023-08-21 07:27:20 +02:00
KN4CK3R
471138829b
Fix NuGet search endpoints (#25613) (#26499)
Backport of #25613

Fixes #25564
Fixes #23191

- Api v2 search endpoint should return only the latest version matching
the query
- Api v3 search endpoint should return `take` packages not package
versions

(cherry picked from commit 762d4245fb)
2023-08-21 07:27:20 +02:00
Earl Warren
6ab5735e90
[UPGRADE] add sanity checks for [storage*]
Refs: https://forgejo.org/2023-08-release-v1-20-3-0/
(cherry picked from commit a266dd0ce3)
2023-08-21 07:22:19 +02:00
Earl Warren
fe55c78fb1
[UPGRADE] run sanity checks before the database is upgraded
(cherry picked from commit 69741e4e66)
2023-08-21 07:22:19 +02:00
Earl Warren
03f33a0320
[SEMVER] store SemVer in ForgejoSemVer after a database upgrade
(cherry picked from commit b7fe7cf401)
2023-08-21 07:22:18 +02:00
Earl Warren
2605e121d4
[DB] forgejo migration v2: create the forgejo_sem_ver table
(cherry picked from commit 86b26436af)

Conflicts:
	models/forgejo_migrations/migrate.go
	trivial context conflict
2023-08-21 07:22:18 +02:00
Giteabot
46ba658cc2
Bypass MariaDB performance bug of the "IN" sub-query, fix incorrect IssueIndex (#26279) (#26368)
Backport #26279 by @wxiaoguang

Close #26277
Fix #26285

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit cb1a4da5c2)
2023-08-21 07:22:17 +02:00
Earl Warren
d83135c204
Revert "[GITEA] Use join for the deleting issue actions query"
This reverts commit 9b71369be9.
2023-08-21 07:22:17 +02:00
Giteabot
2f6b7ce91a
Fix log typo in task.go (#26337) (#26343)
Backport #26337 by @cassiozareck

Signed-off-by: cassiozareck <cassiomilczareck@gmail.com>
(cherry picked from commit 8a97cdd91b)
2023-08-21 07:22:17 +02:00
Giteabot
33c52556a3
Fix bug with sqlite load read (#26305) (#26339)
Backport #26305 by @lunny

Possible fix #26280

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 9be9042479)
2023-08-21 07:22:16 +02:00
Giteabot
9e4be39acb
Fix the topic validation rule and suport dots (#26286) (#26303)
Backport #26286 by @wxiaoguang

1. Allow leading and trailing spaces by user input, these spaces have
already been trimmed at backend
2. Allow using dots in the topic

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit fcd055c34a)
2023-08-21 07:22:16 +02:00
Giteabot
c2f2fed57a
Fix pull request check list is limited (#26179) (#26245)
Backport #26179 by @CaiCandong

In the original implementation, we can only get the first 30 records of
the commit status (the default paging size), if the commit status is
more than 30, it will lead to the bug #25990. I made the following two
changes.
- On the page, use the ` db.ListOptions{ListAll: true}` parameter
instead of `db.ListOptions{}`
- The `GetLatestCommitStatus` function makes a determination as to
whether or not a pager is being used.

fixed #25990

Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com>
(cherry picked from commit 060026995a)
2023-08-21 07:22:15 +02:00
JakobDev
d89003cc1b Fix API leaking Usermail if not logged in (#25097)
The API should only return the real Mail of a User, if the caller is
logged in. The check do to this don't work. This PR fixes this. This not
really a security issue, but can lead to Spam.

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit ea385f5d39)
2023-08-05 11:43:54 +00:00
Gusted
9b71369be9 [GITEA] Use join for the deleting issue actions query
- The action tables can become very large as it's a dumpster for every
action that an user does on an repository.
- The following query: `DELETE FROM action WHERE comment_id IN (SELECT id FROM comment WHERE
issue_id=?)` is not using indexes for `comment_id` and is instead using
an full table scan by MariaDB.
- Rewriting the query to use an JOIN will allow MariaDB to use the
index.
- More information: https://codeberg.org/Codeberg-Infrastructure/techstack-support/issues/9
- Backport https://codeberg.org/forgejo/forgejo/pulls/1154
2023-07-31 10:14:30 +00:00
Giteabot
5afb0294f4
Fix access check for org-level project (#26182) (#26223)
Backport #26182 by @Zettat123

Fix #25934

Add `ignoreGlobal` parameter to `reqUnitAccess` and only check global
disabled units when `ignoreGlobal` is true. So the org-level projects
and user-level projects won't be affected by global disabled
`repo.projects` unit.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 3a29712e0a)
2023-07-30 07:46:19 +02:00
Giteabot
751028549d
Prevent primary key update on migration (#26192) (#26199)
Backport #26192 by @KN4CK3R

Fixes #25918

The migration fails on MSSQL because xorm tries to update the primary
key column. xorm prevents this if the column is marked as auto
increment:

c622cdaf89/internal/statements/update.go (L38-L40)

I think it would be better if xorm would check for primary key columns
here because updating such columns is bad practice. It looks like if
that auto increment check should do the same.

fyi @lunny

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit ecfbcced46)
2023-07-30 07:46:18 +02:00
Lunny Xiao
4640c53386
Fix bug when pushing to a pull request which enabled dismiss approval automatically (#25882) (#26158)
Fix #25858
Backport #25882

The option `dissmiss stale approvals` was listed on protected branch but
never implemented. This PR fixes that.

<img width="1006" alt="图片"

src="https://github.com/go-gitea/gitea/assets/81045/60bfa968-4db7-4c24-b8be-2e5978f91bb9">

<img width="1021" alt="图片"

src="https://github.com/go-gitea/gitea/assets/81045/8dabc14d-2dfe-40c2-94ed-24fcbf6e0e8f">

(cherry picked from commit 666038a06d)
2023-07-30 07:46:18 +02:00
Giteabot
9654d71bb2
Fix bugs in LFS meta garbage collection (#26122) (#26157)
Backport #26122 by @Zettat123

This PR

- Fix #26093. Replace `time.Time` with `timeutil.TimeStamp`
- Fix #26135. Add missing `xorm:"extends"` to `CountLFSMetaObject` for
LFS meta object query
- Add a unit test for LFS meta object garbage collection

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit a12d036a68)
2023-07-30 07:43:05 +02:00
Giteabot
df5200e814
Remove "misc" scope check from public API endpoints (#26134) (#26149)
Backport #26134 by @wxiaoguang

Fix #26035

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit a8445e9320)
2023-07-26 13:51:46 +02:00
Lunny Xiao
7099ef15b6
Update xorm version (#26128) (#26150)
backport #26128 to fix some serious bug.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit bc73e6a85c)
2023-07-26 13:50:10 +02:00
Giteabot
e2101ae572
Fix wrong workflow status when rerun a job in an already finished workflow (#26119) (#26124)
Backport #26119 by @yp05327

Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/fb687592-b117-4cd5-b076-2ca5ca847ea4)
After:

![image](https://github.com/go-gitea/gitea/assets/18380374/c9b0683e-e81d-410b-8c35-fbe54327fab4)

After workflow finished, if you rerun a single job, the workflow status
will become to `Running` which is not correct as no jobs are running in
this workflow.

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 08cdc0da3d)
2023-07-26 13:49:15 +02:00
Earl Warren
b65d458c3a
Merge remote-tracking branch 'forgejo/v1.20/forgejo-dependency' into v1.20/forgejo 2023-07-17 08:01:29 +02:00
Earl Warren
1371196064
Merge remote-tracking branch 'forgejo/v1.20/forgejo-moderation' into v1.20/forgejo 2023-07-17 08:01:23 +02:00
Earl Warren
8924d15dec
[GITEA] silently ignore obsolete sudo scope
Fixes: https://codeberg.org/forgejo/forgejo/issues/820
(cherry picked from commit 6a7022ebbb)
(cherry picked from commit 764eac47b5)
(cherry picked from commit 14480339f0)
(cherry picked from commit fb930bd719)
(cherry picked from commit 97d1166aba)
(cherry picked from commit 97b2abc767)
(cherry picked from commit 3854c9112f)
2023-07-17 00:27:19 +02:00
Gusted
73776d6195
[MODERATION] add user blocking API
- Follow up for: #540, #802
- Add API routes for user blocking from user and organization
perspective.
- The new routes have integration testing.
- The new model functions have unit tests.
- Actually quite boring to write and to read this pull request.

(cherry picked from commit f3afaf15c7)
(cherry picked from commit 6d754db3e5)
(cherry picked from commit d0fc8bc9d3)
(cherry picked from commit 9a53b0d1a0)
(cherry picked from commit 44a2a4fd48)
(cherry picked from commit 182025db9c)
(cherry picked from commit 558a35963e)
2023-07-17 00:26:42 +02:00
Gusted
cdf6318f51
[MODERATION] organization blocking a user (#802)
- Resolves #476
- Follow up for: #540
- Ensure that the doer and blocked person cannot follow each other.
- Ensure that the block person cannot watch doer's repositories.
- Add unblock button to the blocked user list.
- Add blocked since information to the blocked user list.
- Add extra testing to moderation code.
- Blocked user will unwatch doer's owned repository upon blocking.
- Add flash messages to let the user know the block/unblock action was successful.
- Add "You haven't blocked any users" message.
- Add organization blocking a user.

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/802
(cherry picked from commit 0505a10421)
(cherry picked from commit 37b4e6ef9b)
(cherry picked from commit 217475385a)
(cherry picked from commit f2c38ce5c2)
(cherry picked from commit 1edfb68137)
(cherry picked from commit 2cbc12dc74)
(cherry picked from commit 79ff020f18)
2023-07-17 00:26:42 +02:00
Gusted
dc9499bdf9
[MODERATION] user blocking
- Add the ability to block a user via their profile page.
- This will unstar their repositories and visa versa.
- Blocked users cannot create issues or pull requests on your the doer's repositories (mind that this is not the case for organizations).
- Blocked users cannot comment on the doer's opened issues or pull requests.
- Blocked users cannot add reactions to doer's comments.
- Blocked users cannot cause a notification trough mentioning the doer.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/540
(cherry picked from commit 687d852480)
(cherry picked from commit 0c32a4fde5)
(cherry picked from commit 1791130e3c)
(cherry picked from commit 00f411819f)
(cherry picked from commit e0c039b0e8)
(cherry picked from commit b5a058ef00)
(cherry picked from commit 5ff5460d28)
(cherry picked from commit 97bc6e619d)
2023-07-17 00:26:42 +02:00