Commit graph

4075 commits

Author SHA1 Message Date
Loïc Dachary
4927e73551
Revert "fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin"
This reverts commit e9aa373db5.
2023-11-26 06:34:37 +01:00
Loïc Dachary
e9aa373db5
fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7)
2023-11-25 08:08:37 +01:00
Loïc Dachary
5322136af8
fix GET /api/v1/repos/{owner}/{repo}/keys/{id}
(cherry picked from commit 768238d9f9982e99ad4cbf3942d2d2db5126a150)

Conflicts:
	routers/api/v1/repo/key.go
	trivial context conflict
2023-11-25 08:08:37 +01:00
Loïc Dachary
a2b1082dda
fix POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit a6d2ad6310f754952998fd73118da9f91c563145)
2023-11-25 08:08:37 +01:00
Loïc Dachary
5ef4992fd7
fix GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail
(cherry picked from commit 0853dec293dd632a03948f66af69e75dd582a92d)
2023-11-25 08:08:36 +01:00
Loïc Dachary
75730a6ded
fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead)
2023-11-25 08:08:36 +01:00
Loïc Dachary
48bcb1937e
fix GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit aed193ef9f5d59aed12cfd7518765d5598c7999f)
2023-11-25 07:23:34 +01:00
Loïc Dachary
6f87e71f0c
fix POST /{owner}/{repo}/comments/{id}/reactions/{action}
(cherry picked from commit 21d4556cbeb9d0f825398114ba3a4816f331315b)
2023-11-25 07:23:34 +01:00
Loïc Dachary
5cc6361e31
fix POST /{owner}/{repo}/comments/{id}
(cherry picked from commit 385a1f337462bec34ccc389d4efe21e3b2be8465)
2023-11-25 07:23:34 +01:00
Loïc Dachary
44f2592028
fix POST /{owner}/{repo}/comments/{id}/delete
(cherry picked from commit 1b57d8493882d9d659164acd3b4a5a99c769d8ed)
2023-11-25 07:23:34 +01:00
Loïc Dachary
0b0b506b74
fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 521eed2312f45bef7de28c9c03c04257862a453c)
2023-11-25 07:23:34 +01:00
Loïc Dachary
585f74c2ca
fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit a146e3d0f9ff8ac1aee4be8a3632c76b35fc3482)
2023-11-25 07:23:33 +01:00
Loïc Dachary
685ebdba63
fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit f499075c53752f983c6e4f8af17c449926ba94d9)
2023-11-25 07:23:33 +01:00
Loïc Dachary
e291ea5e33
fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 51c280e877765efe721e607aa95bcbb5aef364e0)
2023-11-25 07:23:33 +01:00
Loïc Dachary
3ddfca10ac
fix API usage of a PR index in place of issue index and vice versa
(cherry picked from commit 7b95266de083c8de0ff224530a9b69e82c52c344)
2023-11-25 07:23:32 +01:00
Loïc Dachary
6b4cb070cc
enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues
(cherry picked from commit d3db2fa8bc85e9d67f30854bba0a4c1e8b57b015)
2023-11-25 07:23:32 +01:00
Loïc Dachary
c70eb32280
enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned
(cherry picked from commit 00fad97fc1b27db40a002c9ab3f709d04dc2cdd1)
2023-11-25 07:23:32 +01:00
Loïc Dachary
5d18f4b19f
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
(cherry picked from commit 7b0549cd70)
(cherry picked from commit 13e10a65d9)
(cherry picked from commit 65bdd73cf2)
(cherry picked from commit 64eba8bb92)
(cherry picked from commit 4c49b1a759)
(cherry picked from commit 93b4d06406)
(cherry picked from commit e2bc5f36d9)
(cherry picked from commit 2bee76f9df)
(cherry picked from commit 3d8a1b4a9f)
(cherry picked from commit 99dd092cd0)
(cherry picked from commit 0fdbd02204)
(cherry picked from commit 70b277a183)
(cherry picked from commit 3eece7fbb4)
(cherry picked from commit 4838fc9e11)
(cherry picked from commit b76ed541cf)
(cherry picked from commit dcdfb5b65c)
(cherry picked from commit 377dc48cdc)
(cherry picked from commit acc862f411)
(cherry picked from commit ac75ef101f)
(cherry picked from commit 08f2d9f7c5)
(cherry picked from commit e4096f0b64)
(cherry picked from commit bf5876f062)
(cherry picked from commit 7dc60637e5)
(cherry picked from commit ef3101774b)
(cherry picked from commit ecb9e8867c)
(cherry picked from commit 64f0ae72fe)
(cherry picked from commit 8dd6ec7862)
(cherry picked from commit b36723e52b)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb8)
(cherry picked from commit 1d87602819)
(cherry picked from commit 0f72002d66)
(cherry picked from commit da2556eb13)
(cherry picked from commit c01688cd90)
(cherry picked from commit af4bba8329)
(cherry picked from commit 33ca322c2e)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d44)
(cherry picked from commit 27c4797c9f)
2023-11-14 13:17:12 +01:00
Giteabot
d7408d8b0b
Dont leak private users via extensions (#28023) (#28028)
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`

(cherry picked from commit 69ea554e23)
2023-11-14 13:17:12 +01:00
KN4CK3R
44df78edd4
Unify two factor check (#27915) (#27939)
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

(cherry picked from commit 00705da102)
2023-11-14 13:17:12 +01:00
Lunny Xiao
f2c3491b61
Fix http protocol auth (#27875) (#27878)
backport #27875

(cherry picked from commit 1dedf9bba0)
2023-11-14 13:17:12 +01:00
Giteabot
64373004b5
Fix org team endpoint (#27721) (#27729)
Backport #27721 by @lng2020

Fix #27711

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 71803d33e3)
2023-11-14 13:17:11 +01:00
Giteabot
62c33f92a9
Fix 404 when deleting Docker package with an internal version (#27615) (#27629)
Backport #27615 by @lng2020

close #27601
The Docker registry has an internal version, which leads to 404

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 171950a0d4)
2023-11-14 13:17:11 +01:00
Giteabot
e0fe8a8ab4
Fix panic in storageHandler (#27446) (#27478)
Backport #27446 by @sryze

storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServerHTTP()`).

Example CURL command to trigger the panic:

```
curl -I "http://yourhost/gitea//avatars/a"
```

Fixes #27409

---

Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.

Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)

Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
(cherry picked from commit 4ffa683820)
2023-11-14 13:17:11 +01:00
Giteabot
c50af699ea
When comparing with an non-exist repository, return 404 but 500 (#27437) (#27441)
Backport #27437 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 973b7f6298)
2023-11-14 13:17:11 +01:00
Earl Warren
a1e6944bd7
Revert "[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP"
This reverts commit 9413fd0274.
2023-11-14 13:17:11 +01:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Giteabot
f8bf284794
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27162)
Backport #27150 by @memphis88

Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.

This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).

Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
(cherry picked from commit fbe1f35112)
2023-10-03 14:48:08 +02:00
Giteabot
c041114a20
fix pagination for followers and following (#27127) (#27138)
Backport #27127 by @earl-warren

- Use the correct total amount for pagination. Thereby correctly show
the pagination bare when there's more than one page of
followers/followings.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1477

(cherry picked from commit c1a136318b)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 1d6e5c8e58)
2023-09-20 12:50:46 +02:00
Giteabot
64a418dfc7
Fix issue templates when blank isses are disabled (#27061) (#27082)
Backport #27061 by @JakobDev

Fixes #27060

Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit b139234fa8)
2023-09-20 12:50:46 +02:00
Giteabot
1689b3da55
Redirect from {repo}/issues/new to {repo}/issues/new/choose when blank issues are disabled (#26813) (#26847)
Backport #26813 by @JakobDev

You can currently visit `{repo}/issues/new` and create a blank issue,
even if it's disabled. This PR fixes this,

Fixes https://codeberg.org/forgejo/forgejo/issues/1356

Co-authored-by: JakobDev <jakobdev@gmx.de>
(cherry picked from commit 2cfabb68ff)
2023-09-08 08:09:18 +02:00
Giteabot
193e04c43b
Fix verifyCommits error when push a new branch (#26664) (#26810)
Backport #26664 by @CaiCandong

> ### Description
> If a new branch is pushed, and the repository has a rule that would
require signed commits for the new branch, the commit is rejected with a
500 error regardless of whether it's signed.
>
> When pushing a new branch, the "old" commit is the empty ID
(0000000000000000000000000000000000000000). verifyCommits has no
provision for this and passes an invalid commit range to git rev-list.
Prior to 1.19 this wasn't an issue because only pre-existing individual
branches could be protected.
>
> I was able to reproduce with
[try.gitea.io/CraigTest/test](https://try.gitea.io/CraigTest/test),
which is set up with a blanket rule to require commits on all branches.

Fix #25565
Very thanks to @Craig-Holmquist-NTI for reporting the bug and suggesting
an valid solution!

Co-authored-by: CaiCandong <50507092+CaiCandong@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 93c36f395c)
2023-09-08 08:09:18 +02:00
yp05327
a6c2201dd4
Fix context filter has no effect in dashboard (#26695) (#26811)
Backport #26695

(cherry picked from commit c72f6067b3)
2023-09-08 08:09:18 +02:00
js6pak
833cf722ab
Include the GITHUB_TOKEN/GITEA_TOKEN secret for fork pull requests (#26759) (#26806)
Backport #26759

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit 54cc459ea8)
2023-09-08 08:09:18 +02:00
Giteabot
4d2b4008d3
Fix some slice append usages (#26778) (#26798)
Backport #26778 by @harryzcy

Co-authored-by: Chongyi Zheng <git@zcy.dev>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 4013f3f600)
2023-09-08 08:09:18 +02:00
Giteabot
1d228e6ee9
Fix being unable to use a repo that prohibits accepting PRs as a PR source. (#26785) (#26790)
Backport #26785 by @CaiCandong

## Description
Sometimes, we need to use an upstream mirror repository to update the
current development repository, but mirror repositories are prohibited
from PR. It should not appear in `merge to,` but it can appear in `pull
from.`
Fix #24585 #26193 #26781
Related #24183

Many thanks to @apnote  for assisting me in reproducing this bug!

## ScreenShot
---
### Before

<img
src="https://github.com/go-gitea/gitea/assets/50507092/3d76c376-1f54-45b9-80c9-6ba8319d6a9a"
width="400px">

<img
src="https://github.com/go-gitea/gitea/assets/50507092/fbfd9f7f-421f-4a2e-9a3e-f2958bbf3312"
width="400px">

### After

<img
src="https://github.com/go-gitea/gitea/assets/50507092/e6984524-4f61-4310-b795-4d8598bd8963"
width="400px">

<img
src="https://github.com/go-gitea/gitea/assets/50507092/04065b44-78d7-4721-bf31-0f1674150727"
width="400px">

Co-authored-by: CaiCandong <50507092+CaiCandong@users.noreply.github.com>
(cherry picked from commit 3bab20491e)
2023-09-08 08:09:18 +02:00
Giteabot
ef46b01168
Fix unable to display individual-level project (#26198) (#26636)
Backport #26198 by @CaiCandong

As title

Before:

![image](https://github.com/go-gitea/gitea/assets/50507092/94afc3bf-5597-4151-a59b-5632840ffa21)

After:

![image](https://github.com/go-gitea/gitea/assets/50507092/df81aa0b-98a6-477d-a270-2e45b3dca0fc)

fix #26189

Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com>
(cherry picked from commit 352a495c02)
2023-09-08 08:07:19 +02:00
a1012112796
5abca17b64
fix reopen logic for agit flow pull request (#26399) (#26613)
Backport #26399

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit f43df2f820)
2023-09-08 08:07:19 +02:00
Giteabot
563fc65e35
Fix "issueReposQueryPattern does not match query" (#26556) (#26564)
Backport #26556 by @wolfogre

Fix
`https://github.com/go-gitea/gitea/pull/26545#discussion_r1295734340`

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 1cedf36d30)
2023-08-21 07:27:20 +02:00
Giteabot
4ac522c8aa
Sync repo's IsEmpty status correctly (#26517) (#26560)
Backport #26517 by @wxiaoguang

Close #26509

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 7da85fa0c3)
2023-08-21 07:27:20 +02:00
Giteabot
44658b7d2c
Fix typo of RunerOwnerID (#26508) (#26528)
Backport #26508 by @yp05327

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 0ac8b774e9)
2023-08-21 07:27:20 +02:00
KN4CK3R
471138829b
Fix NuGet search endpoints (#25613) (#26499)
Backport of #25613

Fixes #25564
Fixes #23191

- Api v2 search endpoint should return only the latest version matching
the query
- Api v3 search endpoint should return `take` packages not package
versions

(cherry picked from commit 762d4245fb)
2023-08-21 07:27:20 +02:00
Giteabot
d297a87f75
Add ThreadID parameter for Telegram webhooks (#25996) (#26480)
Backport #25996

Telegram has recently implemented threads (channels) for group chats.

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: neveraskedtoexist <matikot415@gmail.com>
(cherry picked from commit acc0fd22d8)
2023-08-21 07:22:19 +02:00
Giteabot
c029b1a3bc
Fix wrong middleware sequence (#26428) (#26436)
Backport #26428 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit ec37ea5945)
2023-08-21 07:22:18 +02:00
wxiaoguang
e64aa0d9c2
Fix admin queue page title and fix CI failures (#26409) (#26421)
Backport #26409

* Fix #26408
* Bypass the data race issue in "ssh" package

(cherry picked from commit 8ad331c9d2)
2023-08-21 07:22:18 +02:00
Giteabot
8265bece8e
Introduce ctx.PathParamRaw to avoid incorrect unescaping (#26392) (#26405)
Backport #26392 by @wxiaoguang

Fix #26389

And complete an old TODO: `ctx.Params does un-escaping,..., which is
incorrect.`

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 2d1a7e1cd4)
2023-08-21 07:22:18 +02:00
Earl Warren
20557c6bdb
[BRANDING] define the forgejo webhook type
templates/swagger/v1_json.tmpl updated with `make generate-swagger`

(cherry picked from commit 88899c492e)
(cherry picked from commit 7171bd9617)
(cherry picked from commit 1a742446c1)
(cherry picked from commit d7c189d7b2)

Conflicts:
	routers/web/web.go
(cherry picked from commit cbdea868e4)
(cherry picked from commit 6cd150483b)
(cherry picked from commit 47246da8d3)
(cherry picked from commit f2aa0e6b76)
(cherry picked from commit 5a4fc69a16)
(cherry picked from commit 48e444ca09)
(cherry picked from commit 888e537811)
(cherry picked from commit 5121f493c9)
(cherry picked from commit 9394e55fdf)
(cherry picked from commit 3a2ce51768)
(cherry picked from commit 719ead3a65)
(cherry picked from commit 83e6f82e2a)
(cherry picked from commit 494a429b21)
(cherry picked from commit 4d775db6b4)
(cherry picked from commit b68f777dc2)
(cherry picked from commit 5b934023fa)
(cherry picked from commit 3b1ed8b16c)
(cherry picked from commit 6bc4a46c9f)
(cherry picked from commit 8064bb24a3)

Conflicts:
	templates/admin/hook_new.tmpl
	templates/org/settings/hook_new.tmpl
	templates/repo/settings/webhook/base_list.tmpl
	templates/repo/settings/webhook/new.tmpl
	templates/user/settings/hook_new.tmpl
	https://codeberg.org/forgejo/forgejo/pulls/1181

(cherry picked from commit 55f5588a91)

Conflicts:
	routers/web/web.go
	https://codeberg.org/forgejo/forgejo/issues/1219
2023-08-21 07:22:16 +02:00
Earl Warren
c862cc15c8
Revert "[BRANDING] define the forgejo webhook type"
This reverts commit 02ba08ca84.
2023-08-21 07:22:16 +02:00
Giteabot
c2f2fed57a
Fix pull request check list is limited (#26179) (#26245)
Backport #26179 by @CaiCandong

In the original implementation, we can only get the first 30 records of
the commit status (the default paging size), if the commit status is
more than 30, it will lead to the bug #25990. I made the following two
changes.
- On the page, use the ` db.ListOptions{ListAll: true}` parameter
instead of `db.ListOptions{}`
- The `GetLatestCommitStatus` function makes a determination as to
whether or not a pager is being used.

fixed #25990

Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com>
(cherry picked from commit 060026995a)
2023-08-21 07:22:15 +02:00