Lunny Xiao
7aa1e1a54d
Do some missing checks ( #28423 )
...
(cherry picked from commit 717d0f5934
)
Conflicts:
routers/api/v1/api.go
trivial contextual conflict
2023-12-12 22:25:17 +01:00
Loïc Dachary
92450913a8
fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
...
(cherry picked from commit d97efb777f
)
2023-11-26 06:50:26 +01:00
Loïc Dachary
9ea9ba8e7e
fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
...
(cherry picked from commit a82cb96480
)
2023-11-26 06:48:49 +01:00
Lunny Xiao
db0d71ec0f
Fix comment permissions ( #28213 ) ( #28217 )
...
backport #28213
This PR will fix some missed checks for private repositories' data on
web routes and API routes.
(cherry picked from commit dfd511faf3
)
2023-11-26 06:35:50 +01:00
Loïc Dachary
a7a9876dd4
Revert "enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned"
...
This reverts commit c70eb32280
.
2023-11-26 06:34:40 +01:00
Loïc Dachary
140dbb3918
Revert "enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues"
...
This reverts commit 6b4cb070cc
.
2023-11-26 06:34:40 +01:00
Loïc Dachary
d2de912c95
Revert "fix API usage of a PR index in place of issue index and vice versa"
...
This reverts commit 3ddfca10ac
.
2023-11-26 06:34:40 +01:00
Loïc Dachary
4ece6a4b19
Revert "fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
...
This reverts commit e291ea5e33
.
2023-11-26 06:34:39 +01:00
Loïc Dachary
ba352ef4b1
Revert "fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions"
...
This reverts commit 685ebdba63
.
2023-11-26 06:34:39 +01:00
Loïc Dachary
3869f80b52
Revert "fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions"
...
This reverts commit 585f74c2ca
.
2023-11-26 06:34:39 +01:00
Loïc Dachary
fc3825f6b2
Revert "fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
...
This reverts commit 0b0b506b74
.
2023-11-26 06:34:38 +01:00
Loïc Dachary
c21cc34116
Revert "fix POST /{owner}/{repo}/comments/{id}/delete"
...
This reverts commit 44f2592028
.
2023-11-26 06:34:38 +01:00
Loïc Dachary
db1bd78d71
Revert "fix POST /{owner}/{repo}/comments/{id}"
...
This reverts commit 5cc6361e31
.
2023-11-26 06:34:38 +01:00
Loïc Dachary
5fc5d186e0
Revert "fix POST /{owner}/{repo}/comments/{id}/reactions/{action}"
...
This reverts commit 6f87e71f0c
.
2023-11-26 06:34:38 +01:00
Loïc Dachary
710eee48a1
Revert "fix GET /{owner}/{repo}/comments/{id}/attachments"
...
This reverts commit 48bcb1937e
.
2023-11-26 06:34:38 +01:00
Loïc Dachary
e587faae57
Revert "fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete"
...
This reverts commit 75730a6ded
.
2023-11-26 06:34:37 +01:00
Loïc Dachary
d7f5ff0782
Revert "fix GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail"
...
This reverts commit 5ef4992fd7
.
2023-11-26 06:34:37 +01:00
Loïc Dachary
53115c7c17
Revert "fix POST /{username}/{reponame}/{tags,release}/delete"
...
This reverts commit a2b1082dda
.
2023-11-26 06:34:37 +01:00
Loïc Dachary
8a9676f881
Revert "fix GET /api/v1/repos/{owner}/{repo}/keys/{id}"
...
This reverts commit 5322136af8
.
2023-11-26 06:34:37 +01:00
Loïc Dachary
4927e73551
Revert "fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin"
...
This reverts commit e9aa373db5
.
2023-11-26 06:34:37 +01:00
Loïc Dachary
e9aa373db5
fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
...
(cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7)
2023-11-25 08:08:37 +01:00
Loïc Dachary
5322136af8
fix GET /api/v1/repos/{owner}/{repo}/keys/{id}
...
(cherry picked from commit 768238d9f9982e99ad4cbf3942d2d2db5126a150)
Conflicts:
routers/api/v1/repo/key.go
trivial context conflict
2023-11-25 08:08:37 +01:00
Loïc Dachary
a2b1082dda
fix POST /{username}/{reponame}/{tags,release}/delete
...
(cherry picked from commit a6d2ad6310f754952998fd73118da9f91c563145)
2023-11-25 08:08:37 +01:00
Loïc Dachary
5ef4992fd7
fix GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail
...
(cherry picked from commit 0853dec293dd632a03948f66af69e75dd582a92d)
2023-11-25 08:08:36 +01:00
Loïc Dachary
75730a6ded
fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
...
(cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead)
2023-11-25 08:08:36 +01:00
Loïc Dachary
48bcb1937e
fix GET /{owner}/{repo}/comments/{id}/attachments
...
(cherry picked from commit aed193ef9f5d59aed12cfd7518765d5598c7999f)
2023-11-25 07:23:34 +01:00
Loïc Dachary
6f87e71f0c
fix POST /{owner}/{repo}/comments/{id}/reactions/{action}
...
(cherry picked from commit 21d4556cbeb9d0f825398114ba3a4816f331315b)
2023-11-25 07:23:34 +01:00
Loïc Dachary
5cc6361e31
fix POST /{owner}/{repo}/comments/{id}
...
(cherry picked from commit 385a1f337462bec34ccc389d4efe21e3b2be8465)
2023-11-25 07:23:34 +01:00
Loïc Dachary
44f2592028
fix POST /{owner}/{repo}/comments/{id}/delete
...
(cherry picked from commit 1b57d8493882d9d659164acd3b4a5a99c769d8ed)
2023-11-25 07:23:34 +01:00
Loïc Dachary
0b0b506b74
fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
...
(cherry picked from commit 521eed2312f45bef7de28c9c03c04257862a453c)
2023-11-25 07:23:34 +01:00
Loïc Dachary
585f74c2ca
fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions
...
(cherry picked from commit a146e3d0f9ff8ac1aee4be8a3632c76b35fc3482)
2023-11-25 07:23:33 +01:00
Loïc Dachary
685ebdba63
fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions
...
(cherry picked from commit f499075c53752f983c6e4f8af17c449926ba94d9)
2023-11-25 07:23:33 +01:00
Loïc Dachary
e291ea5e33
fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
...
(cherry picked from commit 51c280e877765efe721e607aa95bcbb5aef364e0)
2023-11-25 07:23:33 +01:00
Loïc Dachary
3ddfca10ac
fix API usage of a PR index in place of issue index and vice versa
...
(cherry picked from commit 7b95266de083c8de0ff224530a9b69e82c52c344)
2023-11-25 07:23:32 +01:00
Loïc Dachary
6b4cb070cc
enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues
...
(cherry picked from commit d3db2fa8bc85e9d67f30854bba0a4c1e8b57b015)
2023-11-25 07:23:32 +01:00
Loïc Dachary
c70eb32280
enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned
...
(cherry picked from commit 00fad97fc1b27db40a002c9ab3f709d04dc2cdd1)
2023-11-25 07:23:32 +01:00
Loïc Dachary
5d18f4b19f
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
...
(cherry picked from commit 7b0549cd70
)
(cherry picked from commit 13e10a65d9
)
(cherry picked from commit 65bdd73cf2
)
(cherry picked from commit 64eba8bb92
)
(cherry picked from commit 4c49b1a759
)
(cherry picked from commit 93b4d06406
)
(cherry picked from commit e2bc5f36d9
)
(cherry picked from commit 2bee76f9df
)
(cherry picked from commit 3d8a1b4a9f
)
(cherry picked from commit 99dd092cd0
)
(cherry picked from commit 0fdbd02204
)
(cherry picked from commit 70b277a183
)
(cherry picked from commit 3eece7fbb4
)
(cherry picked from commit 4838fc9e11
)
(cherry picked from commit b76ed541cf
)
(cherry picked from commit dcdfb5b65c
)
(cherry picked from commit 377dc48cdc
)
(cherry picked from commit acc862f411
)
(cherry picked from commit ac75ef101f
)
(cherry picked from commit 08f2d9f7c5
)
(cherry picked from commit e4096f0b64
)
(cherry picked from commit bf5876f062
)
(cherry picked from commit 7dc60637e5
)
(cherry picked from commit ef3101774b
)
(cherry picked from commit ecb9e8867c
)
(cherry picked from commit 64f0ae72fe
)
(cherry picked from commit 8dd6ec7862
)
(cherry picked from commit b36723e52b
)
Conflicts:
modules/context/api.go
https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb8
)
(cherry picked from commit 1d87602819
)
(cherry picked from commit 0f72002d66
)
(cherry picked from commit da2556eb13
)
(cherry picked from commit c01688cd90
)
(cherry picked from commit af4bba8329
)
(cherry picked from commit 33ca322c2e
)
Conflicts:
modules/context/api.go
https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d44
)
(cherry picked from commit 27c4797c9f
)
2023-11-14 13:17:12 +01:00
Giteabot
d7408d8b0b
Dont leak private users via extensions ( #28023 ) ( #28028 )
...
Backport #28023 by @6543
there was no check in place if a user could see a other user, if you
append e.g. `.rss`
(cherry picked from commit 69ea554e23
)
2023-11-14 13:17:12 +01:00
KN4CK3R
44df78edd4
Unify two factor check ( #27915 ) ( #27939 )
...
Backport of #27915
Fixes #27819
We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
(cherry picked from commit 00705da102
)
2023-11-14 13:17:12 +01:00
Lunny Xiao
f2c3491b61
Fix http protocol auth ( #27875 ) ( #27878 )
...
backport #27875
(cherry picked from commit 1dedf9bba0
)
2023-11-14 13:17:12 +01:00
Giteabot
64373004b5
Fix org team endpoint ( #27721 ) ( #27729 )
...
Backport #27721 by @lng2020
Fix #27711
Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 71803d33e3
)
2023-11-14 13:17:11 +01:00
Giteabot
62c33f92a9
Fix 404 when deleting Docker package with an internal version ( #27615 ) ( #27629 )
...
Backport #27615 by @lng2020
close #27601
The Docker registry has an internal version, which leads to 404
Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 171950a0d4
)
2023-11-14 13:17:11 +01:00
Giteabot
e0fe8a8ab4
Fix panic in storageHandler ( #27446 ) ( #27478 )
...
Backport #27446 by @sryze
storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServerHTTP()`).
Example CURL command to trigger the panic:
```
curl -I "http://yourhost/gitea//avatars/a "
```
Fixes #27409
---
Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.
Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)
Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
(cherry picked from commit 4ffa683820
)
2023-11-14 13:17:11 +01:00
Giteabot
c50af699ea
When comparing with an non-exist repository, return 404 but 500 ( #27437 ) ( #27441 )
...
Backport #27437 by @lunny
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 973b7f6298
)
2023-11-14 13:17:11 +01:00
Earl Warren
a1e6944bd7
Revert "[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP"
...
This reverts commit 9413fd0274
.
2023-11-14 13:17:11 +01:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
...
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies ).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.
(cherry-pick from eff097448b
)
Conflicts:
modules/context/context_cookie.go
trivial context conflicts
routers/web/web.go
ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format ( #26430 ) ( #27378 )
...
Backport #26430 by @lunny
Fix #26165
Fix #25257
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b
)
2023-10-03 14:48:40 +02:00
Giteabot
f8bf284794
Fix organization field being null in POST /orgs/{orgid}/teams ( #27150 ) ( #27162 )
...
Backport #27150 by @memphis88
Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694 ,
this addresses the team creation not returning the organization
information in the response.
This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27 )
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam )
suggests that the response body should include the `organization` field
(currently being `null`).
Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
(cherry picked from commit fbe1f35112
)
2023-10-03 14:48:08 +02:00
Giteabot
c041114a20
fix pagination for followers and following ( #27127 ) ( #27138 )
...
Backport #27127 by @earl-warren
- Use the correct total amount for pagination. Thereby correctly show
the pagination bare when there's more than one page of
followers/followings.
Refs: https://codeberg.org/forgejo/forgejo/pulls/1477
(cherry picked from commit c1a136318b
)
Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 1d6e5c8e58
)
2023-09-20 12:50:46 +02:00
Giteabot
64a418dfc7
Fix issue templates when blank isses are disabled ( #27061 ) ( #27082 )
...
Backport #27061 by @JakobDev
Fixes #27060
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit b139234fa8
)
2023-09-20 12:50:46 +02:00