Commit graph

19015 commits

Author SHA1 Message Date
Renovate Bot
56831d345d Update ghcr.io/visualon/renovate Docker tag to v37.316.2 2024-04-22 12:03:00 +00:00
Earl Warren
27f8f955bf Merge pull request 's/Gitea/Forgejo in various log messages and comments' (#3353) from 0ko/forgejo:forgejo-forgejo-forgejo-forgejo-forgejo-forgejo-forgejo-forgejo-forgejo-forgejo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3353
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-22 07:54:30 +00:00
Earl Warren
f4716de5b6 Merge pull request '[PORT] gitea#30546: Add form field id generation, remove duplicated ids' (#3361) from algernon/forgejo:gitea/port/30546 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3361
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-22 07:43:25 +00:00
silverwind
a01387f5b1
Add form field id generation, remove duplicated ids (#30546)
Fixes: https://github.com/go-gitea/gitea/issues/30384

On repo settings page, there id `repo_name` was used 5 times on the same
page, some in modal and such. I think we are better off just
auto-generating these IDs in the future so that labels link up with
their form element.

Ideally this id generation would be done in backend in a subtemplate,
but seeing that we already have similar JS patches for checkboxes, I
took the easy path for now.

I also checked that these `#repo_name` were not in use in JS and the
only case where this id appears in JS is on the migration page where
it's still there.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit d4ec6b3d16496ce3b479d5a08f79823122dc2b7b)

Conflicts:
	- templates/repo/settings/options.tmpl
	  Conflict resolved by manually removing all `id` and `for`
	  attributes from elements that had `repo_name` as their id.
2024-04-22 08:09:00 +02:00
0ko
438efc9ca2 Merge pull request '[UI] Fix and refactor for milestone headers' (#3340) from 0ko/forgejo:mileston-inconsist into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3340
Reviewed-by: Otto <otto@codeberg.org>
2024-04-21 16:39:38 +00:00
0ko
469c214ec8 s/Gitea/Forgejo in various log messages and comments 2024-04-21 21:26:15 +05:00
Gergely Nagy
81f9c1e7d1
[DEADCODE] update
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-21 16:40:43 +02:00
KN4CK3R
27f459b63b
Fix package list performance (#30520)
Fixes #28255

The new query uses the id field to sort by "newer". This most not be
correct (usually it is) but it's faster (see #28255).
If someone has a better idea, please propose changes.

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit b06aac40e6552b0ce1f7b8a92c977fcc27566f68)
2024-04-21 16:28:16 +02:00
yp05327
829c3c6838
Use action user as the trigger user of schedules (#30581)
Follow https://github.com/go-gitea/gitea/pull/30357

When user push to default branch, the schedule trigger user will be the
user.
When disable then enable action units in settings, the schedule trigger
user will be action user.
When repo is a mirror, the schedule trigger user will be action user. (
before it will return error, fixed by #30357)

As scheduled job is a cron, the trigger user should be action user from
Gitea, not a real user.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit cb6814adad4dc81a683b50826a211ce7bce731d7)

Conflicts:
	- services/actions/notifier_helper.go
	  Conflict resolved by keeping Forgejo's version of the line.
2024-04-21 16:28:16 +02:00
wxiaoguang
27434acef6
Fix commit file status parser (#30602)
Try to fix  #30492

(cherry picked from commit 53cf46cae7475befa2dde554bbd9147e436072b9)
2024-04-21 16:28:16 +02:00
wxiaoguang
3330b4d5d8
Fix HEAD method for robots.txt (#30603)
Fix #30601

(cherry picked from commit f60e1a1af25154160f08b85eb159c930b340df8b)
2024-04-21 16:28:16 +02:00
wxiaoguang
abeea42751
Fix project description rendering for org (#30587)
Fix #30263

![image](https://github.com/go-gitea/gitea/assets/2114189/41cabe6c-f94a-4874-a26f-d01bb89bb28c)

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit eb24d973b036e4dddf505d8c12e905ecb1a688f9)
2024-04-21 16:28:16 +02:00
Jason Song
e7a484e401
Avoid importing modules/web/middleware in modules/session (#30584)
Related to #30375.

It doesn't make sense to import `modules/web/middleware` and
`modules/setting` in `modules/web/session` since the last one is more
low-level.

And it looks like a workaround to call `DeleteLegacySiteCookie` in
`RegenerateSession`, so maybe we could reverse the importing by
registering hook functions.

(cherry picked from commit 61457cdf6b49225ae831fd9fb084deadd8bdb0fb)
2024-04-21 16:28:16 +02:00
silverwind
1e06c1e392
Improve "Reference in new issue" modal (#30547)
Fixes: https://github.com/go-gitea/gitea/issues/29994

Also some misc enhancements done to the form in the modal.

<img width="840" alt="Screenshot 2024-04-17 at 23 02 55"
src="https://github.com/go-gitea/gitea/assets/115237/e71fba55-55cd-4e48-a497-6b1025c36a43">

(cherry picked from commit dd8e6ae270b4b5e91a152a145978029dacb938ff)
2024-04-21 16:28:16 +02:00
silverwind
688cc2320d
Add a few root files to lint-spell (#30530)
Files in root were not linted, add them. No new violations.

(cherry picked from commit 354705450a410329d253023d2c66ef6d68ecc046)

Conflicts:
	- CHANGELOG.md
	  Gitea specific, removed.
	- Makefile
	  Adjusted SPELLCHECK_FILES: we don't need to filter the
          CHANGELOG.md out. The conflict itself was resolved by manually
	  applying the change.
2024-04-21 16:28:16 +02:00
Jerry Jacobs
5271792666
Fixup app.example.ini for task section, which is now queue.task (#30555)
Config section `[task]` has been deprecated in favor of `[queue.task]`

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 86d4c8a4662e9ab49888569d77529d2d22292e6b)

Conflicts:
	- docs/content/administration/config-cheat-sheet.en-us.md
	- docs/content/administration/config-cheat-sheet.zh-cn.md
	  Removed, they're Gitea specific.
2024-04-21 16:28:16 +02:00
silverwind
b8dfea9ae3
Fix border-radius on view, blame and code search (#30545)
Fixes: https://github.com/go-gitea/gitea/issues/30540

1. Fix all these boxes by adding `bottom attached` and removing a
problematic CSS rule:

<img width="1319" alt="Screenshot 2024-04-17 at 22 25 31"
src="https://github.com/go-gitea/gitea/assets/115237/346445a4-4944-4003-a1ef-6f5b0eda624e">
<img width="643" alt="Screenshot 2024-04-17 at 22 21 18"
src="https://github.com/go-gitea/gitea/assets/115237/10f17ed3-9ad6-48de-92fa-bac6621815b9">

2. Change the "last commit" box to `ui segment` which has correct
border-radius. Also included is a tiny tweak to make author name ellipse
instead of wrap.

<img width="1331" alt="Screenshot 2024-04-17 at 22 23 23"
src="https://github.com/go-gitea/gitea/assets/115237/285fbd45-ced0-4d33-abe3-7384ffa03188">

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 31538133c32009532897989ad623067bd224f924)
2024-04-21 16:28:16 +02:00
silverwind
5b08c0a013
Disable enter key for accepting code completion in Monaco (#30548)
Fixes https://github.com/go-gitea/gitea/issues/28114 and behaviour
matches vscode on desktop as well.

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 49b80f8ac1cf9f0b56da0c73d0f34ef030f4c447)
2024-04-21 16:28:16 +02:00
Edward Zhang
b3a6596b54
Fix branch_protection api shows users/teams who has no readAccess (#30291)
Add some logic in `convert.ToBranchProtection` to return only the names
associated with readAccess instead of returning all names. This will
ensure consistency in behavior between the frontend and backend.
Fixes: #27694

---------

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: wenzhuo.zhang <wenzhuo.zhang@geely.com>
Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 02e183bf3fa502b7cef76e8dcdbf01b85ce641f0)
2024-04-21 16:28:16 +02:00
silverwind
3918db10c8
Run go generate and go vet on all packages (#30529)
Fixes: https://github.com/go-gitea/gitea/issues/30512

I think this does mean those tools would run on a potential `vendor`
directory, but I'm not sure we really support vendoring of dependencies
anymore.

`release` has a `vendor` prerequisite so likely the source tarballs
contain vendor files?

(cherry picked from commit 8e12ef911a1d10dedb03e3127c42ca76f9850aca)

Conflicts:
	- Makefile
	  Manually adjusted the changes.
2024-04-21 16:28:16 +02:00
Codeberg Translate
f0f8210279 [I18N] Translations update from Weblate (#3244)
Translations update from [Weblate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Current translation status:

![Weblate translation status](https://translate.codeberg.org/widget/forgejo/forgejo/horizontal-auto.svg)

Co-authored-by: Justman10000 <Justman10000@users.noreply.translate.codeberg.org>
Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: Dirk <Dirk@users.noreply.translate.codeberg.org>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Co-authored-by: emansije <emansije@users.noreply.translate.codeberg.org>
Co-authored-by: Kita Ikuyo <searinminecraft@courvix.com>
Co-authored-by: Salif Mehmed <mail@salif.eu>
Co-authored-by: fnetX <otto@codeberg.org>
Co-authored-by: EssGeeEich <EssGeeEich@users.noreply.translate.codeberg.org>
Co-authored-by: Zughy <Zughy@users.noreply.translate.codeberg.org>
Co-authored-by: Xinayder <Xinayder@users.noreply.translate.codeberg.org>
Co-authored-by: m0s <m0s@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3244
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
2024-04-21 14:02:21 +00:00
silverwind
eea7ea9d0a
Fix and tweak pull request commit list (#30528)
Fixes https://github.com/go-gitea/gitea/issues/30493, regression from
https://github.com/go-gitea/gitea/pull/30374.

Also did the flexbox convertion as suggested by the existing comment.

<img width="850" alt="Screenshot 2024-04-16 at 22 28 48"
src="https://github.com/go-gitea/gitea/assets/115237/e8905944-620a-4211-b5c5-53ed3b3ee23e">

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 311f5261cdb23b46d3f510e40fd4e2ac06e376c0)
2024-04-21 12:10:57 +02:00
silverwind
36bddba74a
Fix install page checkboxes and dropdown width (#30526)
Fixes: https://github.com/go-gitea/gitea/issues/30523

1. Fix checkbox rendering
2. Fix width of selection dropdowns (was too small)

---------

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 4f276a336355c4bf999034fb79f0fe5c967ceb50)
2024-04-21 12:07:51 +02:00
Lunny Xiao
77c4a5e95b
Reduce unnecessary database queries on actions table (#30509)
(cherry picked from commit 6f7d70fb3d2624507c3ccd5640f6d1837259c27d)
2024-04-21 12:07:30 +02:00
silverwind
cfb8617fc8
Tweak and fix toggle checkboxes (#30527)
Fixes: https://github.com/go-gitea/gitea/issues/30524. Slightly restyled
them so that the "knob" is contained inside the background.

<img width="179" alt="Screenshot 2024-04-16 at 21 58 09"
src="https://github.com/go-gitea/gitea/assets/115237/be94517b-9cb7-46e2-ae96-fcf6767ce4ba">
<img width="187" alt="Screenshot 2024-04-16 at 21 58 50"
src="https://github.com/go-gitea/gitea/assets/115237/c13a1959-5c5a-4e88-9225-e5f6fb72e3e0">

(cherry picked from commit 5ccd042f7080e1f4ef4b96591e1b1002a4826115)
2024-04-21 12:06:42 +02:00
Tobias Balle-Petersen
23f032eaa5
Update API to return 'source_id' for users (#29718)
Using the API, a user's _source_id_ can be set in the _CreateUserOption_
model, but the field is not returned in the _User_ model.

This PR updates the _User_ model to include the field _source_id_ (The
ID of the Authentication Source).

(cherry picked from commit 58b204b813cd3a97db904d889d552e64a7e398ff)
2024-04-21 12:04:18 +02:00
yp05327
3662829cc9
Fix empty field login_name in API response JSON when creating user (#30511)
Fix #30508

ps: if `sourceID` is not set, `LoginName` will be ignored
(cherry picked from commit cf9061f44a439aa7775e301a7467dbda22a06eaa)
2024-04-21 11:59:16 +02:00
Bo-Yi Wu
e025ec0131
feat(api): implement branch/commit comparison API (#30349)
- Add new `Compare` struct to represent comparison between two commits
- Introduce new API endpoint `/compare/*` to get commit comparison
information
- Create new file `repo_compare.go` with the `Compare` struct definition
- Add new file `compare.go` in `routers/api/v1/repo` to handle
comparison logic
- Add new file `compare.go` in `routers/common` to define `CompareInfo`
struct
- Refactor `ParseCompareInfo` function to use `common.CompareInfo`
struct
- Update Swagger documentation to include the new API endpoint for
commit comparison
- Remove duplicate `CompareInfo` struct from
`routers/web/repo/compare.go`
- Adjust base path in Swagger template to be relative (`/api/v1`)

GitHub API
https://docs.github.com/en/rest/commits/commits?apiVersion=2022-11-28#compare-two-commits

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit c70e442ce4b99e2a1f1bf216afcfa1ad78d1925a)

Conflicts:
	- routers/api/v1/swagger/repo.go
	  Conflict resolved by manually adding the lines from the Gitea
	  PR.
2024-04-21 11:58:18 +02:00
silverwind
ac0a20365b
Fix various overflows on actions view (#30344)
Fix a number of text overflow issues in actions view and run list. Also
improve mobile view of run list.

Fixes: https://github.com/go-gitea/gitea/issues/30328

<img width="782" alt="Screenshot 2024-04-08 at 23 10 16"
src="https://github.com/go-gitea/gitea/assets/115237/3d9f9f88-3eab-44a0-8144-30c2b58b24cb">
<img width="935" alt="Screenshot 2024-04-08 at 23 17 46"
src="https://github.com/go-gitea/gitea/assets/115237/581d73ea-a31d-416b-be3a-47313b879b12">
<img width="1008" alt="Screenshot 2024-04-08 at 23 49 05"
src="https://github.com/go-gitea/gitea/assets/115237/c5d10565-f285-477f-8659-1caf94797647">
<img width="397" alt="Screenshot 2024-04-08 at 23 55 30"
src="https://github.com/go-gitea/gitea/assets/115237/368aaa75-1903-4058-9d75-d1fe91c564d6">

(cherry picked from commit b9f69b4a4d1d6b5b1f94852f6dfcae41b30658ff)
2024-04-21 11:53:50 +02:00
yp05327
b691a3e6b8
Convert max file name length to 255 (#30489)
Quick/Partly fix #29907

In Linux and MacOS, by default the max file name length is 255.
In windows, it depends on the version and settings, and has no file name
length limitation, but has path length limitation.
By default it is 260, considering path length is longer than filename,
so I think it is ok to do this.

For Windows, see
https://learn.microsoft.com/windows/win32/fileio/maximum-file-path-limitation?tabs=registry
For Linux, see
https://github.com/torvalds/linux/blob/master/include/uapi/linux/limits.h#L12-L13
For MacOS, see
https://discussions.apple.com/thread/254788848?sortBy=best

(cherry picked from commit 2c80421243ed1fd6f53c3e1a84c06648524f7c66)
2024-04-21 11:53:41 +02:00
silverwind
579ca341b4
Fix overflow on issue dependency (#30484)
Small tweak here to prevent this and likely other events from
overflowing in the timeline:

<img width="895" alt="Screenshot 2024-04-14 at 22 53 17"
src="https://github.com/go-gitea/gitea/assets/115237/001b4f6b-f649-44ff-b2f0-c8e0dedeb384">

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 1508a85f6235814271ea927d651bcbcd8c9f5f18)
2024-04-21 11:39:14 +02:00
silverwind
d99d2e3ef4
Kill all gitea processes before air build (#30477)
So it happened to me multiple times that air leaves zombie processes
after termination. I think ultimately it's some kind of bug in air, but
we can work around.

The change in the delay is unrelated to the zombie processes but seems
to help a bit with duplicate changes resulting in duplicate `make
generate` as seen here:

<img width="424" alt="Screenshot 2024-04-14 at 17 05 47"
src="https://github.com/go-gitea/gitea/assets/115237/6dd1d787-6be3-4fb2-8b0b-cd711c281793">

---------

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 994920c677b04a720726d982e4d6212664b82a43)
2024-04-21 11:38:58 +02:00
GiteaBot
8dfbfd8e7d
[skip ci] Updated licenses and gitignores
(cherry picked from commit 708e87e17df2b6a03eca3cac026a51beed296b5b)
2024-04-21 11:38:04 +02:00
silverwind
ff306281b9
Revert 100% label max-width (#30481)
Partial revert of https://github.com/go-gitea/gitea/pull/30479

It's causing problems at least here:
https://github.com/go-gitea/gitea/pull/30344#discussion_r1564895591

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit ef3941f2ebe9d8353f9546e7df00b24092c71cb7)
2024-04-21 11:37:55 +02:00
wxiaoguang
9f8ebe489f
Improve flex ellipsis (#30479)
![image](https://github.com/go-gitea/gitea/assets/2114189/857794d8-2170-42be-a5bf-47ebacbafebd)

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit b84baf21fa19521e1ab303a60918c74f85fcad1c)

Conflicts:
	- web_src/css/base.css
	  Trivial commit resolved by removing the conflicting part.
	  (it conflicted because we did not pick a previous PR)
2024-04-21 11:35:31 +02:00
wxiaoguang
b122c6ef8b
Improve "must-change-password" logic and document (#30472)
Unify the behaviors of "user create" and "user change-password".

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 4c6e2da088cf092a9790df5c84b7b338508fede7)

Conflicts:
	- cmd/admin_user_create.go
          Resolved by favoring Gitea's version of the conflicting areas.
	- docs/content/administration/command-line.en-us.md
          Removed, Gitea specific.
2024-04-21 11:29:08 +02:00
silverwind
d8258482e2
Use flex-container for dashboard layout (#30214)
Added new class `flex-container-sidebar` to cover the dashboard sidebar.
Previously this was 37.5% with more padding. Now there is less empty
space between the two columns and this matches other pages like repo or
admin settings page.

Desktop:

<img width="1345" alt="Screenshot 2024-03-31 at 15 11 36"
src="https://github.com/go-gitea/gitea/assets/115237/717389d9-d42c-466e-a8fe-e968f79447fd">

Mobile:
<img width="444" alt="Screenshot 2024-03-31 at 15 11 44"
src="https://github.com/go-gitea/gitea/assets/115237/7faa840b-513a-411b-bf2d-26d52b9b71a0">

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 044cc169e75dccbf1d846f8774ef2feccd0da1fd)
2024-04-21 11:12:00 +02:00
silverwind
3e53c51903
Pulse page improvements (#30149)
1. add border-radius and spacing to bars
2. use tailwind background classes
3. Add more space around activity list headers

<img width="983" alt="Screenshot 2024-03-27 at 23 40 54"
src="https://github.com/go-gitea/gitea/assets/115237/70f72c30-e69f-4ecb-882f-32b8bc94d638">
<img width="1020" alt="Screenshot 2024-03-27 at 23 41 02"
src="https://github.com/go-gitea/gitea/assets/115237/a35dbbda-515c-40b0-938a-d759f9686b8e">

(cherry picked from commit 6999a88fd9bef6baa0a8cc5f63e419079611fc9b)
2024-04-21 11:08:33 +02:00
Earl Warren
bb11bf8748 Merge pull request 'cleanup(tests): remove manual testing submodule' (#3347) from earl-warren/forgejo:wip-manual-testing into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3347
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-04-21 08:46:02 +00:00
Earl Warren
69c614162f
cleanup(tests): remove manual testing submodule
It is not effective, a different approach is needed
2024-04-21 10:13:51 +02:00
Earl Warren
d029796e1e Merge pull request 'Fix some edge cases with permalink rendering' (#3286) from Mai-Lapyst/forgejo:fix-permalink-rendering-edgecases into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3286
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-20 10:24:05 +00:00
0ko
38f2aa871e [UI] Refactor display of milestone issue list header 2024-04-20 14:11:38 +05:00
0ko
592367c43a [UI] Fix milestone header inconsistencies with issues/PRs 2024-04-20 14:06:26 +05:00
Earl Warren
41e0507cd3 Merge pull request 'hooks: Harden when we accept push options that change repo settings' (#3314) from earl-warren/forgejo:wip-push-options into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3314
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
2024-04-20 05:57:35 +00:00
0ko
8947948a0a Merge pull request 'Various improvements to pages: notifications and subscriptions' (#3175) from 0ko/forgejo:meet-your-subscribtions into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3175
Reviewed-by: Otto <otto@codeberg.org>
2024-04-20 05:27:15 +00:00
Mai-Lapyst
ee2f71f71b
Adds support for log-line groups
Supports special rendering of `##[group]` and `##[endgroup]`.
2024-04-20 07:02:58 +02:00
Renovate Bot
ba0f05b286 Update dependency mini-css-extract-plugin to v2.9.0 2024-04-20 00:03:42 +00:00
Mai-Lapyst
acfae43253
Fix panic where now a third link breaks everything 2024-04-19 23:54:46 +02:00
Mai-Lapyst
e9eacdecd2
Fix issue where rendering stops after the first invalid parmalink 2024-04-19 18:21:21 +02:00
Gergely Nagy
8eba631f8d
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-19 16:53:14 +02:00