Commit graph

16148 commits

Author SHA1 Message Date
KN4CK3R
44df78edd4
Unify two factor check (#27915) (#27939)
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

(cherry picked from commit 00705da102)
2023-11-14 13:17:12 +01:00
Giteabot
1fd3cc3217
Fix DownloadFunc when migrating releases (#27887) (#27889)
Backport #27887 by @Zettat123

We should not use `asset.ID` in DownloadFunc because DownloadFunc is a
closure.

1bf5527eac/services/migrations/gitea_downloader.go (L284-L295)

A similar bug when migrating from GitHub has been fixed in #14703. This
PR fixes the bug when migrating from Gitea and GitLab.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 4a48370d91)
2023-11-14 13:17:12 +01:00
Lunny Xiao
f2c3491b61
Fix http protocol auth (#27875) (#27878)
backport #27875

(cherry picked from commit 1dedf9bba0)
2023-11-14 13:17:12 +01:00
Giteabot
713652e3d8
Fix package webhook (#27839) (#27854)
Backport #27839 by @lunny

Fix #23742

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 2147bfde05)
2023-11-14 13:17:12 +01:00
Lunny Xiao
b4fb797b32
Revert "fix orphan check for deleted branch (#27310) (#27320)" (#27763)
Because branch table is created until 1.21
Fix #27508

(cherry picked from commit a1c232cae3)
2023-11-14 13:17:12 +01:00
Giteabot
2a5d5da930
Fix label render containing invalid HTML (#27752) (#27761)
Backport #27752 by @earl-warren

- The label HTML contained a quote that wasn't being closed.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1651

(cherry picked from commit e2bc2c9a1f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 63512cd15d)
2023-11-14 13:17:12 +01:00
Giteabot
64373004b5
Fix org team endpoint (#27721) (#27729)
Backport #27721 by @lng2020

Fix #27711

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 71803d33e3)
2023-11-14 13:17:11 +01:00
Giteabot
2a321fcfda
Adapt .changelog.yml to new labeling system (#27701) (#27708)
Backport #27701 by @delvh

Otherwise, it is not possible anymore to generate changelogs.

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit a954cc3fb9)
2023-11-14 13:17:11 +01:00
Giteabot
d6798ae015
Support allowed hosts for webhook to work with proxy (#27655) (#27674)
Backport #27655 by @wolfogre

When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.

But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.

This PR fixes it by:

- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit ca4418eff1)
2023-11-14 13:17:11 +01:00
Giteabot
cf1174acbf
Fix poster is not loaded in get default merge message (#27657) (#27665)
Backport #27657 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 80c0c88152)
2023-11-14 13:17:11 +01:00
Giteabot
62c33f92a9
Fix 404 when deleting Docker package with an internal version (#27615) (#27629)
Backport #27615 by @lng2020

close #27601
The Docker registry has an internal version, which leads to 404

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 171950a0d4)
2023-11-14 13:17:11 +01:00
Giteabot
f142ae18c0
Fix attachment download bug (#27486) (#27570)
Backport #27486 by @lunny

Fix #27204

This PR allows `/<username>/<reponame>/attachments/<uuid>` access with
personal access token and also changed attachments API download url to
it so it can be download correctly.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 7b96f71bc7)
2023-11-14 13:17:11 +01:00
yp05327
2e50870688
Avoid run change title process when the title is same (#27467) (#27557)
Backport #27467 manually.

(cherry picked from commit e6d1afaee3)
2023-11-14 13:17:11 +01:00
silverwind
2716e2f626
Fix mermaid flowchart margin issue (#27503) (#27517)
Backport https://github.com/go-gitea/gitea/pull/27503 to 1.20

Fixes: https://github.com/go-gitea/gitea/issues/27435
Related: https://github.com/mermaid-js/mermaid/issues/4907

<img width="924" alt="image"

src="https://github.com/go-gitea/gitea/assets/115237/494a1d2e-4c56-48d0-9843-82a5e5aa977e">

(cherry picked from commit 1d4c193df5)
2023-11-14 13:17:11 +01:00
Giteabot
e0fe8a8ab4
Fix panic in storageHandler (#27446) (#27478)
Backport #27446 by @sryze

storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServerHTTP()`).

Example CURL command to trigger the panic:

```
curl -I "http://yourhost/gitea//avatars/a"
```

Fixes #27409

---

Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.

Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)

Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
(cherry picked from commit 4ffa683820)
2023-11-14 13:17:11 +01:00
Giteabot
c50af699ea
When comparing with an non-exist repository, return 404 but 500 (#27437) (#27441)
Backport #27437 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 973b7f6298)
2023-11-14 13:17:11 +01:00
Lunny Xiao
915c60f8c1
Add 1.20.5 changelog (#27404)
(cherry picked from commit 4126aad4aa)
2023-11-14 13:17:11 +01:00
Earl Warren
a1e6944bd7
Revert "[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP"
This reverts commit 9413fd0274.
2023-11-14 13:17:11 +01:00
Earl Warren
d7e67cf616
[SEMVER] 5.0.6+0-gitea-1.20.5 2023-11-14 13:17:11 +01:00
Earl Warren
ee48c0d5ea
[CI] Forgejo Actions based CI for PR & branches (squash) use node:20-bookworm
No longer use the custom test-env image, it is unecessary technical
debt.

Also upgrade to bitnami/minio:2023.8.31 to align with what Gitea tests

(cherry picked from commit d9b77fd273)

Conflicts:
	.forgejo/workflows/testing.yml
	* mysql was mysql-8 in v1.21 and below
	* No MINIO testing
	* go 1.20 instead of go 1.21
2023-10-20 17:30:34 +02:00
Loïc Dachary
e58e7bf088
[GITEA] rework long-term authentication (squash) add migration
Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
2023-10-05 12:35:59 +02:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Earl Warren
3759c1a7c1
[SEMVER] 5.0.5+0-gitea-1.20.5 2023-10-03 14:49:26 +02:00
Lunny Xiao
4b23f11864
Fix bug of review request number (#27406)
Manually backport #27104 without tests because too many conflicted files
to backport it completely.

(cherry picked from commit 5c96a2be87)
2023-10-03 14:48:40 +02:00
Giteabot
4c21b82e18
Fix git 2.11 error when checking IsEmpty (#27393) (#27396)
Backport #27393 by @wxiaoguang

Fix #27389

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit acedf0f702)
2023-10-03 14:48:40 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Giteabot
5e2d16de0e
Add logs for data broken of comment review (#27326) (#27344)
Backport #27326 by @lunny

Fix #27306

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit b6b71c78c4)
2023-10-03 14:48:40 +02:00
Giteabot
101cfc1f82
fix orphan check for deleted branch (#27310) (#27320)
Backport #27310 by @earl-warren

- Modify the deleted branch orphan check to check for the new table
instead.
- Regression from 6e19484f4d
- Resolves https://codeberg.org/forgejo/forgejo/issues/1522

(cherry picked from commit c1d888686f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 2138661dae)
2023-10-03 14:48:40 +02:00
Giteabot
fa5c61cab7
Fix PushEvent NullPointerException jenkinsci/github-plugin (#27203) (#27249)
Backport #27203 by @Nabapadma-sarker

Fixes #27202

Co-authored-by: Nabapadma-sarker <nabapadmacse1991@gmail.com>
(cherry picked from commit 4b37eb2c23)
2023-10-03 14:48:40 +02:00
Giteabot
ab9b1b850b
Fix z-index on markdown completion (#27237) (#27238)
Backport #27237 by @silverwind

Fixes: https://github.com/go-gitea/gitea/issues/27230

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit dd44c2164e)
2023-10-03 14:48:18 +02:00
Giteabot
c590235171
Update database-preparation and add note re: MariaDB (#27232) (#27235)
Backport #27232 by @techknowlogick

update DB docs per feedback.
https://gitea.com/gitea/gitea-docusaurus/issues/69

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
(cherry picked from commit 2604571993)
2023-10-03 14:48:18 +02:00
KN4CK3R
13423d6eda
Quote table release in sql queries (#27205) (#27219)
Backport of #27205

Fixes #27174

`release` is a reserved keyword in MySql. I can't reproduce the issue on
my setup and we have a test for that code but it seems there can be
setups where it fails.

(cherry picked from commit eae6985b63)
2023-10-03 14:48:18 +02:00
Giteabot
1b1f878204
Fix release URL in webhooks (#27182) (#27184)
Backport #27182 by @jolheiser

Resolves #27180

`URL` points to the API URL, `HTMLURL` points to the web page.

Notably, however, for PRs they are the same URL. I switched them to use
HTMLURL to match the rest of the codebase terminology.

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
(cherry picked from commit d8583edfe7)
2023-10-03 14:48:18 +02:00
Giteabot
f8bf284794
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27162)
Backport #27150 by @memphis88

Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.

This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).

Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
(cherry picked from commit fbe1f35112)
2023-10-03 14:48:08 +02:00
Giteabot
dc6020645b
Fix successful return value for SyncAndGetUserSpecificDiff (#27152) (#27156)
Backport #27152 by @delvh

A function should not return an error when it is successful.
Otherwise, things like
https://discord.com/channels/322538954119184384/322538954119184384/1153705341620600833
happen…

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 25233a9bdc)
2023-10-03 14:48:08 +02:00
Earl Warren
99a93025d2
[SEMVER] 5.0.4+0-gitea-1.20.4 2023-09-20 12:51:52 +02:00
Giteabot
0d86ea0c43
Improve actions docs related to pull_request event (#27126) (#27145)
Backport #27126 by @Zettat123

Related to #27039

The `ref` property in Gitea Actions is different from GitHub Actions.
This PR improves the documentation to explain the difference.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 7a99c7b83c)
2023-09-20 12:50:46 +02:00
Giteabot
c041114a20
fix pagination for followers and following (#27127) (#27138)
Backport #27127 by @earl-warren

- Use the correct total amount for pagination. Thereby correctly show
the pagination bare when there's more than one page of
followers/followings.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1477

(cherry picked from commit c1a136318b)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 1d6e5c8e58)
2023-09-20 12:50:46 +02:00
Giteabot
f54189092f
services/wiki: Close() after error handling (#27129) (#27137)
Backport #27129 by @earl-warren

Refs: https://codeberg.org/forgejo/forgejo/pulls/1385

Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>
(cherry picked from commit 589e7d346f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Lars Lehtonen <lars.lehtonen@gmail.com>
(cherry picked from commit 882e465c3a)
2023-09-20 12:50:46 +02:00
Giteabot
64a418dfc7
Fix issue templates when blank isses are disabled (#27061) (#27082)
Backport #27061 by @JakobDev

Fixes #27060

Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit b139234fa8)
2023-09-20 12:50:46 +02:00
sebastian-sauer
3ea5384241
Load reviewer before sending notification (#27063) (#27064)
Fixes #27035

(cherry picked from commit d8b39324d7)
2023-09-20 12:50:46 +02:00
Lunny Xiao
745b45406d
Fix context cache bug & enable context cache for dashabord commits' authors(#26991) (#27017)
backport #26991

Unfortunately, when a system setting hasn't been stored in the database,
it cannot be cached.
Meanwhile, this PR also uses context cache for push email avatar display
which should avoid to read user table via email address again and again.

According to my local test, this should reduce dashboard elapsed time
from 150ms -> 80ms .

(cherry picked from commit 9df573bddc)
2023-09-20 12:50:46 +02:00
wxiaoguang
8f6d442a04
Use secure cookie for HTTPS sites (#26999) (#27013)
Backport #26999

If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's
default value should be true.

And, if a user visits an "http" site with "https" AppURL, they won't be
able to login, and they should have been warned. The only problem is
that the "language" can't be set either in such case, while I think it
is not a serious problem, and it could be fixed easily if needed.

(cherry picked from commit b0a405c5fa)
2023-09-20 12:50:46 +02:00
Infinoid
2e9fa11bb3
Correct the database.LOG_SQL default value in config cheat sheet (#26997) (#27002)
This is a manual backport of #26997 to v1.20.

(cherry picked from commit 3c53740244)
2023-09-20 12:50:46 +02:00
Giteabot
957a64d91a
Fix INI parsing for value with trailing slash (#26995) (#27001)
Backport #26995 by @wxiaoguang

Fix #26977 (a temp fix)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit da7d7e60d8)
2023-09-20 12:50:46 +02:00
Lunny Xiao
56a17f3565
Fix changelog typo (#26973)
(cherry picked from commit e502be46f3)
2023-09-20 12:50:46 +02:00
Gusted
4b9a473e12
[GITEA] Use restricted sanitizer for repository description
- Backport of https://codeberg.org/forgejo/forgejo/pulls/1433
  - Currently the repository description uses the same sanitizer as a
normal markdown document. This means that element such as heading and
images are allowed and can be abused.
  - Create a minimal restricted sanitizer for the repository description,
which only allows what the postprocessor currently allows, which are
links and emojis.
  - Added unit testing.
  - Resolves https://codeberg.org/forgejo/forgejo/issues/1202
  - Resolves https://codeberg.org/Codeberg/Community/issues/1122

(cherry picked from commit a8afa4cd18)
2023-09-13 17:17:37 +02:00
Earl Warren
5aad8a6918
[GITEA] enable system users for comment.LoadPoster
System users (Ghost, ActionsUser, etc) have a negative id and may be
the author of a comment, either because it was created by a now
deleted user or via an action using a transient token.

The GetPossibleUserByID function has special cases related to system
users and will not fail if given a negative id.

Refs: https://codeberg.org/forgejo/forgejo/issues/1425
(cherry picked from commit 97667e06b3)
2023-09-12 11:02:07 +02:00
Earl Warren
b63df8b5c4
[SEMVER] 5.0.3+0-gitea-1.20.4 2023-09-08 09:36:09 +02:00
techknowlogick
11af4c9aad
1.20.4 changelog (#26966)
(cherry picked from commit 4a886de71e)
2023-09-08 08:10:08 +02:00