Commit graph

20183 commits

Author SHA1 Message Date
Earl Warren 14d079a1eb Merge pull request '[FEAT] Enable INVALIDATE_REFRESH_TOKENS' (#4633) from gusted/sec-oauth into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4633
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 20:45:22 +00:00
Earl Warren 5a922ca983 Merge pull request 'Release note for #4595' (#4634) from beowulf/release-notes/4595.md into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4634
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 18:18:30 +00:00
Gusted ea1a0ebbc3 Merge pull request '[SECURITY] Notify users about account security changes' (#4635) from gusted/sec-notify into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4635
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 17:50:59 +00:00
Beowulf 44156b6006
added release notes for pr 4595
(removed support for the APA citation format)
2024-07-23 18:47:42 +02:00
Gusted 4383da91bd
[SECURITY] Notify users about account security changes
- Currently if the password, primary mail, TOTP or security keys are
changed, no notification is made of that and makes compromising an
account a bit easier as it's essentially undetectable until the original
person tries to log in. Although other changes should be made as
well (re-authing before allowing a password change), this should go a
long way of improving the account security in Forgejo.
- Adds a mail notification for password and primary mail changes. For
the primary mail change, a mail notification is sent to the old primary
mail.
- Add a mail notification when TOTP or a security keys is removed, if no
other 2FA method is configured the mail will also contain that 2FA is
no longer needed to log into their account.
- `MakeEmailAddressPrimary` is refactored to the user service package,
as it now involves calling the mailer service.
- Unit tests added.
- Integration tests added.
2024-07-23 18:31:47 +02:00
Earl Warren ded237ee77 Merge pull request '[gitea] week 2024-30 cherry pick (gitea/main -> forgejo)' (#4607) from algernon/wcp/2024-30 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4607
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 16:01:28 +00:00
banaanihillo 522e652e8d [accessibility] Add keyboard support for test actions (#4490)
- Existing gear icon keyup handler fixed:
moved the handler onto its descendant button,
to prevent it from incorrectly firing on the check-box elements
- Check-box elements: keyup elements for space and enter added,
as well as tabindex elements to make them able to gain focus

<!--
Before submitting a PR, please read the contributing guidelines:
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING.md
-->

To test the check boxes:
- Set up an action, and visit the action's job page
- Navigate onto the job container (via Tab et al.)
- Use the gear icon with Space or Enter
- Tick the check-box items with Space or Enter

To test the elements beside the chevron icons:
- Navigate onto the element via Tab et al.
- Open/close them via Space or Enter

I have not had a chance to test the latter fix (https://codeberg.org/forgejo/forgejo/issues/4476#issuecomment-2092312) myself yet; feel free to reject this one in case the latter fix does not work as it should, and I will break this up into two separate pull requests.

<!--start release-notes-assistant-->

## Draft release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4490)</a>: <!--number 4490 --><!--line 0 --><!--description W2FjY2Vzc2liaWxpdHldIEFkZCBrZXlib2FyZCBzdXBwb3J0IGZvciB0ZXN0IGFjdGlvbnM=-->[accessibility] Add keyboard support for test actions<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4490
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: banaanihillo <banaanihillo@noreply.codeberg.org>
Co-committed-by: banaanihillo <banaanihillo@noreply.codeberg.org>
2024-07-23 15:37:19 +00:00
Earl Warren dd9abfcc09 Merge pull request 'fix(release-notes-assistant): upgrade to always insert a newline' (#4646) from twenty-panda/forgejo:wip-rna into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4646
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 13:20:18 +00:00
Gusted 3ba64bd038 Merge pull request 'Reserve the devtest username' (#4638) from ikuyo/forgejo:reserve-devtest into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4638
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-07-23 12:59:16 +00:00
Twenty Panda 80a1461e7d fix(release-notes-assistant): upgrade to always insert a newline
* if <!-- is inserted just after a <!-- --> it will not render
  well, it needs to be separated by a newline
* do not use ? in sed -E, it is not the same as with JavaScript
2024-07-23 13:53:46 +02:00
Earl Warren 1fa7d1cbcf Merge pull request 'fix(release-notes-assistant): be more conservative when cleaning up' (#4644) from twenty-panda/forgejo:wip-rna into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4644
2024-07-23 09:42:20 +00:00
Twenty Panda 043214d751 fix(release-notes-assistant): be more conservative when cleaning up
Do not replace http*: it breaks URLs.
2024-07-23 11:37:40 +02:00
Earl Warren 6e86f4056e Merge pull request 'fix(ci): use a PAT for release-notes-assistant' (#4643) from earl-warren/forgejo:wip-rna-preview into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4643
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-07-23 08:20:01 +00:00
Earl Warren 9bbe00c84b
fix(ci): use a PAT for release-notes-assistant
GITHUB_TOKEN does not have permission to write the repository and is
not allowed to edit or comment on pull requests because of that. A PAT
from a regular user who does **not** have permission to write to the
repository either but who is in a the contributors team will have
permissions to do that because there is a "write pull request"
permission given to the team.
2024-07-23 10:02:00 +02:00
Earl Warren 2c2f2ffee2 Merge pull request 'update the PR description with the release notes draft' (#4612) from wip-rna-preview into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4612
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-07-23 07:30:59 +00:00
Twenty Panda 5c734d8885
tests: update the PR description with the release notes draft
If the 'worth a release-note' label is set, add a release note entry
to the description of the pull request as a preview.

* use the `release-notes/<pr-number>.md` file if any
* otherwise use the pull request title

Refs: https://code.forgejo.org/forgejo/release-notes-assistant
2024-07-23 09:27:43 +02:00
Earl Warren 03b95d20fa Merge pull request 'feat(ui): sort milestones by name by default instead of the due date' (#4625) from gusted/forgejo-gt-27084 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4625
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 06:08:24 +00:00
Ikuyo 859cc23dc2
Add missing trailing comma 2024-07-23 11:04:57 +05:00
Earl Warren 767f0ed63f Merge pull request '[CHORE] Add playwright eslint plugin' (#4631) from gusted/playwright-eslint into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4631
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-23 06:02:12 +00:00
Earl Warren d58b9b4fe0 Merge pull request 'feat(cli): allow updates to runners' secrets' (#4619) from tseeker/forgejo:20240722-update-secret into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4619
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-07-23 04:59:51 +00:00
0ko e03922a009 Merge pull request '[I18N] Add common section to new translation files' (#4632) from gusted/tr-fix into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4632
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-07-23 04:14:22 +00:00
Ikuyo 90c0e9dace
Add devtest in reserved usernames test 2024-07-23 08:38:55 +05:00
Ikuyo 93d0836241
Reserve devtest username 2024-07-23 08:18:20 +05:00
forgejo-renovate-action 2ad871e653 Merge pull request 'Update dependency @playwright/test to v1.45.3 (forgejo)' (#4637) from renovate/forgejo-playwright-monorepo into forgejo 2024-07-23 00:42:45 +00:00
Renovate Bot 1d5286943f Update dependency @playwright/test to v1.45.3 2024-07-23 00:03:37 +00:00
Gusted 2f98430e6f Merge pull request 'Update dependency webpack to v5.93.0 (forgejo)' (#4484) from renovate/forgejo-webpack-5.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4484
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-07-22 22:41:44 +00:00
Gusted 89b1723d35
[FEAT] Enable INVALIDATE_REFRESH_TOKENS
- It's possible to detect if refresh tokens are used more than once, if
it's used more than it's a indication of a replay attack and it should
invalidate the associated access token. This behavior is controlled by
the `INVALIDATE_REFRESH_TOKENS` setting.
- Altough in a normal scenario where TLS is being used, it should be
very hard to get to situation where replay attacks are being used, but
this is better safe than sorry.
- Enable `INVALIDATE_REFRESH_TOKENS` by default.
2024-07-22 20:45:13 +02:00
Gusted a67e420c38
[I18N] Add common section to new translation files
- Follow up for #4576
- Weblate currently cannot parse ini files if they contain keys that
don't belong to a section.
2024-07-22 20:14:24 +02:00
Gusted 40baa96fc3
[CHORE] Add playwright eslint plugin
- Add https://github.com/playwright-community/eslint-plugin-playwright
as a linter for the playwright tests.
- `no-networkidle` and `no-conditional-in-test` are disabled as fixing
those doesn't seem to really improve testing quality for our use case.
- Some non-recommended linters are enabled to ensure consistency (the
prefer rules).
2024-07-22 20:03:32 +02:00
0ko de24846309 Merge pull request 'Allow .webp attachments by default' (#4605) from 0ko/forgejo:webp into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4605
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-07-22 15:34:32 +00:00
0ko e819c1622e i18n: restore Malayalam and Serbian files, remove ml-IN from the language selector (#4576)
* Closes https://codeberg.org/forgejo/forgejo/issues/4563
* A followup to my 2024-February investigation in the Localization room

* Restore Malayalam and Serbian locales that were deleted in 067b0c2664 and f91092453e. Bulgarian was also deleted, but we already have better Bulgarian translation.
* Remove ml-IN from the language selector. It was not usable for 1.5 years, has ~18% completion and was not maintained in those ~1.5 years. It could also have placeholder bugs due to refactors.

Restoring files gives the translators a base to work with and makes the project advertised on Weblate homepage for logged in users in the Suggestions tab. Unlike Gitea, we store our current translations directly in the repo and not on a separate platform, so it makes sense to add these files back.
Removing selector entry avoids bugs and user confusion. I will make a followup for the documentation.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4576
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-07-22 14:08:15 +00:00
silverwind f37d8fc0ed
Remove unneccessary uses of word-break: break-all (#31637)
Fixes: https://github.com/go-gitea/gitea/issues/31636

1. Issue sidebar topic is disussed in
https://github.com/go-gitea/gitea/issues/31636
2. Org description already has `overflow-wrap: anywhere` to ensure no
overflow.

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 0c1127a2fb4c07576b4a2e4cffbcd2b0c8670a27)
2024-07-22 15:50:57 +02:00
Gergely Nagy 0792f81e04
Add a release note for cherry-picked features
This adds a release note file for features cherry picked during the
2024-30 weekly gitea->forgejo cherry pick.

Thanks @earl-warren for the notes themselves!

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-07-22 15:46:01 +02:00
Rowan Bohde 21fdd28f08
allow synchronizing user status from OAuth2 login providers (#31572)
This leverages the existing `sync_external_users` cron job to
synchronize the `IsActive` flag on users who use an OAuth2 provider set
to synchronize. This synchronization is done by checking for expired
access tokens, and using the stored refresh token to request a new
access token. If the response back from the OAuth2 provider is the
`invalid_grant` error code, the user is marked as inactive. However, the
user is able to reactivate their account by logging in the web browser
through their OAuth2 flow.

Also changed to support this is that a linked `ExternalLoginUser` is
always created upon a login or signup via OAuth2.

Ideally, we would also refresh permissions from the configured OAuth
provider (e.g., admin, restricted and group mappings) to match the
implementation of LDAP. However, the OAuth library used for this `goth`,
doesn't seem to support issuing a session via refresh tokens. The
interface provides a [`RefreshToken`
method](https://github.com/markbates/goth/blob/master/provider.go#L20),
but the returned `oauth.Token` doesn't implement the `goth.Session` we
would need to call `FetchUser`. Due to specific implementations, we
would need to build a compatibility function for every provider, since
they cast to concrete types (e.g.
[Azure](https://github.com/markbates/goth/blob/master/providers/azureadv2/azureadv2.go#L132))

---------

Co-authored-by: Kyle D <kdumontnu@gmail.com>
(cherry picked from commit 416c36f3034e228a27258b5a8a15eec4e5e426ba)

Conflicts:
	- tests/integration/auth_ldap_test.go
	  Trivial conflict resolved by manually applying the change.
	- routers/web/auth/oauth.go
	  Technically not a conflict, but the original PR removed the
	  modules/util import, which in our version, is still in use. Added it
	  back.
2024-07-22 15:44:13 +02:00
6543 004cc6dc0a
Add option to change mail from user display name (#31528)
Make it posible to let mails show e.g.:

`Max Musternam (via gitea.kithara.com) <gitea@kithara.com>`

Docs: https://gitea.com/gitea/docs/pulls/23

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit 0f533241829d0d48aa16a91e7dc0614fe50bc317)

Conflicts:
	- services/mailer/mail_release.go
	  services/mailer/mail_test.go

	  In both cases, applied the changes manually.
2024-07-22 15:44:13 +02:00
Lunny Xiao 54f2dcff9d
Upgrade xorm to v1.3.9 and improve some migrations Sync (#29899)
Co-authored-by: 6543 <6543@obermui.de>
(cherry picked from commit 0d08bb6112884411eb4f58b056278d3c824a8fc0)
2024-07-22 15:44:13 +02:00
6543 d0227c236a
Issue Templates: add option to have dropdown printed list (#31577)
Issue template dropdown can have many entries, and it could be better to
have them rendered as list later on if multi-select is enabled.

so this adds an option to the issue template engine to do so.

DOCS: https://gitea.com/gitea/docs/pulls/19

---

## demo:

```yaml
name: Name
title: Title
about: About
labels: ["label1", "label2"]
ref: Ref
body:
  - type: dropdown
    id: id6
    attributes:
      label: Label of dropdown (list)
      description: Description of dropdown
      multiple: true
      list: true
      options:
        - Option 1 of dropdown
        - Option 2 of dropdown
        - Option 3 of dropdown
        - Option 4 of dropdown
        - Option 5 of dropdown
        - Option 6 of dropdown
        - Option 7 of dropdown
        - Option 8 of dropdown
        - Option 9 of dropdown
```

![image](https://github.com/user-attachments/assets/102ed0f4-89da-420b-ab2a-1788b59676f9)

![image](https://github.com/user-attachments/assets/a2bdb14e-43ff-4cc6-9bbe-20244830453c)

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit 1064e817c4a6fa6eb5170143150505503c4ef6ed)
2024-07-22 15:44:13 +02:00
Gusted b67fa954a6
Make it consistent with the other sorting filters 2024-07-22 15:01:36 +02:00
Bartlomiej Komendarczuk 5e8a830505
[PORT] Added default sorting milestones by name (gitea#27084)
Resolves https://github.com/go-gitea/gitea/issues/26996
Added default sorting for milestones by name.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

---

Conflict resolution: trivial, was due to the improvement made to 'the due
date sorting' strings.

(cherry picked from commit e8d4b7a8b198eca3b0bd117efb422d7d7cac93fe)
2024-07-22 14:55:58 +02:00
Earl Warren d405143919 Merge pull request 'fix(actions): no edited event triggered when a title is changed' (#4618) from twenty-panda/forgejo:wip-notify-title into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4618
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-22 11:45:48 +00:00
Emmanuel BENOÎT 320ab7ed7f
feat(cli): allow updates to runners' secrets
This commit allows the `forgejo-cli actions register` command to change
an existing runner's secret, as discussed in #4610.

It refactors `RegisterRunner` to extract the code that hashes the token,
moving this code to a method called `UpdateSecret` on `ActionRunner`.
A test for the method has been added.

The `RegisterRunner` function is updated so that:
- it relies on `ActionRunner.UpdateSecret` when creating new runners,
- it checks whether an existing runner's secret still matches the one
  passed on the command line,
- it updates the runner's secret if it wasn't created and it no longer
  matches.

A test has been added for the new behaviour.
2024-07-22 11:55:43 +02:00
Twenty Panda f6000c3760 fix(actions): no edited event triggered when a title is changed
When the title of an issue or a pull request is changed, the edited
event must be triggered, in the same way it is when the body of the
description is changed.

The web endpoints and the API endpoints for both pull requests and
issues rely on issue_service.ChangeTitle which calls
notify_service.IssueChangeTitle.
2024-07-22 11:25:20 +02:00
Emmanuel BENOÎT fdb1874ada feat(cli): add --keep-labels flag to forgejo actions register (#4610)
This commit adds a new flag, `--keep-labels`, to the runner registration CLI command. If this flag is present and the runner being registered already exists, it will prevent the runners' labels from being reset.

In order to accomplish this, the signature of the `RegisterRunner` function from the `models/actions` package has been modified so that the labels argument can be nil. If it is, the part of the function that updates the record will not change the runner.

Various tests have been added for this function, for the following cases: new runner with labels, new runner without label, existing runner with labels, existing runner without labels.

The flag has been added to the CLI command, the action function has been updated to read the labels parameters through a separate function (`getLabels`), and test cases for this function have been added.

<!--
Before submitting a PR, please read the contributing guidelines:
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING.md
-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4610
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Emmanuel BENOÎT <tseeker@nocternity.net>
Co-committed-by: Emmanuel BENOÎT <tseeker@nocternity.net>
2024-07-22 07:33:45 +00:00
Earl Warren 8030ebf64c Merge pull request 'Update module xorm.io/xorm to v1.3.9 (forgejo)' (#4608) from renovate/forgejo-xorm.io-xorm-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4608
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-22 06:37:34 +00:00
Earl Warren 7511ae532e docs: add a PR checklist template (#4564)
Manual testing of  this template can be done with the new playground created for that purpose, see https://code.forgejo.org/forgejo/pr-and-issue-templates/pulls/19.

![image](/attachments/1ee36ae1-669f-47d8-8307-9734faa0dc2a)

## Testing instructions

* Fork https://code.forgejo.org/forgejo/pr-and-issue-templates
* Create a pull request against https://code.forgejo.org/forgejo/pr-and-issue-templates
* See that the commit message is on top and the checklist below it

---

Use cases:

* https://codeberg.org/forgejo/forgejo/pulls/4553
* https://codeberg.org/forgejo/forgejo/pulls/4554

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4564
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
Reviewed-by: thefox <thefox@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2024-07-22 05:23:54 +00:00
Earl Warren 5a41d902bd Merge pull request 'Lock file maintenance (forgejo)' (#4616) from renovate/forgejo-lock-file-maintenance into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4616
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-22 04:34:15 +00:00
Earl Warren b9272b2923 Merge pull request 'Update renovate to v37.438.2 (forgejo)' (#4615) from renovate/forgejo-renovate into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4615
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-22 04:33:33 +00:00
Renovate Bot fdf07888c3 Lock file maintenance 2024-07-22 00:07:27 +00:00
Renovate Bot 20de7e5fdf Update renovate to v37.438.2 2024-07-22 00:04:06 +00:00
Renovate Bot 1c63c47f5f Update module xorm.io/xorm to v1.3.9 2024-07-21 16:03:40 +00:00