Commit graph

927 commits

Author SHA1 Message Date
Gusted 5a871f6095
[SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that uses that JWT token.
- Integration test added.
- Resolves #5128
2024-08-28 10:33:32 +02:00
Earl Warren 9addaedaf3 Merge pull request '[gitea] week 2024-35 cherry pick (gitea/main -> forgejo)' (#5109) from algernon/wcp/2024-35 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5109
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-27 06:09:19 +00:00
Otto bf65f1e510 Merge pull request 'feat: Trivial default quota configuration' (#5125) from algernon/forgejo:falling-in-reverse into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5125
Reviewed-by: Otto <otto@codeberg.org>
2024-08-27 01:22:41 +00:00
Otto c856f77622 Merge pull request 'Update links affected by the renaming of 'developer' documentation sub-path into 'contributor'' (#5129) from floss4good/forgejo__forgejo:contrib-doc into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5129
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-26 18:50:40 +00:00
Otto e5ea08b38b Merge pull request 'feat: Improve diffs generated by Forgejo' (#5110) from fnetx/better-diffs into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5110
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-26 18:47:21 +00:00
Gusted d623126103 Merge pull request '[PORT] Refactor the usage of batch catfile (gitea#31754)' (#5122) from gusted/forgejo-port-gt-31754 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5122
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 16:04:47 +00:00
floss4good 5879cdc6fa
Update the translator contributing guide from user language settings. 2024-08-26 17:43:35 +03:00
Otto Richter d97e36f6d7 Playwright testing for commit diffs
includes:

- easier repo declaration for playwright tests by @Gusted
- full backend build for pushing Git repos by @Gusted
- playwright testing (which fails with the current diff algorithm, but
  passes with the new)
- disable eslint rule for conditional expect, because it defeats the
  purpose (working around it would result in much more complex test code
  in our cases)
2024-08-26 13:57:42 +02:00
Gergely Nagy 3b70949651
feat: Trivial default quota configuration
This adds a new configuration setting: `[quota.default].TOTAL`, which
will be used if no groups are configured for a particular user. The new
option makes it possible to entirely skip configuring quotas via the API
if all that one wants is a total size.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-26 13:25:34 +02:00
Earl Warren 190b5a3859 Merge pull request '[FIX] Don't allow SSH authentication without ssh executable' (#5123) from gusted/forgejo-prevent-no-ssh into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5123
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 08:03:52 +00:00
Earl Warren e2ae389184 Merge pull request '[CHORE] Move to new sessioner library' (#5090) from gusted/forgejo-sessioner-fork into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5090
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 07:31:56 +00:00
Gusted 1a68d14cf8
[FIX] Don't allow SSH authentication without ssh executable
- Follow up of #4819
- When no `ssh` executable is present, disable the UI and backend bits
that allow the creation of push mirrors that use SSH authentication. As
this feature requires the usage of the `ssh` binary.
- Integration test added.
2024-08-26 08:58:35 +02:00
Gusted b44dcf553c
[TESTS] Fix usage of LoadRepoCommit
It loads the Commit with a temporary open GitRepo. This is incorrect,
the GitRepo should be open as long as the Commit can be used. This
mainly removes the usage of this function as it's not needed.
2024-08-26 08:03:48 +02:00
Otto 32735b1e61 Merge pull request '[TESTS] Move CreateDeclarativeRepo to more accessible location' (#5108) from gusted/forgejo-chore-declerative-repo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5108
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-25 11:15:22 +00:00
Gergely Nagy 0aa3e6e4e4
tests: Use require.NoError in tests picked from Gitea
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-25 13:02:19 +02:00
Lunny Xiao dda53569b1
Fix agit automerge (#31207)
(cherry picked from commit 8b92eba21f5c5cca277b8101ada0ea7a1fb32ae0)
2024-08-25 10:47:37 +02:00
Lunny Xiao bdf477f6ef
Fix actions notify bug (#31866)
Try to fix
https://github.com/go-gitea/gitea/issues/31757#issuecomment-2295131062

(cherry picked from commit 4f5c96627b4622d64593db2d436b1f3befa5f3c3)
2024-08-25 10:41:24 +02:00
Gusted fc40a5e242
[CHORE] Move to new sessioner library
- Moves to a fork of gitea.com/go-chi/session that removed support for
couchbase (and ledis, but that was never made available in Forgejo)
along with other code improvements.
f8ce677595..main
- The rationale for removing Couchbase is quite simple. Its not licensed
under FOSS
license (https://www.couchbase.com/blog/couchbase-adopts-bsl-license/)
and therefore cannot be tested by Forgejo and shouldn't be supported.
This is a similair vein to the removal of MSSQL
support (https://codeberg.org/forgejo/discussions/issues/122)
- A additional benefit is that this reduces the Forgejo binary by ~600Kb.
2024-08-25 03:47:08 +02:00
Gusted f78e397dd6
[TESTS] Move CreateDeclarativeRepo to more accessible location
- This allows `CreateDeclarativeRepo` to be used by other testing
packages such as E2EE testing.
- Removes unused function in `services/webhook/sourcehut/builds_test.go`.
2024-08-25 02:54:43 +02:00
Gusted 4f54918381 Merge pull request 'fix(ui): prevent exceptions on other users' repo migration pages' (#4875) from solomonv/forgejo:fix-migration-guest-exception into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4875
Reviewed-by: Caesar Schinas <caesar@caesarschinas.com>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-24 23:49:20 +00:00
Gusted 5dbacb70f4 Merge pull request 'Allow pushmirror to use publickey authentication' (#4819) from ironmagma/forgejo:publickey-auth-push-mirror into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4819
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-24 16:53:56 +00:00
Otto Richter 00276dfc30 feat(i18n): Branch protection improvements
- adds a header to indicate creating a new rule
  - test that header is different between new and edit form
- consistently avoids colons in the form
- excludes some accessibility checks that require a global solution for
  forms
2024-08-22 22:05:12 +02:00
Earl Warren 3bbd129270 Merge pull request 'Reintroduce tests of updated pull request icons' (#4598) from bramh/forgejo:update-pr-icons into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4598
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-22 16:54:28 +00:00
Bram Hagens 7f62acb4d9 ui: fix go to citation button url (#4597)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4597
Reviewed-by: Ghost <twenty-panda@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Bram Hagens <bram@bramh.me>
Co-committed-by: Bram Hagens <bram@bramh.me>
2024-08-22 15:36:12 +00:00
Bram Hagens d39c8fec8c
ui: update pull request icons
Added a new icon for closed PRs (similar to GitHub, GitLab, etc),
Fixes https://codeberg.org/forgejo/forgejo/issues/4454.

Before:
- https://codeberg.org/attachments/b17c5846-506f-4b32-97c9-03f31c5ff758
- https://codeberg.org/attachments/babcd011-d340-4a9e-94db-ea17ef6d3c2b
- https://codeberg.org/attachments/dbca009a-413e-48ab-84b1-55ad7f4fcd3d

After:
- https://codeberg.org/attachments/3e161f7b-4172-4a8c-a8eb-54bcf81c0cae
- https://codeberg.org/attachments/0c308f7e-25a0-49a3-9c86-1b1f9ab39467
- https://codeberg.org/attachments/b982b6b8-c78a-4332-8269-50d01de834e0

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4455
Reviewed-by: Caesar Schinas <caesar@caesarschinas.com>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Bram Hagens <bram@bramh.me>
Co-committed-by: Bram Hagens <bram@bramh.me>
2024-08-22 17:06:10 +02:00
Philip Peterson 03508b33a8
[FEAT] Allow pushmirror to use publickey authentication
- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by
@Gusted, so it's fine to change copyright holder to Forgejo).
- Add the option to use SSH for push mirrors, this would allow for the
deploy keys feature to be used and not require tokens to be used which
cannot be limited to a specific repository. The private key is stored
encrypted (via the `keying` module) on the database and NEVER given to
the user, to avoid accidental exposure and misuse.
- CAVEAT: This does require the `ssh` binary to be present, which may
not be available in containerized environments, this could be solved by
adding a SSH client into forgejo itself and use the forgejo binary as
SSH command, but should be done in another PR.
- CAVEAT: Mirroring of LFS content is not supported, this would require
the previous stated problem to be solved due to LFS authentication (an
attempt was made at forgejo/forgejo#2544).
- Integration test added.
- Resolves #4416
2024-08-22 17:05:07 +02:00
Earl Warren f19f31ac73
cron task to cleanup dangling container images with version sha256:*
Fixes: https://codeberg.org/forgejo/forgejo/issues/4378
2024-08-22 09:10:15 +02:00
Solomon Victorino a4814bca2d fix(ui): prevent exceptions on other users' repo migration pages
- don't expect the retry button to always be attached
- don't parse status response as JSON when it was a login redirect
- add E2E test
2024-08-21 19:57:08 +00:00
Gusted e3243a9465 Merge pull request 'feat(ui): Add rel="nofollow" to in-list labels' (#5002) from xlii/forgejo:forgejo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5002
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-21 19:54:59 +00:00
Otto Richter 83d2b3b7fa Implement CSS-only input toggling, refactor related forms
UX/Translation changes:

- new teams: remove redundant tooltips that don't add meaningful information
  - move general information to table fieldset
- new teams: rename "general" to "custom" access for clarity
- new teams: show labels beside options on mobile

Accessibility:

- semantic form elements allow easier navigation (fieldset, mostly)
- improve better labelling of new teams table
- fix accessibility scan issues
- TODO: the parts that "disable" form elements were not yet touched and
  are not really accessible to screenreaders

Technical:

- replace two JavaScript solutions with one CSS standard
- implement a simpler grid (.simple-grid)
- simplify markup
- remove some webhook settings specific CSS

Testing:

- check more form content for accessibility issues
- but exclude tooltips from the scan :(
- reuse existing form tests from previous PR
2024-08-21 15:03:19 +02:00
Otto c20c534b90 Merge pull request 'fix: validate title length when updating an issue' (#4809) from thilinajayanath/forgejo:validate-issue-title-update into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4809
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-21 12:55:26 +00:00
thilinajayanath 1e922d906f validate the title length when updating an issue and add integration test for issue title update
using middleware validator to validate title length on update

use error name from binding package

add integration test for title update

rebase upstream and update test var name

fix test slice formatting

just a try (#1)

Reviewed-on: https://codeberg.org/thilinajayanath/forgejo/pulls/1
Co-authored-by: Otto Richter <git@otto.splvs.net>
Co-committed-by: Otto Richter <git@otto.splvs.net>

fix errors + add test for 255 char title

fix test domain

fix CSRF token error on test

updaate result struct that's used to decode the json response

add json tags for struct and check changed title when http 200 is received

try to decode the title if the request succeeded

add comment in integration test
2024-08-21 08:56:52 +02:00
Gusted 68cc61b537
Add integration test 2024-08-20 19:09:22 +02:00
Gusted f28cde134e Merge pull request '[UI] Adjust trailing EOL behavior for empty file' (#5013) from gusted/forgejo-adjust-eol into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5013
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 13:42:04 +00:00
Earl Warren c76a73ad35 Merge pull request '[gitea] week 2024-34 cherry pick (gitea/main -> forgejo)' (#4998) from earl-warren/wcp/2024-34 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4998
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-20 06:32:09 +00:00
Gusted e9a89a188e
[UI] Adjust trailing EOL behavior for empty file
- Follow up #4835
- Currently for empty files (file size is shown in the file header) the
"No EOL" information is being shown, even though it doesn't really
make sense to show that for empty files.
- Add integration test.
- Ref: https://codeberg.org/Codeberg/Community/issues/1612#issuecomment-2169437
2024-08-19 20:23:15 +02:00
Otto 3b8ac4388a Merge pull request 'Refactor grouped forms to semantic HTML' (#4995) from fnetx/refactor-grouped-forms into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4995
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-19 14:53:35 +00:00
Otto Richter c9e402afdc feat(tmpl): Introduce semantic HTML in forms
Modifies forms:

- (new) org team
- (new) repo webhook
- (new) repo protected branch

The forms are not completely rewritten to semantic HTML yet. The focus
of this change was on standard elements, some custom solutions were left
untouched for now.

- swaps the order fo permission radio buttons as per https://codeberg.org/forgejo/forgejo/issues/4983
- uses fieldsets to group related inputs
  - ensures consistent styling across forms
  - can be improved later, e.g. using horizontal lines between sections
- fixes: previous font size of labels was smaller than the font size of the help text
- help text are now part of the label, clicking them now also activates the input
- drop unused CSS (no required checkboxes in grouped class remain)
- playwright testing:
  - move login boilerplate to utils
  - automated form accessibility checking
    - allow defining the scope, because legacy parts of the forms are not yet accessible
  - assert some CSS properties that should not be overriden
- the Makefile adjustment was necessary, because eslint scanned some internal files in the tests/e2e/reports directory
2024-08-19 01:14:18 +02:00
Gusted fe18428806
Fix linting issues 2024-08-18 16:25:13 +02:00
Rowan Bohde ebfdc659d8
render plain text file if the LFS object doesn't exist (#31812)
We had an issue where a repo was using LFS to store a file, but the user
did not push the file. When trying to view the file, Gitea returned a
500 HTTP status code referencing `ErrLFSObjectNotExist`. It appears the
intent was the render this file as plain text, but the conditional was
flipped. I've also added a test to verify that the file is rendered as
plain text.

(cherry picked from commit 1310649331648d747c57a52ea3bc92da85e7d4d1)

Conflicts:
	tests/integration/lfs_view_test.go
  trivial context conflict
2024-08-18 05:58:33 +02:00
Jason Song 7f1db1df3e
Show lock owner instead of repo owner on LFS setting page (#31788)
Fix #31784.

Before:

<img width="1648" alt="image"
src="https://github.com/user-attachments/assets/03f32545-4a85-42ed-bafc-2b193a5d8023">

After:

<img width="1653" alt="image"
src="https://github.com/user-attachments/assets/e5bcaf93-49cb-421f-aac1-5122bc488b02">

(cherry picked from commit 0470646d46f90c20f40fde718be6ef8d8c84ee2c)
2024-08-18 05:47:06 +02:00
Gusted 760b99bd5a Merge pull request 'test: fail on unhandled JS exceptions' (#4959) from solomonv/e2e-fail-on-errors into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4959
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Caesar Schinas <caesar@caesarschinas.com>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-17 00:58:18 +00:00
Earl Warren 24eb401a0a Merge pull request 'Enhancing Gitea OAuth2 Provider with Granular Scopes for Resource Access' (#4449) from marcellmars/forgejo:forgejo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4449
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-16 12:38:15 +00:00
Solomon Victorino 750deb9367 test: fail on unhandled JS exceptions 2024-08-14 15:35:20 -06:00
Otto b77f45f46b Merge pull request 'Revert "Prevent allow/reject reviews on merged/closed PRs"' (#4907) from caesar/forgejo:revert-no-closed-pr-review into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4907
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-13 23:25:54 +00:00
Otto 01affa0908 Merge pull request 'fix: Run full PR checks on agit push' (#4885) from viceice/forgejo:fix/agit/force-push into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4885
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-13 18:23:40 +00:00
Jason Song a627b885c7
Support compression for Actions logs (#31761)
Support compression for Actions logs to save storage space and
bandwidth. Inspired by
https://github.com/go-gitea/gitea/issues/24256#issuecomment-1521153015

The biggest challenge is that the compression format should support
[seekable](https://github.com/facebook/zstd/blob/dev/contrib/seekable_format/zstd_seekable_compression_format.md).
So when users are viewing a part of the log lines, Gitea doesn't need to
download the whole compressed file and decompress it.

That means gzip cannot help here. And I did research, there aren't too
many choices, like bgzip and xz, but I think zstd is the most popular
one. It has an implementation in Golang with
[zstd](https://github.com/klauspost/compress/tree/master/zstd) and
[zstd-seekable-format-go](https://github.com/SaveTheRbtz/zstd-seekable-format-go),
and what is better is that it has good compatibility: a seekable format
zstd file can be read by a regular zstd reader.

This PR introduces a new package `zstd` to combine and wrap the two
packages, to provide a unified and easy-to-use API.

And a new setting `LOG_COMPRESSION` is added to the config, although I
don't see any reason why not to use compression, I think's it's a good
idea to keep the default with `none` to be consistent with old versions.

`LOG_COMPRESSION` takes effect for only new log files, it adds `.zst` as
an extension to the file name, so Gitea can determine if it needs
decompression according to the file name when reading. Old files will
keep the format since it's not worth converting them, as they will be
cleared after #31735.

<img width="541" alt="image"
src="https://github.com/user-attachments/assets/e9598764-a4e0-4b68-8c2b-f769265183c9">

(cherry picked from commit 33cc5837a655ad544b936d4d040ca36d74092588)

Conflicts:
	assets/go-licenses.json
	go.mod
	go.sum
  resolved with make tidy
2024-08-13 06:51:49 +02:00
Caesar Schinas 65c2595f26
Revert "Prevent allow/reject reviews on merged/closed PRs"
This reverts commit 4ed372af13.
This change from Gitea was not considered by the Forgejo UI team and there is a consensus that it feels like a regression.

The test which was added in that commit is kept and modified to test that reviews can successfully be submitted on closed and merged PRs.

Closes forgejo/design#11
2024-08-12 12:24:52 +01:00
Michael Kriese 2d05e922a2
fix(agit): run full pr checks on force-push 2024-08-12 09:00:41 +02:00
a1012112796 e5f8d144f2
[PORT] Add warning message in merge instructions when AutodetectManualMerge was not enabled (gitea#31805)
---

Conflict resolution: trivial
Things done differently: Improve localization message, use the paragraph
element instead of the div element, fix passing this variable to the
template and add a integration test

(cherry picked from commit 9633f336c87947dc7d2a5e76077a10699ba5e50d)
2024-08-11 19:15:37 +02:00