Commit graph

17127 commits

Author SHA1 Message Date
Lunny Xiao 2c802fc8f0
Display friendly error message (#29105) (#29363)
Backport #29105

`ctx.Error` only displays the text but `ctx.ServerError` renders the
usual error page.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit a1c0b3a02e54e5fe879dabccb71fba9498b64051)
2024-03-06 12:20:42 +08:00
Giteabot a28d6686fa
Fix validity of the FROM email address not being checked (#29347) (#29360)
Backport #29347 by @carlosfelgueiras

Fixes #27188.
Introduces a check on the installation that tries to parse the FROM
address. If it fails, shows a new error message to the user.

Co-authored-by: Carlos Felgueiras <carlosfelgueiras@tecnico.ulisboa.pt>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 35db5a373babd9af157fd63eeb20d6da53320b73)
2024-03-06 12:20:42 +08:00
Lunny Xiao e4d3067138
Fix project counter in organization/individual profile (#28068) (#29361)
Fix #28052
Backport #28068
Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f299983-4b38-4d68-ac0e-4be3c62c0558)

![image](https://github.com/go-gitea/gitea/assets/18380374/f0e12afd-483b-4882-80e9-0261beb3fe0c)

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/47cccb7b-bb35-4a7d-9c5b-83133be0323a)

![image](https://github.com/go-gitea/gitea/assets/18380374/77825c0c-4bf2-4762-83a2-1a5a173cc22d)

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 5043ad54c7a0d1dc6bf5f1caf21b4646ec9344d3)
2024-03-06 12:20:42 +08:00
Giteabot 8e2c991b35
Fix tarball/zipball download bug (#29342) (#29352)
Backport #29342 by @Zettat123

Fix #29249

~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~

Apply #26430 to archive download URLs.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 829b807a91f9895e3f4b262f688a8d0d9a44caf6)
2024-03-06 12:20:42 +08:00
Giteabot 9da608abad
Don't show third-party JS errors in production builds (#29303) (#29333)
Backport #29303 by @silverwind

So we don't get issues like
https://github.com/go-gitea/gitea/issues/29080 and
https://github.com/go-gitea/gitea/issues/29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 6ca8cb590d510c98610031675e0a316f95efaf61)
2024-03-06 12:20:42 +08:00
Giteabot c4ac72e6a0
Only log error when tag sync fails (#29295) (#29327)
Backport #29295 by @lunny

Fix #28843

This PR will bypass the pushUpdateTag to database failure when
syncAllTags. An error log will be recorded.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit b78f5fc60f510a58d58535af77c5b424a8b5a660)
2024-03-06 12:20:42 +08:00
Lunny Xiao 790a27f38a
Fix SSPI user creation (#28948) (#29323)
Fixes #28945
Backport #28948

Setting the avatar is wrong and creating a random password is equal to
leave it empty.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 7ea2ffaf166780b7786291f7ff022e3f5b49e8c2)
2024-03-06 12:20:42 +08:00
Earl Warren b837bd81d0
Revert "[CI] pin go v1.21.8 version"
This reverts commit e3698d8662.
2024-03-06 12:18:06 +08:00
Earl Warren 2a2b51c5f7 Merge pull request '[CI] pin go v1.21.8 version' (#2568) from earl-warren/forgejo:wip-v1.21-ci-go-action into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2568
2024-03-06 04:17:23 +00:00
techknowlogick e7448699f6
bump protobuf module (#29617)
(cherry picked from commit 06039bf0b7ec4dffe74ae323b8bbbbedec69d0c8)

Conflicts:
	go.mod
	go.sum
	trivial context conflict
2024-03-06 11:53:02 +08:00
Earl Warren e3698d8662
[CI] pin go v1.21.8 version
Because setup-go fails to pick it up.

Refs: https://github.com/actions/setup-go/issues/462
(cherry picked from commit d7aaefcea9d38ca50a96f34ff42efe954bce4acd)

Conflicts:
	.forgejo/workflows/build-release.yml
	.forgejo/workflows/cascade-setup-end-to-end.yml
	.forgejo/workflows/e2e.yml
	.forgejo/workflows/testing.yml
	trivial context conflict
2024-03-06 11:53:02 +08:00
Gusted 9196f0d618 Merge pull request '[BUG] Ensure HasIssueContentHistory takes into account comment_id' (#2535) from gusted/forgejo-bp-2518 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2535
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-03-01 15:19:38 +00:00
Gusted 8fb027fea5
[BUG] Ensure HasIssueContentHistory takes into account comment_id
- Backport of #2518
- The content history table contains the content history of issues and
comments. For issues they are saved with an comment id of zero.
- If you want to check if the issue has an content history, it should
take into account that SQL has `comment_id = 0`, as it otherwise could
return incorrect results when for example the issue already has an
comment that has an content history.
- Fix the code of `HasIssueContentHistory` to take this into account, it
relied on XORM to generate the SQL from the non-default values of the
struct, this wouldn't generate the `comment_id = 0` SQL as `0` is the
default value of an integer.
- Remove an unncessary log (it's not the responsibility of `models`
code to do logging).
- Adds unit test.
- Resolves #2513

(cherry picked from commit 331fa44956)
2024-03-01 15:48:42 +01:00
Gusted 5d5059f42c Merge pull request '[BUG] Correct changed files for codeowners' (#2519) from gusted/forgejo-bp-2507 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2519
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 23:18:08 +00:00
Gusted 9b70caf798
[BUG] Correct changed files for codeowners
- Backport of #2507
- The CODEOWNER feature relies on the changed files to determine which
reviewers should be added according to the `CODEOWNER` file.
- The current approach was to 'diff' between the base and head branch,
which seems logical but fail in practice when the pull request is out of
date with the base branch. Therefore it should instead diff between the
head branch and the merge base of the head and base branch, so only the
actual affected files by the pull requests are used, the same approach
is used by the diff of an unmerged pull request.
- Add integration testing (for the feature as well).
- Resolves #2458

(cherry picked from commit fb2795b5bb)
2024-02-28 20:13:20 +01:00
Earl Warren ab67eb7d8a Merge pull request '[BUG] Remember topic only in repo search' (#2508) from gusted/forgejo-bp-2489 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2508
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 10:20:12 +00:00
Gusted 9955e38fa2
[BUG] Remember topic only in repo search
- Backport of #2489
- If the user is searching repositories with an specific topic, adding
any other filter option, such as showing unrelevant repositories or
using another sort Forgejo should remember that 'topic only' was set.
- Adds integration test.
- Resolves #2461

(cherry picked from commit b4360d504c)
2024-02-27 23:37:26 +01:00
Gusted da9473cd4d Merge pull request '[BUG] Log FindRenamedBranch error' (#2468) from gusted/forgejo-fix-error into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2468
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-25 15:13:28 +00:00
Gusted 255b60931f
[BUG] Log FindRenamedBranch error
- Fix error string to add an `%v` verb to log the error correctly.
2024-02-25 15:40:18 +01:00
Earl Warren 031822b8fc Merge pull request '[SECURITY] Fix XSS vulnerabilities' (#2434) from earl-warren/forgejo:wip-v1.21-xss into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2434
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-02-22 15:03:20 +00:00
Gusted d3de80b9cc
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
2024-02-22 15:35:04 +01:00
Gusted fe2df46d05
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.
2024-02-22 15:04:36 +01:00
Gusted 92dae3a387
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
2024-02-22 15:04:11 +01:00
Earl Warren 5048478147 Merge pull request '[gitea] v1.21 cherry-pick' (#2430) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2430
2024-02-22 13:00:38 +00:00
Zettat123 9a63c6f39a
Fix error display when merging PRs (#29288) (#29309)
Backport #29288
Partially fix #29071, regression of Modernize merge button #28140

Fix some missing `Redirect` -> `JSONRedirect`.

Thanks @yp05327 for the help in
https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075

(cherry picked from commit dcb9c38568dc4e9502fc416de237cce0eac41cba)
2024-02-22 13:10:12 +01:00
Gusted d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
trough `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and commiters on a Git
commit is user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do use, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` trough `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
jolheiser 33af169223
[SECURITY] review(kn4ck3r): more template escapes
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 12:54:34 +01:00
yp05327 47e70bbf0e
Fix gitea-action user avatar broken on edited menu (#29190) (#29307)
Backport #29190

Fix #29178

(cherry picked from commit f80ea95eb538decad4d982ce96f640b18e430393)
2024-02-22 11:07:39 +01:00
wxiaoguang 3a061083d6
Fix missing link on outgoing new release notifications (#29079) (#29300)
Backport #29079

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit c4a86b20a4ecef749caed4e9e1381c1736cb0309)
2024-02-22 11:07:31 +01:00
wxiaoguang 8a2c4e9ff2
Fix debian InRelease Acquire-By-Hash newline (#29204) (#29299)
Backport #29204

Co-authored-by: Robin Schoonover <robin@cornhooves.org>
(cherry picked from commit f634982d237b38e0634c5997612f50230898247e)
2024-02-22 11:07:28 +01:00
wxiaoguang a1fb6a2346
Always write proc-receive hook for all git versions (#29287) (#29291)
Backport #29287

(cherry picked from commit 9379352db638aa99ee9f4a7d2755966f3d866541)
2024-02-22 11:07:23 +01:00
Zettat123 c49dd9de9b
Do not show delete button when time tracker is disabled (#29257) (#29279)
Backport #29257
Fix #29233

The delete button of time logs won't be shown when the time tracker is
disabled.

![image](https://github.com/go-gitea/gitea/assets/15528715/5cc4e0c9-d2f9-4b8f-a2f5-fe202b94c191)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit e940443b276fa4f30633902f025fd2adad1b22de)
2024-02-22 11:07:20 +01:00
Earl Warren 2c567ea193 Merge pull request '[BUG] Initialize Git for hook regeneration' (#2421) from gusted/forgejo-bp-2416 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2421
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-21 14:41:45 +00:00
Gusted 2fb2e832c5
[BUG] Initalize Git for hook regeneration
- Backport of #2416
- The hook regeneration code relies on `git.SupportProcReceive` being
set to determine if the `proc-receive` hook should be written, this
variable is set when the git module is initialized.
- Resolves #2414

(cherry picked from commit 815abad84c)
2024-02-21 14:43:43 +01:00
Earl Warren ceca25d374 Merge pull request '[gitea] v1.21 cherry-pick' (#2407) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2407
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-20 15:47:19 +00:00
Earl Warren 44906f85f7 Merge pull request '[SEMVER] 6.0.6+0-gitea-1.21.6' (#2409) from earl-warren/forgejo:wip-v1.21-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2409
2024-02-20 11:22:31 +00:00
Earl Warren 5e31d1f37f
[SEMVER] 6.0.6+0-gitea-1.21.6 2024-02-20 10:41:03 +01:00
6543 8377ecbfe1
Workaround to clean up old reviews on creating a new one (#28554) (#29264)
close  #28542
backport #28554

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit c01b266d8680a270b1e8067e757ed25be38eea24)
2024-02-20 09:39:02 +01:00
Jason Song 861d0b9689
Do not use lower tag names to find releases/tags (#29261) (#29262)
Backport #29261.

Fix #26090, see
https://github.com/go-gitea/gitea/issues/26090#issuecomment-1952013206

Since `TagName` stores the original tag name and `LowerTagName` stores
the lower tag name, it doesn't make sense to use lowercase tags as
`TagNames` in `FindReleasesOptions`.

5e72526da4/services/repository/push.go (L396-L397)

While the only other usage looks correct:

5e72526da4/routers/web/repo/repo.go (L416)
(cherry picked from commit f79530c50ee1c7833cae13e56531e5d1fd66f5ba)
2024-02-20 09:36:37 +01:00
Tim-Nicas Oelschläger a40762d929
Convert visibility to number (#29226) (#29244)
Backport #29226

Don't throw error while creating user (Fixes #29218)

---

The backport info from Giteabot
https://github.com/go-gitea/gitea/pull/29226#issuecomment-1951341322
needs to specify the version, because the default is v1.18

(cherry picked from commit 39735c43a8b6f7db3b3e3531ca9115a60335d524)
2024-02-20 09:36:28 +01:00
Lunny Xiao 8782275c9c
Fix push to create with capitalize repo name (#29090) (#29206)
Fix #29073
Backport #29090

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 933cc4da642c13b18423be99574944c43cc558c7)
2024-02-20 09:28:32 +01:00
KN4CK3R aced7547c2
Use ghost user if user was not found (#29161) (#29169)
Backport #29161

(cherry picked from commit d823465d94b3b43945eace060000db9334eca52d)
2024-02-20 09:26:13 +01:00
6543 d3846df1f9
Dont load Review if Comment is CommentTypeReviewRequest (#28551) (#29160)
Backport #28551

RequestReview get deleted on review.
So we don't have to try to load them on comments.

(cherry picked from commit 0ac3186267b717bce7076ef44f883df7720d7a2d)
2024-02-20 09:22:26 +01:00
Earl Warren 60a4c05d23 Merge pull request '[BUG] Restrict when to make link absolute in markdown' (#2406) from gusted/forgejo-bp-2403 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2406
Reviewed-by: Otto <otto@codeberg.org>
2024-02-20 07:12:22 +00:00
Gusted 6c100083c2
[BUG] Restrict when to make link absolute in markdown
- Backport of #2403
- In markdown, links are proccessed to be made absolute against the
relevant base in that context. Such that `./src` will be transformed
into `http://example.com/owner/repo/src/branch/main/src`.
- Don't try to make the link absolute if the link has a schema that's
defined in `[markdown].CUSTOM_URL_SCHEMES`, because they can't be made
absolute and doing so could lead to problems (see test case, double
slash was transformed to single slash).
- Adds unit test.
- Resolves https://codeberg.org/Codeberg/Community/issues/1489

(cherry picked from commit 65b9a959b8)
2024-02-19 23:30:12 +01:00
Earl Warren 6c5121aac5 Merge pull request '[GITEA] Fix cancelled migration deletion modal' (#2405) from gusted/forgejo-bp-1805 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2405
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-19 21:55:09 +00:00
Gusted 53460829f7
[GITEA] Fix cancelled migration deletion modal
- Backport of #1805
- https://codeberg.org/forgejo/forgejo/pulls/1473 made that dangerous
actions such as deletion also would need to type in the owner's name.
This was apparently not reflected to the deletion modal for migrations
that failed or were cancelled.
- Resolves #2404

(cherry picked from commit c38dbd6f88)
2024-02-19 21:00:26 +01:00
Gusted 84ef9bba44 Merge pull request '[BUG] Fix relative links on orgmode' (#2391) from gusted/forgejo-bp-2385 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2391
Reviewed-by: Otto <otto@codeberg.org>
2024-02-19 12:29:21 +00:00
Gusted fa700333ba
[BUG] Fix relative links on orgmode
- Backport of #2385
- For regular non-image nonvideo links, they should be made relative,
this was done against `r.Ctx.Links.Base`, but since 637451a45e, that
should instead be done by `SrcLink()` if there's branch information set
in the context, because branch and treepath information are no longer
set in `r.Ctx.Links.Base`.
- This is consistent with how #2166 _fixed_ relative links.
- Media is not affected, `TestRender_Media` test doesn't fail.
- Adds unit tests.
- Ref https://codeberg.org/Codeberg/Community/issues/1485

(cherry picked from commit a2442793d2)
2024-02-19 12:15:40 +01:00
Earl Warren cd8a59e7bd Merge pull request '[BUG] Fix Ctrl+Enter on submitting review comment' (#2374) from gusted/forgejo-bp-2370 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2374
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-17 16:25:27 +00:00