Commit graph

4938 commits

Author SHA1 Message Date
Lunny Xiao 56971f9ed9
Disable Oauth check if oauth disabled (#32368)
Fix #32367

---------

Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 840ad7eefe2b49ab453b9a89b153a264a8c9f8a2)

Conflicts:
	services/auth/oauth2.go
  trivial context conflict
2024-11-17 12:18:56 +01:00
ChristopherHX 7f51210672
Harden runner updateTask and updateLog api (#32462)
Per proposal https://github.com/go-gitea/gitea/issues/32461

(cherry picked from commit f888e45432ccb86b18e6709fbd25223e07f2c422)
2024-11-17 08:45:37 +01:00
Angel Nunez Mencias 01c9c19536
fmt 2024-11-16 18:12:40 +01:00
angelnu d2dc4fae3a
review changes 2024-11-16 18:12:40 +01:00
angelnu e434ecdaca
check IsCommitExist 2024-11-16 18:12:40 +01:00
Gusted 786dfc7fb8
fix: add ID check for updating push mirror interval
- Ensure that the specified push mirror ID belongs to the requested
repository, otherwise it is possible to modify the intervals of the push
mirrors that do not belong to the requested repository.
- Integration test added.
2024-11-15 10:59:36 +01:00
Gusted 061abe6004
fix: don't show private forks in forks list
- If a repository is forked to a private or limited user/organization,
the fork should not be visible in the list of forks depending on the
doer requesting the list of forks.
- Added integration testing for web and API route.
2024-11-15 10:59:36 +01:00
Gusted 3e3ef76808
fix: require code permissions for branch feed
- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.
2024-11-15 10:59:36 +01:00
Gusted 1ce33aa38d
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.
2024-11-15 10:59:36 +01:00
wxiaoguang 7e1aa8a5cd
[PORT] Refactor DateUtils and merge TimeSince (gitea#32409)
Follow #32383 and #32402

---
Conflict resolution: Magic, painful.

(cherry picked from commit b068dbd40ee3b4dc7d18cdcf168f0c24cea234c0)
2024-11-10 22:23:27 +01:00
Otto 0fb48872ac Merge pull request '[FEAT] Trim spaces from repo names on form submission' (#5822) from gusted/forgejo-trim-spaces-form into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5822
Reviewed-by: Otto <otto@codeberg.org>
2024-11-06 09:16:17 +00:00
Earl Warren 36b18fb6cc Merge pull request '[gitea] week 2024-45 cherry pick (gitea/main -> forgejo)' (#5789) from algernon/wcp/2024-45 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5789
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-06 08:57:43 +00:00
Gusted 310376525b
[CHORE] Use forked binding library
- Use the forked [binding](https://code.forgejo.org/go-chi/binding)
library. This library has two benefits, it removes the usage of
`github.com/goccy/go-json` (has no benefit as the minimo library is also
using it). It adds the `TrimSpace` feature, which will during the
binding part trim the spaces around the value it got from the form, this
is done before validation.
2024-11-05 22:47:34 +01:00
Otto f28e728317 Merge pull request '[PORT] Replace DateTime with proper functions (gitea#32402)' (#5796) from gusted/forgejo-port-dateutils into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5796
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-05 21:46:29 +00:00
Gusted 25c7c531f5 Merge pull request '[PORT] Refactor the DB migration system slightly (gitea#32344)' (#5793) from gusted/forgejo-port-32344 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5793
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-05 20:15:11 +00:00
Gusted d5a1188086 Merge pull request 'feat: add partial quoting' (#5677) from gusted/forgejo-partial-qouting into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5677
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-05 20:13:04 +00:00
Rowan Bohde befafe9a05
improve performance of diffs (#32393)
This has two major changes that significantly reduce the amount of work
done for large diffs:

* Kill a running git process when reaching the maximum number of files
in a diff, preventing it from processing the entire diff.
* When loading a diff with the URL param `file-only=true`, skip loading
stats. This speeds up loading both hidden files of a diff and sections
of a diff when clicking the "Show More" button.

A couple of minor things from profiling are also included:

* Reuse existing repo in `PrepareViewPullInfo` if head and base are the
same.

The performance impact is going to depend heavily on the individual diff
and the hardware it runs on, but when testing locally on a diff changing
100k+ lines over hundreds of files, I'm seeing a roughly 75% reduction
in time to load the result of "Show More"

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 7dcccc3bb19655a6f83dd495ffc332708d0c8678)
2024-11-05 09:39:21 +01:00
Zettat123 6b74043b85
Fix missing signature key error when pulling Docker images with SERVE_DIRECT enabled (#32365)
Fix #28121

I did some tests and found that the `missing signature key` error is
caused by an incorrect `Content-Type` header. Gitea correctly sets the
`Content-Type` header when serving files.

348d1d0f32/routers/api/packages/container/container.go (L712-L717)
However, when `SERVE_DIRECT` is enabled, the `Content-Type` header may
be set to an incorrect value by the storage service. To fix this issue,
we can use query parameters to override response header values.

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
<img width="600px"
src="https://github.com/user-attachments/assets/f2ff90f0-f1df-46f9-9680-b8120222c555"
/>

In this PR, I introduced a new parameter to the `URL` method to support
additional parameters.

```
URL(path, name string, reqParams url.Values) (*url.URL, error)
```

---

Most S3-like services support specifying the content type when storing
objects. However, Gitea always use `application/octet-stream`.
Therefore, I believe we also need to improve the `Save` method to
support storing objects with the correct content type.

b7fb20e73e/modules/storage/minio.go (L214-L221)
(cherry picked from commit 0690cb076bf63f71988a709f62a9c04660b51a4f)

Conflicts:
	- modules/storage/azureblob.go
	  Dropped the change, as we do not support Azure blob storage.
	- modules/storage/helper.go
	  Resolved by adjusting their `discardStorage` to our
	  `DiscardStorage`
	- routers/api/actions/artifacts.go
	  routers/api/actions/artifactsv4.go
	  routers/web/repo/actions/view.go
	  routers/web/repo/download.go
	  Resolved the conflicts by manually adding the new `nil`
	  parameter to the `storage.Attachments.URL()` calls.

	  Originally conflicted due to differences in the if expression
	  above these calls.
2024-11-05 09:33:15 +01:00
Oleksandr Redko 4aa61601c3
refactor: remove redundant err declarations (#32381)
(cherry picked from commit f4d3aaeeb9e1b11c5495e4608a3f52f316c35758)

Conflicts:
	- modules/charset/charset_test.go
	  Resolved by manually changing a `=` to `:=`, as per the
	  original patch. Conflict was due to `require.NoError`.
2024-11-05 09:33:15 +01:00
wxiaoguang 498b5f9867
[PORT] Refactor the DB migration system slightly (gitea#32344)
Introduce "idNumber" for each migration, and clarify the difference
between the migration ID number and database version.

---
Conflict resolution: trivial

(cherry picked from commit d70af38447a759d4a935e315e18efa4dd625f655)
2024-11-03 17:00:48 +01:00
wxiaoguang 171de4d107
[PORT] Fix git error handling (gitea#32401)
---
Conflict resolution: Trivial, for `repo_attributes.go` move where the
`IsErrCanceledOrKilled` needs to happen because of other changes that
happened in this file.

To add some words to this change: It seems to be mostly simplifying the
error handling of git operations.

(cherry picked from commit e524f63d58900557d7d57fc3bcd19d9facc8b8ee)
2024-11-03 16:47:44 +01:00
wxiaoguang f2eabf6308
[PORT] Replace DateTime with DateUtils (gitea#32383)
(cherry picked from commit fec6b3d50072e48bb51c18c5c4ea682dc6319573)
2024-11-03 16:37:01 +01:00
JakobDev 86546fe63e
feat: Add Search to Releases Page 2024-11-02 10:24:35 +01:00
Tom Neuber 68d5cf0e92
Add branch auto deletion for scheduled PRs 2024-10-31 03:49:15 +01:00
Earl Warren 485db0a3ba Merge pull request '[gitea] week 2024-44 cherry pick (gitea/main -> forgejo)' (#5714) from algernon/wcp/2024-44 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5714
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-29 09:05:27 +00:00
Earl Warren e08664c56e Merge pull request 'use constant time check for internal token' (#5719) from earl-warren/forgejo:wip-timing into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5719
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-10-28 06:14:36 +00:00
Gusted 53231bad61
fix(sec): use constant time check for internal token 2024-10-28 06:25:52 +01:00
Gusted 266e0b2ce9
security: add permission check to 'delete branch after merge'
- Add a permission check that the doer has write permissions to the head
repository if the the 'delete branch after merge' is enabled when
merging a pull request.
- Unify the checks in the web and API router to `DeleteBranchAfterMerge`.
- Added integration tests.
2024-10-28 05:48:10 +01:00
Lunny Xiao 480d565944
Fix disable 2fa bug (#32320)
(cherry picked from commit 2abdbe88b5d16dcb345d27b73f1d9738f2d826dd)
2024-10-27 11:27:40 +01:00
Zettat123 8c79008d6f
Add DISABLE_ORGANIZATIONS_PAGE and DISABLE_CODE_PAGE settings for explore pages and fix an issue related to user search (#32288)
These settings can allow users to only display the repositories explore page.

Thanks to yp05327 and wxiaoguang !

---------

Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 9206fbb55fd28f21720072fce6a36cc22277934c)

Conflicts:
	 - templates/explore/navbar.tmpl
	   Resolved by manually applying the last hunk to our template.
2024-10-27 11:27:40 +01:00
Earl Warren 0e0a153adb Merge pull request 'feat: combine review requests comments' (#5695) from gusted/forgejo-combine-request-review into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5695
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-27 04:49:23 +00:00
Gusted 2c2ac80030 feat: Add partial quoting
- If you select a portion of the comment, `Quote reply` will not only
quote that portion and not copy paste the whole text as it previously
did. This is achieved by using the `@github/quote-selection` package.
- There's preprocessing to ensure Forgejo-flavored markdown syntax is
preserved.
- e2e test added.
- Resolves #1342
2024-10-26 19:15:43 +02:00
Earl Warren 2bdd7cb080 Merge pull request 'Fix boolean inputs in workflow_dispatch' (#5439) from Mai-Lapyst/forgejo:workflow_dispatch-fix-boolean-inputs into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5439
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-26 05:59:50 +00:00
Gusted 8fdc0a7a6c feat: combine review requests comments
- Combine review requests comments similairy how labels comments are
combined. If review requests comments were made within 60 seconds of
each other they will be grouped.
- Integration and unit test added.
- Resolves #2774
2024-10-25 22:57:32 +02:00
Earl Warren c1a08156f8 Merge pull request '[gitea] week 2024-43 cherry pick (gitea/main -> forgejo)' (#5621) from algernon/wcp/2024-43 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5621
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-22 17:37:03 +00:00
Gusted f4a7132a89 fix: don't show truncated comments in RSS/Atom feeds
- When a truncated comment is detected in the RSS/Atom feeds, fetch the
comment from the database and use the original content.
- Added integration test.
- Resolves #5650
2024-10-22 15:15:09 +02:00
Gusted f298bf125a Merge pull request 'fix: use ValidateEmail as binding across web forms' (#5158) from solomonv/consolidate-email-validation into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5158
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-21 14:31:32 +00:00
dragon 95c7599db5 fix arch pkg 2024-10-21 10:08:57 +08:00
6543 f4c2c401ec
API: enhance SearchIssues swagger docs (#32208)
this will result in better api clients generated out of the openapi docs
... for SearchIssues

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit d638067d3cb0a7f69b4d899f65b9be4940bd3e41)
2024-10-20 09:44:18 +02:00
Earl Warren e2354703ed Merge pull request '[gitea] week 2024-42 cherry pick (gitea/main -> forgejo)' (#5543) from earl-warren/wcp/2024-42 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5543
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-19 13:54:24 +00:00
0ko 19ca039486 feat(ui): set your_repositories as the default filter for org dashboards (#5593)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5593
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
2024-10-17 13:24:41 +00:00
Gusted a857007d65
fix: Add server logging for OAuth server errors
Although an error was presented to the user about that there's an
internal server error, the error itself is never logged.

Relevant: https://codeberg.org/Codeberg/Community/issues/1675
2024-10-17 09:13:48 +02:00
Otto 1d13249e17 Merge pull request '[BUG] Don't allow owner team with incorrect unit access' (#5529) from gusted/forgejo-owners-team-description into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5529
Reviewed-by: Otto <otto@codeberg.org>
2024-10-14 19:56:58 +00:00
Earl Warren e299a7f4cd Merge pull request 'fix: don't cancel schedule workflows on push to main branch' (#5470) from Kwonunn/forgejo:dont-cancel-schedule-workflow into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5470
2024-10-13 12:06:02 +00:00
6543 d0af8fe4dc
Allow filtering PRs by poster in the ListPullRequests API (#32209)
as title

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit bdd655f2bde5facada4394f36fe54e364787de7a)
2024-10-13 07:58:01 +03:00
Gusted 9de9034400
[BUG] Don't allow owner team with incorrect unit access
- On editting a team, only update the units if the team isn't the
'Owners' team. Otherwise the 'Owners' team end up having all of their
unit access modes set to 'None'; because the request form doesn't send
over any units, as it's simply not shown in the UI.
- Adds a database inconstency check and fix for the case where the
'Owners' team is affected by this bug.
- Adds unit test.
- Adds integration test.
- Resolves #5528
- Regression of https://github.com/go-gitea/gitea/pull/24012
2024-10-11 14:48:47 +02:00
Lunny Xiao a052d2b602
Fix bug when a token is given public only
Port of https://github.com/go-gitea/gitea/pull/32204

(cherry picked from commit d6d3c96e6555fc91b3e2ef21f4d8d7475564bb3e)

Conflicts:
  routers/api/v1/api.go
	services/context/api.go
  trivial context conflicts
2024-10-10 10:41:42 +03:00
Earl Warren 31fc0f66b7 Merge pull request '[gitea] week 2024-41 cherry pick (gitea/main -> forgejo)' (#5477) from earl-warren/wcp/2024-41 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5477
Reviewed-by: Otto <otto@codeberg.org>
2024-10-09 05:02:20 +00:00
JakobDev 1fc5e41592 [Feat]Add link to show all Issues/PullRequests (#4125)
The Issue and PullRequest list has 3 states:
- open: This lists all open Issues/PullRequests
- closed: This lists all closed Issues/PullRequests
- all: This lists all open and closed Issues/PullRequests

If you want to get to the all state, you need to click Open while in open state or Closed while in closed state, which is very unintuitive. This PR adss a third button to get to this state.

![grafik](/attachments/4ff59e4c-e318-40f0-80ba-f921ce098919)

I'm not sure if the eye icon fits well, but I couldn't find a better one.

Tests will be added once #4124 is merged.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4125
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-committed-by: JakobDev <jakobdev@gmx.de>
2024-10-09 04:56:40 +00:00
voltagex d17db93fbf i18n: improve 'Verify' error message, stopgap for #2809 (#5479)
Signed-off-by: Adam Baxter <codeberg@voltagex.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5479
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: voltagex <voltagex@noreply.codeberg.org>
Co-committed-by: voltagex <voltagex@noreply.codeberg.org>
2024-10-07 16:11:07 +00:00