Commit graph

19403 commits

Author SHA1 Message Date
Earl Warren 15fe4fd175 Merge pull request 'Teach activities.GetFeeds() how to avoid returning duplicates' (#3598) from algernon/forgejo:action-inaction-reaction into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3598
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 18:33:21 +00:00
yp05327 f81890fa95
Add result check in TestAPIEditUser (#29674)
Fix #29514
There are too many usage of `NewRequestWithValues`, so there's no need
to check all of them.
Just one is enough I think.

(cherry picked from commit ecd1d96f494d2400f7659165ff9376354edda395)

Conflicts:
	- tests/integration/api_admin_test.go
	  Conflict resolved by manually applying the change to
	  `full_name`.
2024-05-09 19:26:21 +02:00
0ko 0dc35c9df9 [THEME] Fix some 7.0 missing variables 2024-05-09 21:58:23 +05:00
Gergely Nagy 9cb2aa989a
Teach activities.GetFeeds() how to avoid returning duplicates
Before explaining the fix itself, lets look at the `action` table, and
how it is populated. Data is only ever inserted into it via
`activities_model.NotifyWatchers`, which will:

- Insert a row for each activity with `UserID` set to the acting user's
  ID - this is the original activity, and is always inserted if anything
  is to be inserted at all.
- It will insert a copy of each activity with the `UserID` set to the
  repo's owner, if the owner is an Organization, and isn't the acting
  user.
- It will insert a copy of each activity for every watcher of the repo,
  as long as the watcher in question has read permission to the repo
  unit the activity is about.

This means that if a repository belongs to an organizations, for most
activities, it will have at least two rows in the table. For
repositories watched by people other than their owner, an additional row
for each watcher.

These are useful duplicates, because they record which activities are
relevant for a particular user. However, for cases where we wish to see
the activities that happen around a repository, without limiting the
results to a particular user, we're *not* interested in the duplicates
stored for the watchers and the org. We only need the originals.

And this is what this change does: it introduces an additional option to
`GetFeedsOptions`: `OnlyPerformedByActor`. When this option is set,
`activities.GetFeeds()` will only return the original activities, where
the user id and the acting user id are the same. As these are *always*
inserted, we're not missing out on any activities. We're just getting
rid of the duplicates. As this is an additional `AND` condition, it can
never introduce items that would not have been included in the result
set before, it can only reduce, not extend.

These duplicates were only affecting call sites where `RequestedRepo`
was set, but `RequestedUser` and `RequestedTeam` were not. Both of those
call sites were updated to set `OnlyPerformedByActor`. As a result,
repository RSS feeds, and the `/repos/{owner}/{repo}/activities/feeds`
API end points no longer return dupes, only the original activities.

Rather than hardcoding this behaviour into `GetFeeds()` itself, I chose
to implement it as an explicit option, for the sake of clarity.

Fixes Codeberg/Community#684, and addresses gitea#20986.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-09 18:33:33 +02:00
Yaroslav Halchenko 2b2fd2728c Add codespell support and fix a good number of typos with its help (#3270)
More about codespell: https://github.com/codespell-project/codespell .

I personally introduced it to dozens if not hundreds of projects already and so far only positive feedback.

```
❯ grep lint-spell Makefile
	@echo " - lint-spell                       lint spelling"
	@echo " - lint-spell-fix                   lint spelling and fix issues"
lint: lint-frontend lint-backend lint-spell
lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix
.PHONY: lint-spell
lint-spell: lint-codespell
.PHONY: lint-spell-fix
lint-spell-fix: lint-codespell-fix
❯ git grep lint- -- .forgejo/
.forgejo/workflows/testing.yml:      - run: make --always-make -j$(nproc) lint-backend checks-backend # ensure the "go-licenses" make target runs
.forgejo/workflows/testing.yml:      - run: make lint-frontend
```
so how would you like me to invoke `lint-codespell` on CI? (without that would be IMHO very suboptimal and let typos sneak in)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3270
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Yaroslav Halchenko <debian@onerussian.com>
Co-committed-by: Yaroslav Halchenko <debian@onerussian.com>
2024-05-09 13:49:37 +00:00
Earl Warren 06843c1cdc Merge pull request 'Update dependency swagger-ui-dist to v5.17.6' (#3679) from renovate/swagger-ui-dist-5.17.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3679
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 07:21:21 +00:00
Earl Warren 326d5e6b63 Merge pull request 'Update dependency vue to v3.4.27' (#3680) from renovate/patch-vue-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3680
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 07:20:21 +00:00
Earl Warren 2ecdffd65c Merge pull request 'Update dependency @playwright/test to v1.44.0' (#3684) from renovate/playwright-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3684
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 07:17:13 +00:00
Renovate Bot e89e253636 Update dependency @playwright/test to v1.44.0 2024-05-09 02:05:43 +00:00
Renovate Bot 15c0878084 Update dependency vue to v3.4.27 2024-05-09 00:06:36 +00:00
Renovate Bot e71f8b8f7b Update dependency swagger-ui-dist to v5.17.6 2024-05-09 00:06:13 +00:00
Earl Warren 996dbdb0b4 Merge pull request 'Update ghcr.io/visualon/renovate Docker tag to v37.351.2' (#3646) from renovate/ghcr.io-visualon-renovate-37.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3646
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 22:07:13 +00:00
Earl Warren 9ac8bc9328 Merge pull request 'Update module github.com/blevesearch/bleve/v2 to v2.4.0' (#3647) from renovate/github.com-blevesearch-bleve-v2-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3647
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 21:34:21 +00:00
Gergely Nagy f4dd53d79d Fix an incorrect form submission in repo-issue.js (#3675)
This fixes `initRepoPullRequestAllowMaintainerEdit()` to submit the form correctly (as a web form, rather than as JSON payload).

Fixes #3618, cherry picked from gitea#30854.

Co-Authored-By: wxiaoguang <wxiaoguang@gmail.com>

---

Manual testing steps:

- Open a PR against any repository, with the "Allow edits from maintainers" option checked.
- Open the developer console (`Ctrl-Shift-I` on Firefox), and look at the Network tab.
- Visit the PR, find the "Allow edits from maintainers" checkbox, and click it.
- See the developer console, and check that the response says the setting is false.
- Refresh the page *completely* (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is off.
- Click the box again to enable it.
- See the developer console, and check that the response says the setting is true.
- Reload without cache again (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is now on.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3675
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-08 21:14:46 +00:00
Renovate Bot 8e1a6d8e73 Update ghcr.io/visualon/renovate Docker tag to v37.351.2 2024-05-08 20:05:21 +00:00
Earl Warren d3e02eaa89 chore(licenses): make go-license 2024-05-08 19:31:56 +00:00
Renovate Bot 4bff06dafb Update module github.com/blevesearch/bleve/v2 to v2.4.0 2024-05-08 19:31:56 +00:00
Earl Warren 18c8ae844e Merge pull request 'chore(dependency): automerge all JavaScript CI dependencies' (#3676) from earl-warren/forgejo:wip-ci-renovate into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3676
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-05-08 19:31:01 +00:00
Earl Warren 4af9d9b6c3 Merge pull request 'Update dependency @stylistic/eslint-plugin-js to v1.8.1' (#3666) from renovate/linters into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3666
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 17:45:20 +00:00
Earl Warren bfe4995ed5 Merge pull request 'Update dependency @vue/test-utils to v2.4.6' (#3667) from renovate/vue-test-utils-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3667
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 17:44:26 +00:00
Earl Warren d4bb667051
chore(dependency): automerge all JavaScript CI dependencies
Make a pass to have a full inventory of JavaScript dependencies that
can be automerged because they only have an impact on the CI. It is
easier than to examine them one by one when an update is proposed.

- add packages:test which indirectly includes packages:jsUnitTest and
  a number of test dependencies such as vitest
- add prefixes for dependencies which are known to be exclusively
  used for testing (playwright, ...)
- add modules

Refs: https://docs.renovatebot.com/presets-packages
2024-05-08 19:32:24 +02:00
Earl Warren 1c3c773dac Merge pull request 'Cumulative English improvements (May 2024)' (#3668) from 0ko/forgejo:i18n-20240508 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3668
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 17:04:21 +00:00
Renovate Bot 7105e19468 Update dependency @stylistic/eslint-plugin-js to v1.8.1 2024-05-08 16:03:56 +00:00
Earl Warren 7729cb3ecc Merge pull request 'fix(security): CVE-2024-24788 malformed DNS message' (#3671) from earl-warren/forgejo:wip-go-1.22.3 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3671
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-05-08 14:44:52 +00:00
Earl Warren f3045f0519
fix(security): CVE-2024-24788 malformed DNS message
Refs: https://pkg.go.dev/vuln/GO-2024-2824
2024-05-08 14:25:08 +02:00
0ko b11eddfaa8 [I18N] English improvements (May 2024)
- `editor.commit_id_not_matching` was reported by https://codeberg.org/kita. I confirmed the meaning on next.forgejo.org.
- `additional_repo_units_hint` was suggested by https://codeberg.org/leana8959.
2024-05-08 08:58:25 +05:00
Renovate Bot 84224a65ff Update dependency @vue/test-utils to v2.4.6 2024-05-08 02:05:00 +00:00
Earl Warren a2c8fe0370 Merge pull request '[gitea] week 2024-19 cherry pick (gitea-github/main -> forgejo)' (#3639) from earl-warren/wcp/2024-19 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3639
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
2024-05-07 22:47:53 +00:00
Michael Jerger 778dd81615 unused code of the moment 2024-05-07 18:40:27 +02:00
Michael Jerger 1a76664d56 next step on the way to federation 2024-05-07 17:58:13 +02:00
Earl Warren 99d1ae52fc Merge pull request 'Update module github.com/PuerkitoBio/goquery to v1.9.2' (#3634) from renovate/github.com-puerkitobio-goquery-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3634
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-07 11:28:32 +00:00
Earl Warren cae4a5456f
chore(dependency): automerge goquery when the CI passes 2024-05-07 11:57:25 +01:00
Earl Warren 3f6e4af5a9 Merge pull request 'UI: Hide hidden email from own profile, again' (#3636) from n0toose/profile/hide-unhidden-hidden-email into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3636
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-05-07 10:39:01 +00:00
Earl Warren 420f017bce Merge pull request 'Update module github.com/cosmtrek/air to v1.52.0' (#3650) from renovate/github.com-cosmtrek-air-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3650
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-07 10:10:41 +00:00
Twenty Panda 44895011dc chore(dependencies): switch to air@v1
there are no tests but since Gitea uses @v1 since last month and Gitea
maintainers rely on make watch, it is safe to assume that upgrading is
not broken. Switching to v1 would require less scrutiny on the
upgrades. Even if there is breakage, it can be fixed with minimal
impact on the developer workflow.
2024-05-07 10:11:21 +01:00
Michael Jerger 2177d38e9c feat(federation): validate like activities (#3494)
First step on the way to #1680

The PR will

* accept like request on the api
* validate activity in a first level

You can find

* architecture at: https://codeberg.org/meissa/forgejo/src/branch/forgejo-federated-star/docs/unsure-where-to-put/federation-architecture.md

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3494
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
2024-05-07 07:59:49 +00:00
0ko 8c3511a8b3 Merge pull request 'Allow org members to navigate between the org and the dashboard' (#3642) from 0ko/forgejo:ui-add-org-dashboard-goto into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3642
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-05-06 03:50:47 +00:00
Renovate Bot 62c3540467 Update module github.com/cosmtrek/air to v1.52.0 2024-05-06 02:05:34 +00:00
0ko b034ab5a8e [UI] Allow org members to navigate between the org and the dashboard
- add a new button to the org view that is only shown to the org members
- add integration test to verify the expected navigatability
- add a new translation string to that button
- fix display style of "View <orgname>" button on the dashboard
- fix gap size between buttons on the org view by utilizing the common class top-right-buttons
2024-05-05 23:14:57 +05:00
Earl Warren 434ef46088 Merge pull request 'Update module gitea.com/go-chi/binding to v0.0.0-20240430071103-39a851e106ed' (#3597) from renovate/gitea.com-go-chi-binding-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3597
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-05 12:15:39 +00:00
Earl Warren 308304e4a4 Merge pull request 'Improve repo filter names' (#3612) from 0ko/forgejo:i18n-filters into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3612
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-05 12:13:40 +00:00
Kemal Zebari e388822e9d
Don't only list code-enabled repositories when using repository API (#30817)
We should be listing all repositories by default.

Fixes #28483.

(cherry picked from commit 9f0ef3621a3b63ccbe93f302a446b67dc54ad725)

Conflict:
   -		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeRead {
   +		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.HasAccess() {
   because of https://codeberg.org/forgejo/forgejo/pulls/2001
2024-05-05 12:15:40 +01:00
yp05327 6a4bc0289d
Fix no edit history after editing issue's title and content (#30814)
Fix #30807

reuse functions in services

(cherry picked from commit a50026e2f30897904704895362da0fb12c7e5b26)

Conflicts:
	models/issues/issue_update.go
	routers/api/v1/repo/issue.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
2024-05-05 12:15:40 +01:00
wxiaoguang d93d62371c
Ignore useless error message "broken pipe" (#30801)
Fix #30792

(cherry picked from commit 53b55223d167c3fc996dd0278a656f421408ace7)
2024-05-05 12:15:40 +01:00
Bo-Yi Wu b29190c4f0
refactor: merge ListActionTasks func to action.go file (#30811)
Just merge actions.go file to action.go

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
(cherry picked from commit e67fbe4f15cdc544f6bec975de6560556724f098)
2024-05-05 12:15:40 +01:00
Archer 1b088fade6
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
2024-05-05 12:15:40 +01:00
Kemal Zebari 9cd0441cd3
Catch and handle unallowed file type errors in issue attachment API (#30791)
Before, we would just throw 500 if a user passes an attachment that is
not an allowed type. This commit catches this error and throws a 422
instead since this should be considered a validation error.

(cherry picked from commit 872caa17c0a30d95f85ab75c068d606e07bd10b3)

Conflicts:
	tests/integration/api_comment_attachment_test.go
	tests/integration/api_issue_attachment_test.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
2024-05-05 12:15:40 +01:00
silverwind 396f16e7b2
Add hover outline to heatmap squares (#30828)
Makes it easier to use because you see which square is currently
hovered:

<img width="314" alt="Screenshot 2024-05-02 at 15 38 20"
src="https://github.com/go-gitea/gitea/assets/115237/3a15dad1-2259-4f28-9fae-5cf6ad3d8798">

I did try a `scoped` style for this, but that did not work for some
reason.

(cherry picked from commit 6f89d5e3a0886d02ead732005f593ae003f78f78)
2024-05-05 12:15:40 +01:00
silverwind fb693442f5
Remove external API calls in TestPassword (#30716)
The test had a dependency on `https://api.pwnedpasswords.com` which
caused many failures on CI recently:

```
--- FAIL: TestPassword (2.37s)
    pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
FAIL
coverage: 82.9% of statements
```

(cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d)
2024-05-05 12:15:40 +01:00
wxiaoguang ee97bb17ba
Fix issue card layout (#30800)
Fix #30788

(cherry picked from commit 6ff2acc52c976e9d7bb6a5693f8a2365d12400f5)
2024-05-05 12:15:40 +01:00