Commit graph

3619 commits

Author SHA1 Message Date
KN4CK3R 7c11a73833
Fix package access for admins and inactive users (#21580)
I noticed an admin is not allowed to upload packages for other users
because `ctx.IsSigned` was not set.
I added a check for `user.IsActive` and `user.ProhibitLogin` too because
both was not checked. Tests enforce this now.

Co-authored-by: Lauris BH <lauris@nix.lv>
2022-10-24 22:23:25 +03:00
M Hickford 191a74d622
Record OAuth client type at registration (#21316)
The OAuth spec [defines two types of
client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1),
confidential and public. Previously Gitea assumed all clients to be
confidential.

> OAuth defines two client types, based on their ability to authenticate
securely with the authorization server (i.e., ability to
>   maintain the confidentiality of their client credentials):
>
>   confidential
> Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
> restricted access to the client credentials), or capable of secure
client authentication using other means.
>
>   **public
> Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the resource
owner, such as an installed native application or a web browser-based
application), and incapable of secure client authentication via any
other means.**
>
> The client type designation is based on the authorization server's
definition of secure authentication and its acceptable exposure levels
of client credentials. The authorization server SHOULD NOT make
assumptions about the client type.

 https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

> Authorization servers MUST record the client type in the client
registration details in order to identify and process requests
accordingly.

Require PKCE for public clients:
https://datatracker.ietf.org/doc/html/rfc8252#section-8.1

> Authorization servers SHOULD reject authorization requests from native
apps that don't use PKCE by returning an error message

Fixes #21299

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 15:59:24 +08:00
wxiaoguang dcd9fc7ee8
Refactor git command arguments and make all arguments to be safe to be used (#21535)
Follow #21464

Make all git command arguments strictly safe. Most changes are one-to-one replacing, keep all existing logic.
2022-10-23 22:44:45 +08:00
Yarden Shoham 63ebb53fd5
Add link to user profile in markdown mention only if user exists (#21533)
Previously mentioning a user would link to its profile, regardless of
whether the user existed. This change tests if the user exists and only
if it does - a link to its profile is added.

* Fixes #3444

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 01:15:52 +08:00
Yarden Shoham 2c77d4b195
Remove unnecessary debug log (#21536)
It distractingly shows up on unit tests

* Looks like a leftover from #20571

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-22 15:25:34 +08:00
KN4CK3R 1887c95254
Decouple HookTask from Repository (#17940)
At the moment a repository reference is needed for webhooks. With the
upcoming package PR we need to send webhooks without a repository
reference. For example a package is uploaded to an organization. In
theory this enables the usage of webhooks for future user actions.

This PR removes the repository id from `HookTask` and changes how the
hooks are processed (see `services/webhook/deliver.go`). In a follow up
PR I want to remove the usage of the `UniqueQueue´ and replace it with a
normal queue because there is no reason to be unique.

Co-authored-by: 6543 <6543@obermui.de>
2022-10-21 18:21:56 +02:00
Yarden Shoham e828564445
Add color previews in markdown (#21474)
* Resolves #3047

Every time a color code will be in \`backticks`, a cute little color
preview will pop up


[Inspiration](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#supported-color-models)

#### Before

![image](https://user-images.githubusercontent.com/20454870/196631524-298afbbf-d2c8-4018-92a5-0393a693d850.png)

#### After

![image](https://user-images.githubusercontent.com/20454870/196631397-36c561e4-08f5-465a-a36e-76084e30b08a.png)

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-21 20:00:53 +08:00
Lunny Xiao 16cbd5b59c
Fix generating compare link (#21519)
Fix #6318

Co-authored-by: zeripath <art27@cantab.net>
2022-10-21 16:39:26 +08:00
wxiaoguang 0614ae1c44
Remove unnecessary misspell ignore pattern (#21475)
It doesn't make sense to ignore the pattern again and again.
2022-10-18 12:52:25 -04:00
zeripath 716fcfcf72
Make every not exist error unwrappable to a fs.ErrNotExist (#20891)
A lot of our code is repeatedly testing if individual errors are
specific types of Not Exist errors. This is repetitative and unnecesary.
`Unwrap() error` provides a common way of labelling an error as a
NotExist error and we can/should use this.

This PR has chosen to use the common `io/fs` errors e.g.
`fs.ErrNotExist` for our errors. This is in some ways not completely
correct as these are not filesystem errors but it seems like a
reasonable thing to do and would allow us to simplify a lot of our code
to `errors.Is(err, fs.ErrNotExist)` instead of
`package.IsErr...NotExist(err)`

I am open to suggestions to use a different base error - perhaps
`models/db.ErrNotExist` if that would be felt to be better.


Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
2022-10-18 07:50:37 +02:00
6543 18622a0705
probe if sha before exec git (#21467) 2022-10-17 16:40:37 +02:00
Lunny Xiao f860a6d2e4
Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
KN4CK3R cad9adeff4
Display total commit count in hook message (#21400)
Fixes #21379

The commits are capped by `setting.UI.FeedMaxCommitNum` so
`len(commits)` is not the correct number. So this PR adds a new
`TotalCommits` field.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-17 00:22:34 +08:00
Yarden Shoham b9cd6fb703
Add code highlighting in issue titles (#21432)
This changes the rendering logic of issue titles. If a substring in an
issue title is enclosed with a pair of backticks, it'll be rendered with
a monospace font (HTML `code` tag).

* Closes #20887

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
2022-10-16 02:24:41 +08:00
wxiaoguang 677af6ac57
Follow improve code quality (#21465)
After some discussion, introduce a new slice `brokenArgs` to make
`gitCmd.Run()` return errors if any dynamic argument is invalid.

Co-authored-by: delvh <dev.lh@web.de>
2022-10-15 14:18:31 +02:00
wxiaoguang d98c5db58f
alternative to PR "improve code quality" (#21464)
This PR doesn't require new git version, and can be backported easily.

Co-authored-by: 6543 <6543@obermui.de>
2022-10-15 12:49:26 +02:00
KN4CK3R 0e58201d1a
Add support for Chocolatey/NuGet v2 API (#21393)
Fixes #21294

This PR adds support for NuGet v2 API.

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-13 18:19:39 +08:00
Clar Fon 42b803554c
Add HEAD fix to gitea doctor (#21352)
Due to a bug in presumably an older version of Gitea, multiple of my
repositories still have their HEADs pointing to a `master` branch while
the default branch on the UI is listed as `main`. This adds a `gitea
doctor` command that will fix all of the HEAD references for repos when
they're not synchronized with the default branch in the DB.

This will help with cloning to ensure that git automatically checks out
the right branch, instead of a nonexistent one.

Note: I'm not sure if I actually need to do more other than add a file
here. Will try testing this out on my server soon.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 12:17:55 -04:00
KN4CK3R 0e57ff7eee
Add generic set type (#21408)
This PR adds a generic set type to get rid of maps used as sets.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 13:18:26 +08:00
KN4CK3R 4dc3b2ec57
Use Name instead of DisplayName in LFS Lock (#21415)
Fixes #21268

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-10-11 21:03:15 -04:00
KN4CK3R 8752d89be7
Redirect to new repository owner (#21398)
Fixes #17655

If you rename `user1` to `user2` and visit `/user1` you get redirected
to `/user2`. But if you visit `/user1/repo` you just get a 404 error.
With this PR the user is redirected to `/user2/repo`.
2022-10-11 19:54:44 +08:00
Lunny Xiao 1428877c37
log real ip of requests from ssh (#21216)
Partially fix #21213.

This PR will get client IP address from SSH_CONNECTION env which should
be the first field of that. And deliver it to the internal API so Gitea
routers could record the real IP from SSH requests.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
2022-10-11 16:57:37 +08:00
Lauris BH b59b0cad0a
Add user/organization code search (#19977)
Fixes #19925 

Screenshots:

![attels](https://user-images.githubusercontent.com/165205/173864718-fe789429-55bc-4cad-808c-9f02f335cddf.png)
2022-10-11 00:12:03 +01:00
zeripath 3ccebf7f40
Stop logging CheckPath returns error: context canceled (#21064)
We should only log CheckPath errors if they are not simply due to
context cancellation - and we should add a little more context to the
error message.

Fix #20709

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-10-10 21:54:30 +01:00
eleith bbbf9a4b93
npm package registry support for bin (#21372)
Fix #21303

npm package.json supports binary packaging:
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#bin

the npm registry documents that the binary references will be attached
to the abbreviated version object:

https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-object

unfortunately their api documentation leaves this out:
https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-objectdoc

which is likely to be the reason this was left out in gitea's initial
implementation

this response is critical for npm to install the binary in the `.bin`
folder so as to be included on the users default bin path, resulting in
immediate access to any binaries provided by the package
2022-10-08 13:24:44 +08:00
zeripath 7d2545d183
Add nicer error handling on template compile errors (#21350)
There are repeated issues reported whereby users are unable to interpret
the template errors. This PR adds some (somewhat complex) error handling
to the panic recovery for template renderering but hopefully makes the
interpretation of the error easier.

Reference #21344

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-10-07 22:02:24 +01:00
wxiaoguang c08e42c47e
Refactor parseTreeEntries, speed up tree list (#21368)
Close #20315 (fix the panic when parsing invalid input), Speed up #20231 (use ls-tree without size field)

Introduce ListEntriesRecursiveFast (ls-tree without size) and ListEntriesRecursiveWithSize (ls-tree with size)
2022-10-08 01:20:53 +08:00
Andrew Imeson d94f15c2fd
Make external issue tracker regexp configurable via API (#21338)
Fixes #21336 

Signed-off-by: Andrew Imeson <andrew@andrewimeson.com>
2022-10-07 20:49:30 +08:00
delvh b001812df4
Fix and improve incorrect error messages (#21342)
L
2022-10-06 07:00:54 +01:00
Gennady Kovshenin fd2d5f06b0
Add stat to ToCommit function for speed (#21337)
Calls to ToCommit are very slow due to fetching diffs, analyzing files.
This patch lets us supply `stat` as false to speed fetching a commit
when we don't need the diff.

/v1/repo/commits has a default `stat` set as true now. Set to false to
experience fetching thousands of commits per second instead of 2-5 per
second.
2022-10-06 11:21:04 +08:00
wxiaoguang 8765f139c7
Fix typo in API comment document (#21347)
Close #21307

After the fix:

![image](https://user-images.githubusercontent.com/2114189/194120843-52566b84-6e29-4f91-859a-eb5839c68c54.png)
2022-10-05 21:26:34 +01:00
zeripath 93df41f506
Fix slight bug in katex (#21171)
There is a small bug in #20571 whereby `$a a$b b$` will not be correctly
detected as a math inline block of `a a$b b`. This PR fixes this.

Also reenable test cases as per #21340 

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-05 19:55:36 +01:00
Jason Song a08b484549
Tag list should include draft releases with existing tags (#21263)
Before, a tag for a draft release disappeared in the tag list, fix #21262.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-03 20:05:53 +08:00
Clar Fon 3d10193be2
Allow specifying SECRET_KEY_URI, similar to INTERNAL_TOKEN_URI (#19663)
Only load SECRET_KEY and INTERNAL_TOKEN if they exist.
Never write the config file if the keys do not exist, which was only a fallback for Gitea upgraded from < 1.5

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-02 01:26:33 +08:00
KN4CK3R b7309b8ccb
Add name field for org api (#21270)
related #21205

The field `UserName` is not really usefull for an organization.
This adds a second `Name` field.

The [GitHub API](https://docs.github.com/en/rest/orgs/orgs#get-an-organization) uses `name` too. `UserName` should be deprecated then.
2022-09-29 05:27:33 +02:00
qwerty287 1dfa28ffa5
Add API endpoint to get changed files of a PR (#21177)
This adds an api endpoint `/files` to PRs that allows to get a list of changed files.

built upon #18228, reviews there are included
closes https://github.com/go-gitea/gitea/issues/654

Co-authored-by: Anton Bracke <anton@ju60.de>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-29 04:27:20 +02:00
John Olheiser 8cd3237a9e
Better repo API unit checks (#21130)
This PR would presumably
Fix #20522
Fix #18773
Fix #19069
Fix #21077

Fix #13622

-----

1. Check whether unit type is currently enabled
2. Check if it _will_ be enabled via opt
3. Allow modification as necessary


Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
2022-09-28 00:23:58 +02:00
KN4CK3R 904b324716
Fix empty container layer history and UI (#21251)
Fixes #21248
2022-09-27 15:03:24 +02:00
silverwind ec0a06e52c
Upgrade chroma to v2.3.0 (#21259)
The behaviour of `PreventSurroundingPre` has changed in
https://github.com/alecthomas/chroma/pull/618 so that apparently it now
causes line wrapper tags to be no longer emitted, but we need some form
of indication to split the HTML into lines, so I did what
https://github.com/yuin/goldmark-highlighting/pull/33 did and added the
`nopWrapper`.

Maybe there are more elegant solutions but for some reason, just
splitting the HTML string on `\n` did not work.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-26 13:50:03 +08:00
wxiaoguang bb1e0d0aa5
Use en-US as fallback when using other default language (#21200)
Only en-US has complete translations. When use other language as
default, the en-US should still be used as fallback.

Close #21199

### Screenshot


![image](https://user-images.githubusercontent.com/2114189/190882906-b7a83958-0ea2-46c4-9084-42c4f9a239aa.png)

Co-authored-by: Lauris BH <lauris@nix.lv>
2022-09-25 02:00:16 +03:00
Nulo (he/him) cca189ef97
Save files in local storage as umask (#21198)
Go creates temporary files as 600, but sometimes we want the group to be able to read them (for example,
for another user to back up the storage)

This PR applies the umask to the renamed tmp files in local storage.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-24 21:04:14 +08:00
Jack Vine 83680c97a7
NPM Package Registry search API endpoint (#20280)
Close #20098, in the NPM registry API, implemented to match what's described by https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#get-v1search

Currently have only implemented the bare minimum to work with the [Unity Package Manager](https://docs.unity3d.com/Manual/upm-ui.html).

Co-authored-by: Jack Vine <jackv@jack-lemur-suse.cat-prometheus.ts.net>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-24 19:24:33 +08:00
KN4CK3R 0a9a86b943
Respect REQUIRE_SIGNIN_VIEW for packages (#20873)
Fix #20863

When REQUIRE_SIGNIN_VIEW = true, even with public repositories, you can only see them after you login. The packages should not be accessed without login.

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-21 21:01:18 +08:00
6543 c5e88fb03d
[API] teamSearch show teams with no members if user is admin (#21204)
close #21176
2022-09-19 20:02:29 +08:00
wxiaoguang 395f65c65a
Remove unnecessary length check for repo's Description & Website (#21194)
Follows #21119

The manual length check doesn't make sense nowadays:
1. The length check is already done by form's `binding:MaxSize` (then the manual check is unnecessary)
2. The CreateRepository doesn't have such check (then the manual check is inconsistent)

So this PR removes these manual length checks.
2022-09-18 10:35:24 +08:00
wxiaoguang 321964155a
Treat git object mode 40755 as directory (#21195)
Git uses 040000 for tree object, but some users may get 040755 for
unknown reasons

Try to fix #21190
* #21190
2022-09-18 09:31:20 +08:00
JakobDev 548387b2be
Show label description in comments section (#21156)
The labels in the comment section are currently missing the description that all other labels have.
2022-09-16 20:44:00 +08:00
JakobDev 8351172b6e
Limit length of repo description and repo url input fields (#21119)
Both allow only limited characters. If you input more, you will get a error
message. So it make sense to limit the characters of the input fields.

Slightly relax the MaxSize of repo's Description and Website
2022-09-16 15:19:16 +08:00
wxiaoguang 0ba2f53ca1
Passing command line arguments correctly by string slice (#21168)
Using `append(args, strings.Fields(arg)...)` is dangerous, it may
generate incorrect results.

For example: `arg1 "the dangerous"` will be splitted to 3 arguments:
`arg1`, `"the`, `dangerous"`. In some cases the incorrect arguments may
lead to security problems.
2022-09-14 15:59:52 +02:00
sergemedvid e07d089be0
Sort branches and tags by date descending (#21136)
This fixes #5709 and #17316 by changing the order of listed branches
and tags to show the ones with latest commits atop.
It's achieved with changing underlying "show-ref" git command with
"for-each-ref" as suggested in https://stackoverflow.com/a/5188364
Also, it's passing format string so the output matches "show-ref"
command output.

close #5709
close #17316
2022-09-14 14:11:24 +02:00