Commit graph

4280 commits

Author SHA1 Message Date
Gusted f5e78e4c20
[SECURITY] Rework long-term authentication
- This is a 'front-port' of the already existing patch on v1.21 and
v1.20, but applied on top of what Gitea has done to rework the LTA
mechanism. Forgejo will stick with the reworked mechanism by the Forgejo
Security team for the time being. The removal of legacy code (AES-GCM) has been
left out.
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit e3d6622a63)
(cherry picked from commit fef1a6dac5)
(cherry picked from commit b0c5165145)
(cherry picked from commit 7ad51b9f8d)
(cherry picked from commit 64f053f383)
2023-12-25 11:02:13 +01:00
Gusted 4b3d38d5e1
[DEADCODE] Add deadcode linter
- Add the experimental
[deacode](https://pkg.go.dev/golang.org/x/tools/internal/cmd/deadcode)
linter to Forgejo.
- To deal with false positives that can happen due to build tags or with code
that's currently only referenced by test code, the output of the tool is
compared against a known-good output.
- This commit doesn't make any attempt to remove any deadcode.

(cherry picked from commit ac462279e9)
(cherry picked from commit b5ea6e85ac)
(cherry picked from commit 5915f3643c)

[CLEANUP] Remove deadcode

- This is deadcode since https://codeberg.org/forgejo/forgejo/pulls/1802
removed the usage of it.

(cherry picked from commit d840b9923e)
(cherry picked from commit 9442bab626)
(cherry picked from commit 0de9d18863)
(cherry picked from commit 26abf78374)
(cherry picked from commit 05d3a143c3)
2023-12-25 11:02:06 +01:00
Earl Warren fdd4da111c
[FEAT] allow setting the update date on issues and comments
This field adds the possibility to set the update date when modifying
an issue through the API.

A 'NoAutoDate' in-memory field is added in the Issue struct.
If the update_at field is set, NoAutoDate is set to true and the
Issue's UpdatedUnix field is filled.

That information is passed down to the functions that actually updates
the database, which have been modified to not auto update dates if
requested.

A guard is added to the 'EditIssue' API call, to checks that the
udpate_at date is between the issue's creation date and the current
date (to avoid 'malicious' changes). It also limits the new feature
to project's owners and admins.

(cherry picked from commit c524d33402)

Add a SetIssueUpdateDate() function in services/issue.go

That function is used by some API calls to set the NoAutoDate and
UpdatedUnix fields of an Issue if an updated_at date is provided.

(cherry picked from commit f061caa655)

Add an updated_at field to the API calls related to Issue's Labels.

The update date is applied to the issue's comment created to inform
about the modification of the issue's labels.

(cherry picked from commit ea36cf80f5)

Add an updated_at field to the API call for issue's attachment creation

The update date is applied to the issue's comment created to inform
about the modification of the issue's content, and is set as the
asset creation date.

(cherry picked from commit 96150971ca)

Checking Issue changes, with and without providing an updated_at date

Those unit tests are added:

- TestAPIEditIssueWithAutoDate
- TestAPIEditIssueWithNoAutoDate

- TestAPIAddIssueLabelsWithAutoDate
- TestAPIAddIssueLabelsWithNoAutoDate

- TestAPICreateIssueAttachmentWithAutoDate
- TestAPICreateIssueAttachmentWithNoAutoDate

(cherry picked from commit 4926a5d7a2)

Add an updated_at field to the API call for issue's comment creation

The update date is used as the comment creation date, and is applied to
the issue as the update creation date.

(cherry picked from commit 76c8faecdc)

Add an updated_at field to the API call for issue's comment edition

The update date is used as the comment update date, and is applied to
the issue as an update date.

(cherry picked from commit cf787ad7fd)

Add an updated_at field to the API call for comment's attachment creation

The update date is applied to the comment, and is set as the asset
creation date.

(cherry picked from commit 1e4ff424d3)

Checking Comment changes, with and without providing an updated_at date

Those unit tests are added:

- TestAPICreateCommentWithAutoDate
- TestAPICreateCommentWithNoAutoDate

- TestAPIEditCommentWithAutoDate
- TestAPIEditCommentWithNoAutoDate

- TestAPICreateCommentAttachmentWithAutoDate
- TestAPICreateCommentAttachmentWithNoAutoDate

(cherry picked from commit da932152f1)

Pettier code to set the update time of comments

Now uses sess.AllCols().NoAutoToime().SetExpr("updated_unix", ...)

XORM is smart enough to compose one single SQL UPDATE which all
columns + updated_unix.

(cherry picked from commit 1f6a42808d)

Issue edition: Keep the max of the milestone and issue update dates.

When editing an issue via the API, an updated_at date can be provided.
If the EditIssue call changes the issue's milestone, the milestone's
update date is to be changed accordingly, but only with a greater
value.

This ensures that a milestone's update date is the max of all issue's
update dates.

(cherry picked from commit 8f22ea182e)

Rewrite the 'AutoDate' tests using subtests

Also add a test to check the permissions to set a date, and a test
to check update dates on milestones.

The tests related to 'AutoDate' are:
- TestAPIEditIssueAutoDate
- TestAPIAddIssueLabelsAutoDate
- TestAPIEditIssueMilestoneAutoDate
- TestAPICreateIssueAttachmentAutoDate
- TestAPICreateCommentAutoDate
- TestAPIEditCommentWithDate
- TestAPICreateCommentAttachmentAutoDate

(cherry picked from commit 961fd13c55)
(cherry picked from commit d52f4eea44)
(cherry picked from commit 3540ea2a43)

Conflicts:
	services/issue/issue.go
	https://codeberg.org/forgejo/forgejo/pulls/1415
(cherry picked from commit 56720ade00)

Conflicts:
	routers/api/v1/repo/issue_label.go
	https://codeberg.org/forgejo/forgejo/pulls/1462
(cherry picked from commit 47c78927d6)
(cherry picked from commit 2030f3b965)
(cherry picked from commit f02aeb7698)

Conflicts:
	routers/api/v1/repo/issue_attachment.go
	routers/api/v1/repo/issue_comment_attachment.go
	https://codeberg.org/forgejo/forgejo/pulls/1575
(cherry picked from commit d072525b35)
(cherry picked from commit 8424d0ab3d)
(cherry picked from commit 5cc62caec7)
(cherry picked from commit d6300d5dcd)

[FEAT] allow setting the update date on issues and comments (squash) apply the 'update_at' value to the cross-ref comments (#1676)

[this is a follow-up to PR #764]

When a comment of issue A referencing issue B is added with a forced 'updated_at' date, that date has to be applied to the comment created in issue B.

-----

Comment:

While trying my 'RoundUp migration script', I found that this case was forgotten in PR #764 - my apologies...

I'll try to write a functional test, base on models/issues/issue_xref_test.go

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1676
Co-authored-by: fluzz <fluzz@freedroid.org>
Co-committed-by: fluzz <fluzz@freedroid.org>
(cherry picked from commit ac4f727f63)
(cherry picked from commit 5110476ee9)
(cherry picked from commit 77ba6be1da)
(cherry picked from commit 9c8337b5c4)
(cherry picked from commit 1d689eb686)
(cherry picked from commit 511c519c87)
(cherry picked from commit 2f0b4a8f61)
2023-12-25 11:00:50 +01:00
Earl Warren 75f6716905
[GITEA] add GetFile to config provider
(cherry picked from commit 88d1b53eea)
(cherry picked from commit f63f71afad)
(cherry picked from commit 1f774145fc)
(cherry picked from commit 53e637693b)
(cherry picked from commit 4974cbf10a)
(cherry picked from commit 554bca7fae)
(cherry picked from commit 61b8cf83b9)
(cherry picked from commit d8bcc6f68c)
(cherry picked from commit ee04c34072)
(cherry picked from commit 713153a6d6)
(cherry picked from commit 4e18c4f8bb)
(cherry picked from commit 32be9db12d)
(cherry picked from commit fd50e9b9b4)
(cherry picked from commit 11717b864b)
(cherry picked from commit b70f3e0fa5)
(cherry picked from commit 2d802b2963)
(cherry picked from commit f61e2f71e2)
(cherry picked from commit 31723651c9)
(cherry picked from commit 38f6f703a0)
2023-12-25 11:00:50 +01:00
Earl Warren 5144ae2aa7
[TESTS] verify facts for the admin storage documentation
(cherry picked from commit 57e597bf7e)
(cherry picked from commit 643a2b0e81)
(cherry picked from commit f10faffb4f)
(cherry picked from commit b440c5767e)

[TESTS] verify facts for the admin storage documentation (squash)

(cherry picked from commit d83d8ce57b)
(cherry picked from commit d8855ef27c)
(cherry picked from commit 11230466ec)
(cherry picked from commit b2cdd9d971)
(cherry picked from commit a0a5e78524)
(cherry picked from commit 846413110f)
(cherry picked from commit 72b92d5a78)
(cherry picked from commit 7e039a9427)
(cherry picked from commit 227d42a1b6)
(cherry picked from commit 6488950a9b)
(cherry picked from commit 0285c99774)
(cherry picked from commit 0527bb20db)
(cherry picked from commit b4d3fd43e3)
(cherry picked from commit b45db64300)
(cherry picked from commit 722ab37611)
(cherry picked from commit ff45632b42)
2023-12-25 11:00:50 +01:00
Earl Warren 86e6981a93
[SEMVER] store SemVer in ForgejoSemVer after a database upgrade
(cherry picked from commit b7fe7cf401)
(cherry picked from commit cf339eed4f)
(cherry picked from commit 4f3a16168b)
(cherry picked from commit 6f5bbc53fc)
(cherry picked from commit aca42b422e)
(cherry picked from commit 5a7f7580e5)
(cherry picked from commit 06c383c807)
(cherry picked from commit fe831dcb53)
(cherry picked from commit cd12cd0dbc)
(cherry picked from commit cc79163703)
(cherry picked from commit 0102a5715e)
(cherry picked from commit 403f7520b3)
(cherry picked from commit a3b61510a2)
(cherry picked from commit f83f0f9feb)
(cherry picked from commit fd1c3a6d09)
(cherry picked from commit f7cdc3d6f1)
(cherry picked from commit 060121b644)
(cherry picked from commit 62c847ff02)
(cherry picked from commit 4d051b51c2)
2023-12-25 11:00:50 +01:00
Panagiotis "Ivory" Vasilopoulos 0e08cbc854
[FEAT] Use OpenStreetMap in USER_LOCATION_MAP_URL by default
Follow-up to d58c542579 for Forgejo.

By default, Gitea does not select any map service that can be used
to introduce a 'Show this place on a map' button in the location
field of a user profile. Before I tried upstreaming this change to
Gitea, this was the case in Forgejo. This patch essentially recovers
this functionality, which is nice for public-facing instances and
communities.

Links to original PRs:
- https://codeberg.org/forgejo/forgejo/pulls/1076
- https://github.com/go-gitea/gitea/pull/26214

(cherry picked from commit bb187d5f61)
(cherry picked from commit ce02ef9078)
(cherry picked from commit 6b75c40e25)
(cherry picked from commit 6bc8e9f573)
(cherry picked from commit 063f8afdf7)
(cherry picked from commit c5cc736b72)
(cherry picked from commit 7b1bb4bedc)
(cherry picked from commit 2a022dceb4)
(cherry picked from commit a946c142d2)
(cherry picked from commit 8a4ea0c7ab)
(cherry picked from commit 37bfb05b34)
(cherry picked from commit 12fbbb1754)
(cherry picked from commit abe9de2cd9)
(cherry picked from commit 84db578717)
(cherry picked from commit 1beab7af46)
(cherry picked from commit 8779d505f2)
(cherry picked from commit 21a788f2eb)
(cherry picked from commit a7cc6d1687)
(cherry picked from commit 25f840379f)
(cherry picked from commit 0db65f1122)
2023-12-25 11:00:49 +01:00
Loïc Dachary 1f645aecea
[SECURITY] default to pbkdf2 with 320,000 iterations
(cherry picked from commit 3ea0b287d7)
(cherry picked from commit db8392a8ac)
(cherry picked from commit bd2a5fa292)
(cherry picked from commit 2436acb3d9)
(cherry picked from commit 62f50e1c52)
(cherry picked from commit dba1892521)
(cherry picked from commit 4b58e3b6d4)
(cherry picked from commit 1247056856)
(cherry picked from commit afbaea7009)
(cherry picked from commit dcd4813d96)
(cherry picked from commit b51dc963d1)
(cherry picked from commit 611e895efd)
(cherry picked from commit fd492a03f5)
(cherry picked from commit 2c99991f44)
(cherry picked from commit 7426c1edb4)
(cherry picked from commit 373244f8b2)
(cherry picked from commit 4f6efecdb9)
(cherry picked from commit 61d500808e)
(cherry picked from commit 65f8384b63)
(cherry picked from commit 12ed28e734)
(cherry picked from commit ec6cdc9e1a)
(cherry picked from commit 08653ba051)
(cherry picked from commit d5847c87cb)
(cherry picked from commit 640a96e19b)
(cherry picked from commit 46177814a9)
(cherry picked from commit b0098f5a80)
(cherry picked from commit ce5ddeeca9)
(cherry picked from commit 5736fa1025)
(cherry picked from commit c43ca210fc)
(cherry picked from commit 7f92906bf3)
(cherry picked from commit f726525d2d)
(cherry picked from commit db86c93b0b)
(cherry picked from commit 6751bd93c3)
(cherry picked from commit 74bb523ac9)
(cherry picked from commit 94f9045a81)
(cherry picked from commit 5297eac42d)
(cherry picked from commit 57e3c57c51)
(cherry picked from commit c5cacfee51)
(cherry picked from commit dfa31ee004)
(cherry picked from commit d7d10a76b4)
(cherry picked from commit 62bd4edd46)
(cherry picked from commit 798c211f86)
2023-12-25 11:00:49 +01:00
Earl Warren 8ea00bcff4
[CI] Forgejo Actions based CI for PR & branches
(cherry picked from commit f9d75d4705)
(cherry picked from commit 64f76f4ab2)
(cherry picked from commit 5d02454155)

[CI] Forgejo Actions workflows

(cherry picked from commit 3ff59b5379)
(cherry picked from commit 8af826a6f7)
(cherry picked from commit d7c09d9cc8)

[CI] use the docker label instead of ubuntu-latest

(cherry picked from commit b6a6470db6)

[CI] all tests need compliance before proceeding

(cherry picked from commit b35c496f2c)
(cherry picked from commit 36a4148a8e)
(cherry picked from commit 7ffcffa653)
(cherry picked from commit 8a246d296e)
(cherry picked from commit dd0b6e1826)

[CI] Forgejo Actions based release process (squash) MySQL optimization

Refs: https://codeberg.org/forgejo/forgejo/issues/976
(cherry picked from commit b4b8c489e6)
(cherry picked from commit 1e861db4af)
(cherry picked from commit a6c0e00330)
(cherry picked from commit f97b336465)
(cherry picked from commit 6d65d5f0d6f798556a8f9e547896be03a5ee2f87)
(cherry picked from commit 79bfbadbed)
(cherry picked from commit e86c40a34a)
(cherry picked from commit da0c454adb)
(cherry picked from commit b49d892cda)

[CI] enable minio tests

(cherry picked from commit 4d8f438031)
(cherry picked from commit c4eeb0a61e)

[CI] Forgejo Actions based CI for PR & branches (squash) cleanup

(cherry picked from commit 80eb20e842)
(cherry picked from commit d2ff589858)
(cherry picked from commit f6eedecb67)
(cherry picked from commit cf458091e2)
(cherry picked from commit ddd322cb2d)
(cherry picked from commit f0f5729b64)

Conflicts:
	.github/workflows/pull-db-tests.yml
	https://codeberg.org/forgejo/forgejo/pulls/1573
(cherry picked from commit bb347aedd4)
(cherry picked from commit 0f5ebe8c3e)
(cherry picked from commit 9101cb4715)
(cherry picked from commit ab118fe4ef)

[CI] Forgejo Actions based CI for PR & branches (squash) use node:20-bookworm

No longer use the custom test-env image, it is unecessary technical
debt.

Also upgrade to bitnami/minio:2023.8.31 to align with what Gitea tests

(cherry picked from commit d9b77fd273)
(cherry picked from commit ef8f099f9e)
(cherry picked from commit 6d3c675d20)
(cherry picked from commit fc00ff45f2)
(cherry picked from commit b7f02b9846)
(cherry picked from commit d23d86e567)
(cherry picked from commit e68e65460c)
(cherry picked from commit 96f93a1fdb)
(cherry picked from commit 2ff3080018)
2023-12-25 10:29:14 +01:00
Loïc Dachary d531861850
[CI] Search .forgejo/workflows first
(cherry picked from commit 8b11cab677)
(cherry picked from commit be59270696)
(cherry picked from commit e068f8b191)
(cherry picked from commit 7855bb0c60)
(cherry picked from commit 45c4c8f443)
(cherry picked from commit 89520d67ff)
(cherry picked from commit 15eeb417a4)
(cherry picked from commit 6db53a2643)
(cherry picked from commit 2f689b321f)
(cherry picked from commit 04dc478314c3b4927cca78c354ca46ee217f035a)
(cherry picked from commit a554624f40)
(cherry picked from commit abca05f0d1)
(cherry picked from commit dc13e7eb22)
(cherry picked from commit a161c5740e)
(cherry picked from commit 06d33e2773)
(cherry picked from commit f536275161)
(cherry picked from commit 84ac6f314a)
(cherry picked from commit 1e8126edfc)
(cherry picked from commit 0287ac3416)
(cherry picked from commit 3e5fca2aae)
(cherry picked from commit 03b220bfeb)
(cherry picked from commit 1d033f4aaf)
(cherry picked from commit 2ee9e3e9a3)
(cherry picked from commit d28c284993)
(cherry picked from commit 239df83859)
(cherry picked from commit 96ae0c2e5d)
(cherry picked from commit 49aef71b32)
(cherry picked from commit 38b56d108d)
(cherry picked from commit 30f8d9ec3a)
2023-12-25 10:29:14 +01:00
Earl Warren cd80126a23
[CI] disable meilisearch/elasticsearch test, no server yet in CI
(cherry picked from commit a1381d9146fba42cb97d72d38525fa3e721bfb03)
(cherry picked from commit 74714e0246)
(cherry picked from commit 7749dbfe66)
(cherry picked from commit 4379249711)
(cherry picked from commit a69f55bebf)
(cherry picked from commit 24dd5fbfdb)
(cherry picked from commit dda856d6b8)
(cherry picked from commit bc14f4fa97)
(cherry picked from commit 78fef4f137)
(cherry picked from commit 69e013cc51)
(cherry picked from commit f173c6a273)
(cherry picked from commit 92f9d02547)
(cherry picked from commit c99d51e665)
(cherry picked from commit aa0650fd2b)
(cherry picked from commit 0a8ef91302)
(cherry picked from commit 7b54fe01c2)
(cherry picked from commit 0e154f366f)
(cherry picked from commit 02d88ee16d)
(cherry picked from commit 411924e017)
(cherry picked from commit f4e9ca6db5)
2023-12-25 10:29:14 +01:00
Earl Warren 95c755f4e3
[CI] disable redis test, no redis server yet in CI
(cherry picked from commit e1bbfa3619)
(cherry picked from commit 91245ca917)
(cherry picked from commit 705d0558be)
(cherry picked from commit 9247594970)
(cherry picked from commit 9db1158a48)
(cherry picked from commit 3b36b77d87)
(cherry picked from commit 162fa1d8ae)
(cherry picked from commit d03d0afbb5)
(cherry picked from commit 7b8f92f787)
(cherry picked from commit 035abca969)
(cherry picked from commit a8fbf6bb56)
(cherry picked from commit 3be681d037b07880236cae1aa70245e5eb4d1497)
(cherry picked from commit 7e5d471c83)
(cherry picked from commit 323801d935)
(cherry picked from commit 3fdfe4bfea)
(cherry picked from commit 58a07421a4)
(cherry picked from commit dbb71a4c85)
(cherry picked from commit d442113520)
(cherry picked from commit d3329f01f8)
(cherry picked from commit 069a1d68b8)
(cherry picked from commit 14919e609a)
(cherry picked from commit 49b76be106)
(cherry picked from commit 0fe9f257d2)
(cherry picked from commit b583bebeab)
(cherry picked from commit 5c616e43a6)
(cherry picked from commit 854bcea905)
(cherry picked from commit c2acb181c5)
(cherry picked from commit 1cb07e71d1)
(cherry picked from commit 5d3f09e635)
(cherry picked from commit f8bf1c8d42)
(cherry picked from commit a471ed4576)
2023-12-25 10:29:14 +01:00
Earl Warren e0a6ebfeca
[CLI] implement forgejo-cli
(cherry picked from commit 2555e315f7)
(cherry picked from commit 51b9c9092e)

[CLI] implement forgejo-cli (squash) support initDB

(cherry picked from commit 5c31ae602a)
(cherry picked from commit bbf76489a7)

Conflicts:
	because of d0dbe52e76
	upgrade to https://pkg.go.dev/github.com/urfave/cli/v2
(cherry picked from commit b6c1bcc008)

[CLI] implement forgejo-cli actions

(cherry picked from commit 08be2b226e)
(cherry picked from commit b6cfa88c6e)
(cherry picked from commit 59704200de)

[CLI] implement forgejo-cli actions generate-secret

(cherry picked from commit 6f7905c8ec)
(cherry picked from commit e085d6d273)

[CLI] implement forgejo-cli actions generate-secret (squash) NoInit

(cherry picked from commit 962c944eb2)

[CLI] implement forgejo-cli actions register

(cherry picked from commit 2f95143000)
(cherry picked from commit 42f2f8731e)

[CLI] implement forgejo-cli actions register (squash) no private

Do not go through the private API, directly modify the database

(cherry picked from commit 1ba7c0d39d)

[CLI] implement forgejo-cli actions

(cherry picked from commit 6f7905c8ec)
(cherry picked from commit e085d6d273)

[CLI] implement forgejo-cli actions generate-secret (squash) NoInit

(cherry picked from commit 962c944eb2)
(cherry picked from commit 4c121ef022)

Conflicts:
	cmd/forgejo/actions.go
	tests/integration/cmd_forgejo_actions_test.go
(cherry picked from commit 36997a48e3)

[CLI] implement forgejo-cli actions (squash) restore --version

Refs: https://codeberg.org/forgejo/forgejo/issues/1134
(cherry picked from commit 9739eb52d8)

[CI] implement forgejo-cli (squash) the actions subcommand needs config

(cherry picked from commit def638475122a26082ab3835842c84cd03839154)

Conflicts:
	cmd/main.go
	https://codeberg.org/forgejo/forgejo/pulls/1209
(cherry picked from commit a1758a3910)
(cherry picked from commit 935fa650c7)
(cherry picked from commit cd21026bc9)
(cherry picked from commit 1700b8973a)
(cherry picked from commit 1def42a379)
(cherry picked from commit 839d97521d)
(cherry picked from commit fd8c13be6b)
(cherry picked from commit 588e5d552f)
(cherry picked from commit 151a726620)

[v1.22] [CLI] implement forgejo-cli

https://codeberg.org/forgejo/forgejo/pulls/1541
(cherry picked from commit 46708de7b9)
(cherry picked from commit a8e5c1369e)
(cherry picked from commit c8a32aaf24)

Conflicts:
	models/actions/main_test.go
	https://codeberg.org/forgejo/forgejo/pulls/1656
(cherry picked from commit 79f4553063)
(cherry picked from commit 0379da0cf5)
(cherry picked from commit 331d58c085)
(cherry picked from commit 89705502c4)
(cherry picked from commit 4723d5febf)
(cherry picked from commit e71b260130)
(cherry picked from commit 6a376a5b48)

Conflicts:
	cmd/main.go
	https://codeberg.org/forgejo/forgejo/pulls/1969
(cherry picked from commit 6ba97cf4b5)
2023-12-25 10:25:16 +01:00
Earl Warren 48d5ffe1c0
[CI] DEFAULT_ACTIONS_URL = https://code.forgejo.org
[CI] Revert "Restrict `[actions].DEFAULT_ACTIONS_URL` to only `github` or `self` (#25581)"

This reverts commit 67bd9d4f1e.

(cherry picked from commit 0547e94023)
(cherry picked from commit d21ad654ad)
(cherry picked from commit b905e9d838)
(cherry picked from commit 251a5bf235b1723bc2bc324f9e8c03a8668bb5ae)
(cherry picked from commit b370e47694)
(cherry picked from commit 2cc28d0785)
(cherry picked from commit ed870a39e9)
(cherry picked from commit 7bb0c4654e)
(cherry picked from commit bab1f552c3)

Conflicts:
	custom/conf/app.example.ini
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1413

[CI] DEFAULT_ACTIONS_URL = https://codeberg.org

(cherry picked from commit 52b364ddbd)
(cherry picked from commit 99887cd567)
(cherry picked from commit cd5788782a)
(cherry picked from commit 71c698a704)
(cherry picked from commit 71386241dd)
(cherry picked from commit b7ab05aeac)
(cherry picked from commit e78b9ca59c)
(cherry picked from commit edb3adf460)
(cherry picked from commit 3e40088197)

[BRANDING] DEFAULT_ACTIONS_URL = https://code.forgejo.org

(cherry picked from commit d0e4512c90)
(cherry picked from commit 8ba6e04709)
(cherry picked from commit 6349081044)
(cherry picked from commit e06bd44495)
(cherry picked from commit d58219d8e1)
(cherry picked from commit 052f2c2aa4)
(cherry picked from commit 29dc395386)
(cherry picked from commit 9eef3f59f3)
(cherry picked from commit d650391fed)
(cherry picked from commit c2e6e8c55d)
(cherry picked from commit e28a47741d)

[CI] DEFAULT_ACTIONS_URL support for self & github (squash)

Refs: https://codeberg.org/forgejo/forgejo/issues/1062
(cherry picked from commit 74cc25376e)
(cherry picked from commit 405430708f)
(cherry picked from commit 0274a6dee7f383bcd6b65b995b991b5ab0ee635a)
(cherry picked from commit be5cda0fd0)
(cherry picked from commit d27474849f)
(cherry picked from commit 4a5e9e2d81)
(cherry picked from commit 65b31906b2)
(cherry picked from commit 13cf0b0963)

Conflicts:
	custom/conf/app.example.ini
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1413
(cherry picked from commit 49529badce)

Conflicts:
	custom/conf/app.example.ini
	docs/content/administration/config-cheat-sheet.en-us.md
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1460
(cherry picked from commit 00327b9b1f)
(cherry picked from commit 3b322e43d5)
(cherry picked from commit 492cc52059)

Conflicts:
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1573
(cherry picked from commit 9027b655df)
(cherry picked from commit 4764383028)
(cherry picked from commit fbb00fd1cf)
(cherry picked from commit 417cd6c801)
(cherry picked from commit 6b70773ad8)
(cherry picked from commit 9ba069327d)

Conflicts:
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1827
(cherry picked from commit 727edf19ee)
(cherry picked from commit 689326ce20)
(cherry picked from commit 745d60aec4)
(cherry picked from commit cb4ae4582c)
2023-12-25 10:25:16 +01:00
Lunny Xiao 177cea7c70
Make offline mode as default to no connect external avatar service by default (#28548)
To keep user's privacy, make offline mode as true by default.

Users can still change it from installation ui and app.ini
2023-12-21 07:42:16 +00:00
wxiaoguang e4a24d6727
Fix the issue ref rendering for wiki (#28556)
Fix #28526, regression of 
* #26365

(although the author of #26365 has recent activities, but there is no
response for the regression, so I proposed this quick fix and keep the
fix simple to make it easier to backport to 1.21)
2023-12-20 14:11:59 +00:00
Lunny Xiao 577421691b
Add missing head of lfs client batch (#28550)
ref https://github.com/git-lfs/git-lfs/blob/main/docs/api/batch.md#git-lfs-batch-api
2023-12-20 12:54:34 +01:00
Lunny Xiao e7cb8da2a8
Always enable caches (#28527)
Nowadays, cache will be used on almost everywhere of Gitea and it cannot
be disabled, otherwise some features will become unaviable.

Then I think we can just remove the option for cache enable. That means
cache cannot be disabled.
But of course, we can still use cache configuration to set how should
Gitea use the cache.
2023-12-19 09:29:05 +00:00
Lunny Xiao 4eb2a29910
Improve ObjectFormat interface (#28496)
The 4 functions are duplicated, especially as interface methods. I think
we just need to keep `MustID` the only one and remove other 3.

```
MustID(b []byte) ObjectID
MustIDFromString(s string) ObjectID
NewID(b []byte) (ObjectID, error)
NewIDFromString(s string) (ObjectID, error)
```

Introduced the new interfrace method `ComputeHash` which will replace
the interface `HasherInterface`. Now we don't need to keep two
interfaces.

Reintroduced `git.NewIDFromString` and `git.MustIDFromString`. The new
function will detect the hash length to decide which objectformat of it.
If it's 40, then it's SHA1. If it's 64, then it's SHA256. This will be
right if the commitID is a full one. So the parameter should be always a
full commit id.

@AdamMajer Please review.
2023-12-19 07:20:47 +00:00
Bo-Yi Wu 14ffdf6173
chore(api): support ignore password if login source type is LDAP for creating user API (#28491)
- Modify the `Password` field in `CreateUserOption` struct to remove the
`Required` tag
- Update the `v1_json.tmpl` template to include the `email` field and
remove the `password` field

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2023-12-19 02:32:45 +00:00
wxiaoguang 11f0519ad8
Update go dependencies (#28518)
Update golang.org/x/crypto for CVE-2023-48795 and update other packages.
`go-git` is not updated because it needs time to figure out why some
tests fail.
2023-12-19 09:18:42 +08:00
Earl Warren e02095c5b6
Add orphaned topic consistency check (#28507)
- If a topic has zero repository count, it means that none of the
repositories are using that topic, that would make them 'useless' to
keep. One caveat is that if that topic is going to be used in the
future, it will be added again to the database, but simply with a new
ID.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1964

Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-12-18 15:32:08 +00:00
wxiaoguang 20929edc99
Add option to disable ambiguous unicode characters detection (#28454)
* Close #24483
* Close #28123
* Close #23682
* Close #23149

(maybe more)
2023-12-17 14:38:54 +00:00
Lunny Xiao 408a484224
Adjust object format interface (#28469)
- Remove `ObjectFormatID`
- Remove function `ObjectFormatFromID`.
- Use `Sha1ObjectFormat` directly but not a pointer because it's an
empty struct.
- Store `ObjectFormatName` in `repository` struct
2023-12-17 11:56:08 +00:00
Earl Warren 9a15267871
Initalize stroage for orphaned repository doctor (#28487)
- When a repository is orphaned and has objects stored in any of the
storages such as repository avatar or attachments the delete function
would error, because the storage module wasn't initalized.
- Add code to initialize the storage module.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1954

Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-12-16 12:17:39 +00:00
wxiaoguang 9947af639c
Only use SHA256 feature when git >= 2.42 (#28466)
And fix some comments
2023-12-14 16:51:05 +08:00
Adam Majer cbf923e87b
Abstract hash function usage (#28138)
Refactor Hash interfaces and centralize hash function. This will allow
easier introduction of different hash function later on.

This forms the "no-op" part of the SHA256 enablement patch.
2023-12-13 21:02:00 +00:00
Jack Hay 4e879fed90
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
wxiaoguang f2a309e6c8
Improve doctor cli behavior (#28422)
1. Do not sort the "checks" slice again and again when "Register", it
just wastes CPU when the Gitea instance runs
2. If a check doesn't exist, tell the end user
3. Add some tests
2023-12-11 15:55:10 +00:00
Lunny Xiao 537fa69962
Second part of refactor db.Find (#28194)
Continue of #27798 and move more functions to `db.Find` and `db.Count`.
2023-12-11 16:56:48 +08:00
Adam Majer d9c19899cd
Make gogit Repository.GetBranchNames consistent (#28348) 2023-12-07 12:08:17 -05:00
Lunny Xiao dd30d9d5c0
Remove GetByBean method because sometimes it's danger when query condition parameter is zero and also introduce new generic methods (#28220)
The function `GetByBean` has an obvious defect that when the fields are
empty values, it will be ignored. Then users will get a wrong result
which is possibly used to make a security problem.

To avoid the possibility, this PR removed function `GetByBean` and all
references.
And some new generic functions have been introduced to be used.

The recommand usage like below.

```go
// if query an object according id
obj, err := db.GetByID[Object](ctx, id)
// query with other conditions
obj, err := db.Get[Object](ctx, builder.Eq{"a": a, "b":b})
```
2023-12-07 15:27:36 +08:00
Jason Song beb71f5ef6
Include public repos in doer's dashboard for issue search (#28304)
It will fix #28268 .

<img width="1313" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/cb1e07d5-7a12-4691-a054-8278ba255bfc">

<img width="1318" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/4fd60820-97f1-4c2c-a233-d3671a5039e9">

## ⚠️ BREAKING ⚠️

But need to give up some features:

<img width="1312" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/281c0d51-0e7d-473f-bbed-216e2f645610">

However, such abandonment may fix #28055 .

## Backgroud

When the user switches the dashboard context to an org, it means they
want to search issues in the repos that belong to the org. However, when
they switch to themselves, it means all repos they can access because
they may have created an issue in a public repo that they don't own.

<img width="286" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/182dcd5b-1c20-4725-93af-96e8dfae5b97">

It's a confusing design. Think about this: What does "In your
repositories" mean when the user switches to an org? Repos belong to the
user or the org?

Whatever, it has been broken by #26012 and its following PRs. After the
PR, it searches for issues in repos that the dashboard context user owns
or has been explicitly granted access to, so it causes #28268.

## How to fix it

It's not really difficult to fix it. Just extend the repo scope to
search issues when the dashboard context user is the doer. Since the
user may create issues or be mentioned in any public repo, we can just
set `AllPublic` to true, which is already supported by indexers. The DB
condition will also support it in this PR.

But the real difficulty is how to count the search results grouped by
repos. It's something like "search issues with this keyword and those
filters, and return the total number and the top results. **Then, group
all of them by repo and return the counts of each group.**"

<img width="314" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/5206eb20-f8f5-49b9-b45a-1be2fcf679f4">

Before #26012, it was being done in the DB, but it caused the results to
be incomplete (see the description of #26012).

And to keep this, #26012 implement it in an inefficient way, just count
the issues by repo one by one, so it cannot work when `AllPublic` is
true because it's almost impossible to do this for all public repos.


1bfcdeef4c/modules/indexer/issues/indexer.go (L318-L338)

## Give up unnecessary features

We may can resovle `TODO: use "group by" of the indexer engines to
implement it`, I'm sure it can be done with Elasticsearch, but IIRC,
Bleve and Meilisearch don't support "group by".

And the real question is, does it worth it? Why should we need to know
the counts grouped by repos?

Let me show you my search dashboard on gitea.com.

<img width="1304" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/2bca2d46-6c71-4de1-94cb-0c9af27c62ff">

I never think the long repo list helps anything.

And if we agree to abandon it, things will be much easier. That is this
PR.

## TODO

I know it's important to filter by repos when searching issues. However,
it shouldn't be the way we have it now. It could be implemented like
this.

<img width="1316" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/99ee5f21-cbb5-4dfe-914d-cb796cb79fbe">

The indexers support it well now, but it requires some frontend work,
which I'm not good at. So, I think someone could help do that in another
PR and merge this one to fix the bug first.

Or please block this PR and help to complete it.

Finally, "Switch dashboard context" is also a design that needs
improvement. In my opinion, it can be accomplished by adding filtering
conditions instead of "switching".
2023-12-07 13:26:18 +08:00
wxiaoguang 1e512b800c
Use filepath instead of path to create SQLite3 database file (#28374) 2023-12-06 16:57:52 +00:00
capvor c1b86ecdab
Fix incorrect default value of [attachment].MAX_SIZE (#28373) 2023-12-06 10:59:56 -05:00
Earl Warren 876a0cb3d6
Render PyPi long description as document (#28272)
Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-12-05 15:02:01 +00:00
darrinsmart 38a93a0665
Convert git commit summary to valid UTF8. (#28356)
The summary string ends up in the database, and (at least) MySQL &
PostgreSQL require valid UTF8 strings.

Fixes #28178

Co-authored-by: Darrin Smart <darrin@filmlight.ltd.uk>
2023-12-05 14:34:24 +08:00
KN4CK3R 14354e4f8e
Read previous info from git blame (#28306)
Fixes #28280

Reads the `previous` info from the `git blame` output instead of
calculating it afterwards.
2023-12-01 01:26:52 +00:00
Brecht Van Lommel a7de14e493
Meilisearch: require all query terms to be matched (#28293)
Previously only the first term had to be matched. That default
Meilisearch behavior makes sense for e.g. some kind of autocomplete to
find and select a single result. But for filtering issues it means you
can't narrow down results by adding more terms.

This is also more consistent with other indexers and GitHub.

---

Reference:
https://www.meilisearch.com/docs/reference/api/search#matching-strategy
2023-11-29 23:00:59 +08:00
wxiaoguang b348424c64
Ignore "non-existing" errors when getDirectorySize calculates the size (#28276)
The git command may operate the git directory (add/remove) files in any
time.

So when the code iterates the directory, some files may disappear during
the "walk". All "IsNotExist" errors should be ignored.

Fix #26765
2023-11-29 13:08:58 +08:00
Earl Warren cb8298b717
Ignore temporary files for directory size (#28265)
Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-11-28 21:53:21 +00:00
pitpalme eacce14546
Fix delete-orphaned-repos (#28200)
gitea doctor failed at checking and fixing 'delete-orphaned-repos',
because table name 'user' needs quoting to be correctly recognized by at
least PostgreSQL.

fixes #28199
2023-11-24 14:46:19 +00:00
wxiaoguang 2ac2796a4c
Refactor graceful manager to use shared code (#28073)
Make "windows" and "unix" share as much code as possible. No logic
change.
2023-11-24 14:21:46 +00:00
Earl Warren 1075ff74b5
Use restricted sanitizer for repository description (#28141)
- Currently the repository description uses the same sanitizer as a
normal markdown document. This means that element such as heading and
images are allowed and can be abused.
- Create a minimal restricted sanitizer for the repository description,
which only allows what the postprocessor currently allows, which are
links and emojis.
- Added unit testing.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1202
- Resolves https://codeberg.org/Codeberg/Community/issues/1122

(cherry picked from commit 631c87cc23)

Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-11-23 16:34:25 +00:00
wxiaoguang 7c0ab8b974
Make CORS work for oauth2 handlers (#28184)
Fix #25473

Although there was `m.Post("/login/oauth/access_token", CorsHandler()...`,
it never really worked, because it still lacks the "OPTIONS" handler.
2023-11-23 21:19:26 +08:00
yp05327 a6a674e26a
Add guide page to actions when there's no workflows (#28145)
Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/599d40c1-9b8d-4189-9286-c9c36fb780dd)

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/848a73d1-aaec-478f-93a7-adcc7ee18907)
2023-11-21 08:27:33 +00:00
Denys Konovalov 816e46ee7c
add skip ci functionality (#28075)
Adds the possibility to skip workflow execution if the commit message
contains a string like [skip ci] or similar.

The default strings are the same as on GitHub, users can also set custom
ones in app.ini

Reference:
https://docs.github.com/en/actions/managing-workflow-runs/skipping-workflow-runs

Close #28020
2023-11-18 13:37:08 +02:00
Nanguan Lin f63b116697
Change default size of attachments and repo files (#28100)
https://github.com/go-gitea/gitea/pull/27946 forgets to change them in
code. Sorry about that.
2023-11-17 11:42:00 +00:00
wxiaoguang 17d246cdcc
Fix incorrect pgsql conn builder behavior (#28085)
Fix #28083 and fix the tests
2023-11-17 02:30:57 +00:00
wxiaoguang 79394b340d
Improve graceful manager code/comment (#28063)
The graceful manager has some bugs (#27643, #28062). This is a
preparation for further fixes.
2023-11-15 22:02:46 +08:00