Commit graph

826 commits

Author SHA1 Message Date
a1012112796 f43df2f820
fix reopen logic for agit flow pull request (#26399) (#26613)
Backport #26399

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-08-21 13:13:34 +00:00
Giteabot 1cedf36d30
Fix "issueReposQueryPattern does not match query" (#26556) (#26564)
Backport #26556 by @wolfogre

Fix
`https://github.com/go-gitea/gitea/pull/26545#discussion_r1295734340`

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-17 21:13:00 +08:00
Giteabot 7da85fa0c3
Sync repo's IsEmpty status correctly (#26517) (#26560)
Backport #26517 by @wxiaoguang

Close #26509

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-17 05:12:14 +00:00
Giteabot 0ac8b774e9
Fix typo of RunerOwnerID (#26508) (#26528)
Backport #26508 by @yp05327

Co-authored-by: yp05327 <576951401@qq.com>
2023-08-16 06:28:39 +00:00
Giteabot acc0fd22d8
Add ThreadID parameter for Telegram webhooks (#25996) (#26480)
Backport #25996

Telegram has recently implemented threads (channels) for group chats.

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: neveraskedtoexist <matikot415@gmail.com>
2023-08-14 08:55:17 +08:00
crystal f155cf60d3
Improve profile readme rendering (#25988) (#26453)
manual backport of #25988 to v1.20

- Tell the renderer to use the `document` mode, so it's consistent with
other renderers.
- Use the same padding as `.file-view.markup`, so it's consistent with
other containers that contain markup rendering.
- Resolves https://codeberg.org/forgejo/forgejo/issues/833

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
2023-08-11 10:58:50 +02:00
Lunny Xiao 368e9e0f1b
Add transaction when creating pull request created dirty data (#26259) (#26437)
Backport #26259 

This PR will introduce a transaction on creating pull request so that if
some step failed, it will rollback totally. And there will be no dirty
pull request exist.

Co-authored-by: Giteabot <teabot@gitea.io>
2023-08-11 05:27:23 +00:00
Giteabot ec37ea5945
Fix wrong middleware sequence (#26428) (#26436)
Backport #26428 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-08-10 11:26:22 +00:00
wxiaoguang 8ad331c9d2
Fix admin queue page title and fix CI failures (#26409) (#26421)
Backport #26409

* Fix #26408
* Bypass the data race issue in "ssh" package
2023-08-10 11:04:48 +02:00
Giteabot 2d1a7e1cd4
Introduce ctx.PathParamRaw to avoid incorrect unescaping (#26392) (#26405)
Backport #26392 by @wxiaoguang

Fix #26389

And complete an old TODO: `ctx.Params does un-escaping,..., which is
incorrect.`

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-09 07:31:44 +00:00
Giteabot 060026995a
Fix pull request check list is limited (#26179) (#26245)
Backport #26179 by @CaiCandong

In the original implementation, we can only get the first 30 records of
the commit status (the default paging size), if the commit status is
more than 30, it will lead to the bug #25990. I made the following two
changes.
- On the page, use the ` db.ListOptions{ListAll: true}` parameter
instead of `db.ListOptions{}`
- The `GetLatestCommitStatus` function makes a determination as to
whether or not a pager is being used.

fixed #25990

Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com>
2023-07-31 08:56:46 +00:00
Giteabot 3a29712e0a
Fix access check for org-level project (#26182) (#26223)
Backport #26182 by @Zettat123

Fix #25934

Add `ignoreGlobal` parameter to `reqUnitAccess` and only check global
disabled units when `ignoreGlobal` is true. So the org-level projects
and user-level projects won't be affected by global disabled
`repo.projects` unit.

Co-authored-by: Zettat123 <zettat123@gmail.com>
2023-07-29 18:50:58 +00:00
Lunny Xiao c598741f01
Display deprecated warning in admin panel pages as well as in the log file (#26094) (#26154)
backport #26094 
Temporily resolve #25915
Related #25994

This PR includes #26007 's changes but have a UI to prompt administrator
about the deprecated settings as well as the log or console warning.
Then users will have enough time to notice the problem and don't have
surprise like before.

<img width="1293" alt="图片"
src="https://github.com/go-gitea/gitea/assets/81045/c33355f0-1ea7-4fb3-ad43-cd23cd15391d">
2023-07-26 09:22:39 +00:00
Giteabot 54a516e9da
Fix the route for pull-request's authors (#26016) (#26018)
Backport #26016 by @wxiaoguang

Close #25906



![image](https://github.com/go-gitea/gitea/assets/2114189/e689f3e1-9a90-46c0-89f4-2d61394d34d3)


Succeeded logs:

```
[I] router: completed GET /root/test/issues/posters?&q=%20&_=1689853025011 for [::1]:59271, 200 OK in 127.7ms @ repo/issue.go:3505(repo.IssuePosters)


[I] router: completed GET /root/test/pulls/posters?&q=%20&_=1689853968204 for [::1]:59269, 200 OK in 94.3ms @ repo/issue.go:3509(repo.PullPosters)
```

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-07-20 13:38:12 +00:00
Giteabot ee47face12
Update path related documents (#25417) (#25982)
Backport #25417 by @wxiaoguang

Update WorkPath/WORK_PATH related documents, remove out-dated
information.

Remove "StaticRootPath" on the admin config display page, because few
end user really need it, it only causes misconfiguration.


![image](https://github.com/go-gitea/gitea/assets/2114189/8095afa4-da76-436b-9e89-2a92c229c01d)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-07-19 09:48:54 +00:00
Giteabot b7d054e4b5
Ignore runs-on with expressions when warning no matched runners (#25917) (#25933)
Backport #25917 by @wolfogre

Fix #25905

Co-authored-by: Jason Song <i@wolfogre.com>
2023-07-18 06:40:28 +00:00
Giteabot 9159964ada
Avoid opening/closing PRs which are already merged (#25883) (#25903)
Backport #25883 by @yp05327

We can select PRs to open/close them by one click, but we forgot to
check whether it is merged.
You can get an opening merged PR:

![image](https://github.com/go-gitea/gitea/assets/18380374/22c2e747-4bb9-4742-a9aa-ef39d5308bc5)

You can confirm this in:
https://try.gitea.io/yp05327/testrepo/pulls/5

Co-authored-by: yp05327 <576951401@qq.com>
2023-07-17 12:14:22 +00:00
Giteabot 36b9a86bd8
Fix incorrect milestone count when provide a keyword (#25880) (#25904)
Backport #25880 by @yp05327

You can confirm this issue in:
https://try.gitea.io/yp05327/testrepo/milestones?state=open&q=a
There's no milestone, but the count is 1.

![image](https://github.com/go-gitea/gitea/assets/18380374/25e58cee-aeeb-43c1-8ec8-6e2ec6bf1284)

Co-authored-by: yp05327 <576951401@qq.com>
2023-07-17 11:12:59 +02:00
Giteabot de8127e78b
fix incorrect repo url when changed the case of ownername (#25733) (#25881)
Backport #25733 by @hiifong

When only the casing of the username changes, update the owner name of the repo,
and keep the original logic consistent with other conditions.

example: assume your username is `gitea`, lowercase username is `gitea` too,
repo URL is `.../gitea/{repo}`.
You change your username to `Gitea`, `GiTea` or something like that,
as long as the lowercase username is still `gitea`, the repo URL remained `.../gitea/{repo}`.

this pr keeps the new username consistent with the repo URL.

Before:

![image](https://github.com/go-gitea/gitea/assets/89133723/84177296-f0ff-4176-84f1-1f9ec3f5b86f)
![image](https://github.com/go-gitea/gitea/assets/89133723/8f8f4a12-ecdd-4dec-af89-85c009b0ccfe)

After: 

![image](https://github.com/go-gitea/gitea/assets/89133723/0564edb6-9467-405a-8cd4-d6f70e6f614b)
![image](https://github.com/go-gitea/gitea/assets/89133723/554ecd6e-e5a1-43bc-a46d-99e988c2ff58)

Co-authored-by: hiifong <i@hiif.ong>
2023-07-15 19:47:24 +02:00
Giteabot 026e745b9e
Fix incorrect release count (#25879) (#25887)
Backport #25879 by @yp05327

Release count is not correct:
https://try.gitea.io/yp05327/testrepo/tags

![image](https://github.com/go-gitea/gitea/assets/18380374/07f97c62-d450-4ccb-b3f2-3e0af9d9fc52)

https://try.gitea.io/yp05327/testrepo/releases

![image](https://github.com/go-gitea/gitea/assets/18380374/6f1d55a4-bb68-445d-84b9-90552a40f403)

https://try.gitea.io/yp05327/testrepo/releases/tag/testtag

![image](https://github.com/go-gitea/gitea/assets/18380374/09ab5d51-52b6-4621-a571-3100198eb260)

We already have correct release count, no need to calculate it again.

c5e187c389/modules/context/repo.go (L547)

Co-authored-by: yp05327 <576951401@qq.com>
2023-07-14 09:32:43 +00:00
Giteabot c334be8284
Fix empty project displayed in issue sidebar (#25802) (#25854)
Backport #25802 by @yp05327

You can confirm this issue in
https://try.gitea.io/yp05327/testrepo/issues/2

Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/1ab476dc-2f9b-4c85-9e87-105fc73af1ee)
After:

![image](https://github.com/go-gitea/gitea/assets/18380374/786f984d-5c27-4eff-b3d9-159f68034ce4)

This issue comes from the change in #25468.
`LoadProject` will always return at least one record, so we use
`ProjectID` to check whether an issue is linked to a project in the old
code.
As other `issue.LoadXXX` functions, we need to check the return value
from `xorm.Session.Get`.

In recent unit tests, we only test `issueList.LoadAttributes()` but
don't test `issue.LoadAttributes()`. So I added a new test for
`issue.LoadAttributes()` in this PR.

Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: Denys Konovalov <privat@denyskon.de>
2023-07-12 19:07:03 +02:00
Giteabot 052e65e63f
Fix incorrect oldest sort in project list (#25806) (#25835)
Backport #25806 by @yp05327

sort type `oldest` should be `Asc`.
Added a test for this.

I see we have `SearchOrderBy` in db model, but we are using many
different ways to define the sort type.
~Maybe we can improve this later.~
↑ Improved in this PR

Co-authored-by: yp05327 <576951401@qq.com>
2023-07-12 13:22:17 +08:00
Giteabot 2b79d3fd52
For API attachments, use API URL (#25639) (#25814)
Backport #25639 by @lunny

Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-07-10 12:56:16 +00:00
Giteabot a5a3c81412
Fix notification list bugs (#25781) (#25787)
Backport #25781 by @wxiaoguang

Fix #25627

1. `ctx.Data["Link"]` should use relative URL but not AppURL
2. The `data-params` is incorrect because it doesn't contain "page". JS
can simply use "window.location.search" to construct the AJAX URL
3. The `data-xxx` and `id` in notification_subscriptions.tmpl were
copied&pasted, they don't have affect.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-07-09 19:15:00 +00:00
Giteabot 03cacf971e
Check ctx.Written() for GetActionIssue (#25698) (#25711)
Backport #25698 by @wolfogre

Fix #25697.

Just avoid panic, maybe there's another bug to trigger this case.

Co-authored-by: Jason Song <i@wolfogre.com>
2023-07-06 21:04:26 +02:00
Giteabot 04eea29ecb
Fix tags header and pretty format numbers (#25624) (#25694)
Backport #25624 by @lunny

This casused by #23465

Before

release disabled
<img width="1320" alt="图片"
src="https://github.com/go-gitea/gitea/assets/81045/190a1c81-daa5-41bc-91ac-c9a0bf629b5f">

release enabled
<img width="1320" alt="图片"
src="https://github.com/go-gitea/gitea/assets/81045/a0372c31-727c-4ee0-a6b9-30e502498d90">

After

release disabled
<img width="1304" alt="图片"
src="https://github.com/go-gitea/gitea/assets/81045/a747ea80-a3d9-4792-8f6d-e8955da78b9e">

release enabled
<img width="1290" alt="图片"
src="https://github.com/go-gitea/gitea/assets/81045/7c0bc43a-9149-4148-859d-35839aeb60ca">

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-07-05 07:08:16 +00:00
silverwind 24e64fe372
Replace interface{} with any (#25686) (#25687)
Same perl replacement as https://github.com/go-gitea/gitea/pull/25686
but for 1.20 to ease future backporting.
2023-07-04 23:41:32 -04:00
Giteabot 5510ed34f1
Fix the nil pointer when assigning issues to projects (#25665) (#25677)
Backport #25665 by @Zettat123

Fixes #25649
Caused by #25468

Co-authored-by: Zettat123 <zettat123@gmail.com>
2023-07-04 10:59:01 +00:00
Giteabot 69bdcf41f3
Log the real reason when authentication fails (but don't show the user) (#25414) (#25660)
Backport #25414 by @lunny

Fix #24498

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-07-03 19:26:36 -04:00
wxiaoguang f51c8e0008
Make "cancel" buttons have proper type in modal forms (#25618) (#25641)
Replace #25446, fix #25438

All "cancel" buttons which do not have "type" should not submit the
form, should not be triggered by "Enter".

This is a complete fix for all modal dialogs.

The major change is "modules/aria/modal.js", "devtest" related code is
for demo/test purpose.
2023-07-03 17:09:38 +08:00
KN4CK3R c27a3af728
Redirect to package after version deletion (#25594) (#25599)
Related #25559

Current behaviour:
1. Deletion of a package version
2. Redirect to the owners package list

New behaviour:
1. Deletion of a package version
2.1. If there are more versions available, redirect to the package again
2.2. If there are no versions available, redirect to the owners package
list
2023-06-30 00:14:57 +02:00
Giteabot 9bbb4d8d6d
Improve loadprojects for issue list (#25468) (#25493) 2023-06-26 02:06:58 +00:00
Giteabot 51789ba12d
Improve wiki sidebar and TOC (#25460) (#25477)
Backport #25460 by @wxiaoguang

Close #20976
Close #20975

1. Fix the bug: the TOC in footer was incorrectly rendered as main
content's TOC
2. Fix the layout: on mobile, the TOC is put above the main content,
while the sidebar is put below the main content
3. Auto collapse the TOC on mobile

ps: many styles of "wiki.css" are moved from old css files, so leave
nits to following PRs.

### for desktop


![image](https://github.com/go-gitea/gitea/assets/2114189/6c84201c-0648-465a-99e6-c53cdaee53c0)

### for mobile


![image](https://github.com/go-gitea/gitea/assets/2114189/9cb4fdfe-b6ab-4e6f-ae82-219ddb8fa27e)

### other changed pages

<details>


![image](https://github.com/go-gitea/gitea/assets/2114189/ef077736-2c3e-4e3d-82fe-d9bf1ebcca98)


![image](https://github.com/go-gitea/gitea/assets/2114189/bb528429-ad5f-4258-a5c4-05f997c624ea)

</details>

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-24 10:16:15 +08:00
wxiaoguang 061b68e995
Refactor path & config system (#25330) (#25416)
Backport #25330

# The problem

There were many "path tricks":

* By default, Gitea uses its program directory as its work path
* Gitea tries to use the "work path" to guess its "custom path" and
"custom conf (app.ini)"
* Users might want to use other directories as work path
* The non-default work path should be passed to Gitea by GITEA_WORK_DIR
or "--work-path"
* But some Gitea processes are started without these values
    * The "serv" process started by OpenSSH server
    * The CLI sub-commands started by site admin
* The paths are guessed by SetCustomPathAndConf again and again
* The default values of "work path / custom path / custom conf" can be
changed when compiling

# The solution

* Use `InitWorkPathAndCommonConfig` to handle these path tricks, and use
test code to cover its behaviors.
* When Gitea's web server runs, write the WORK_PATH to "app.ini", this
value must be the most correct one, because if this value is not right,
users would find that the web UI doesn't work and then they should be
able to fix it.
* Then all other sub-commands can use the WORK_PATH in app.ini to
initialize their paths.
* By the way, when Gitea starts for git protocol, it shouldn't output
any log, otherwise the git protocol gets broken and client blocks
forever.

The "work path" priority is: WORK_PATH in app.ini > cmd arg --work-path
> env var GITEA_WORK_DIR > builtin default

The "app.ini" searching order is: cmd arg --config > cmd arg "work path
/ custom path" > env var "work path / custom path" > builtin default


## ⚠️ BREAKING

If your instance's "work path / custom path / custom conf" doesn't meet
the requirements (eg: work path must be absolute), Gitea will report a
fatal error and exit. You need to set these values according to the
error log.
2023-06-22 16:27:18 +00:00
Giteabot 203fe2841d
Fix Permission in API returned repository struct (#25388) (#25441)
Backport #25388 by @wolfogre

The old code generates `structs.Repository.Permissions` with only
`access.Permission.AccessMode`, however, it should check the units too,
or the value could be incorrect. For example,
`structs.Repository.Permissions.Push` could be false even the doer has
write access to code unit.

Should fix
https://github.com/renovatebot/renovate/issues/14059#issuecomment-1047961128
(Not reported by it, I just found it when I was looking into this bug)

---

Review tips:

The major changes are
- `modules/structs/repo.go`
https://github.com/go-gitea/gitea/pull/25388/files#diff-870406f6857117f8b03611c43fca0ab9ed6d6e76a2d0069a7c1f17e8fa9092f7
- `services/convert/repository.go`
https://github.com/go-gitea/gitea/pull/25388/files#diff-7736f6d2ae894c9edb7729a80ab89aa183b888a26a811a0c1fdebd18726a7101

And other changes are passive.

Co-authored-by: Jason Song <i@wolfogre.com>
2023-06-22 17:01:42 +02:00
sebastian-sauer 30a783879f
Show outdated comments in files changed tab (#24936) (#25428)
Backport #24936

If enabled show a clickable label in the comment. A click on the label
opens the Conversation tab with the comment focussed - there you're able
to view the old diff (or original diff the comment was created on).

**Screenshots**


![image](https://github.com/go-gitea/gitea/assets/1135157/63ab9571-a9ee-4900-9f02-94ab0095f9e7)


![image](https://github.com/go-gitea/gitea/assets/1135157/78f7c225-8d76-46f5-acfd-9b8aab988a6c)

When resolved and outdated:


![image](https://github.com/go-gitea/gitea/assets/1135157/6ece9ebd-c792-4aa5-9c35-628694e9d093)

Option to enable/disable this (stored in user settings - default is
disabled):


![image](https://github.com/go-gitea/gitea/assets/1135157/ed99dfe4-76dc-4c12-bd96-e7e62da50ab5)


![image](https://github.com/go-gitea/gitea/assets/1135157/e837a052-e92e-4a28-906d-9db5bacf93a6)

fixes #24913

Co-authored-by: silverwind <me@silverwind.io>
2023-06-22 08:34:42 +00:00
Giteabot 4908cc9adf
Fix blank dir message when uploading files from web editor (#25391) (#25400)
Backport #25391 by @lunny

Fix #7883

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-06-20 20:28:52 +00:00
Giteabot e5422db5c7
Show if File is Executable (#25287) (#25300)
Backport #25287 by @JakobDev

This simply shows if a File has the executable Permission


![grafik](https://github.com/go-gitea/gitea/assets/15185051/1d50c105-6d55-4ecc-808a-c9cd5559d238)

Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-16 09:29:26 +00:00
Giteabot b45ea0280b
Show OAuth2 errors to end users (#25261) (#25271)
Backport #25261 by @wxiaoguang

Partially fix #23936


![image](https://github.com/go-gitea/gitea/assets/2114189/8aa7f3ad-a5f0-42ce-a478-289a03bd08a3)


![image](https://github.com/go-gitea/gitea/assets/2114189/bb901e7d-485a-47a5-b68d-9ebe7013a6b2)


![image](https://github.com/go-gitea/gitea/assets/2114189/9a1ce0f3-f011-4baf-8e2f-cc6304bc9703)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-15 02:48:36 +00:00
yp05327 d686aa0d31
Fix profile render when the README.md size is larger than 1024 bytes (#25270)
Backport #25131
2023-06-15 01:39:34 +00:00
Giteabot 21cd5c2f3d
Fix all possible setting error related storages and added some tests (#23911) (#25244)
Backport #23911 by @lunny

Follow up #22405

Fix #20703 

This PR rewrites storage configuration read sequences with some breaks
and tests. It becomes more strict than before and also fixed some
inherit problems.

- Move storage's MinioConfig struct into setting, so after the
configuration loading, the values will be stored into the struct but not
still on some section.
- All storages configurations should be stored on one section,
configuration items cannot be overrided by multiple sections. The
prioioty of configuration is `[attachment]` > `[storage.attachments]` |
`[storage.customized]` > `[storage]` > `default`
- For extra override configuration items, currently are `SERVE_DIRECT`,
`MINIO_BASE_PATH`, `MINIO_BUCKET`, which could be configured in another
section. The prioioty of the override configuration is `[attachment]` >
`[storage.attachments]` > `default`.
- Add more tests for storages configurations.
- Update the storage documentations.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-14 08:36:52 +02:00
Giteabot de1d14590d
Fix bug for code search if code is disabled (#25173) (#25181)
Backport #25173 by @lunny

Fix https://github.com/go-gitea/gitea/pull/24189/files#r1224144768

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-06-09 19:32:55 +00:00
Giteabot 1cc63ade82
Fix MilestoneIDs when querying issues (#25125) (#25141)
Backport #25125 by @Zettat123

Fix #25114

Co-authored-by: Zettat123 <zettat123@gmail.com>
2023-06-08 11:03:53 +02:00
zeripath 036fb7861f
Clean up WebAuthn javascript code and remove JQuery code (#22697)
There were several issues with the WebAuthn registration and testing
code and the style
was very old javascript with jquery callbacks.

This PR uses async and fetch to replace the JQuery code.

Ref #22651

Signed-off-by: Andrew Thornton <art27@cantab.net>

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-06 13:29:37 +08:00
Denys Konovalov ca35dec18b
Add ability to set multiple redirect URIs in OAuth application UI (#25072)
OAuth applications can already have multiple redirect URIs if
created/edited over API.

This change allows for setting multiple redirect URIs through the UI as
a comma-separated list (e. g.
`https://example.org/redirect,https://redirect.example.org`)

<details>
<summary>Screenshots</summary>

![Bildschirmfoto vom 2023-06-04
17-14-40](https://github.com/go-gitea/gitea/assets/47871822/2206dc32-e7e4-4953-9ecb-e098890b3f54)
![Bildschirmfoto vom 2023-06-04
17-14-50](https://github.com/go-gitea/gitea/assets/47871822/cd97c73c-9310-44ee-a83a-b927a1ef94da)

</details>

Closes #25068
2023-06-05 15:00:12 +08:00
Jack Hay 18de83b2a3
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
    - `activitypub`
    - `admin` (hidden if user is not a site admin)
    - `misc`
    - `notification`
    - `organization`
    - `package`
    - `issue`
    - `repository`
    - `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
  -  `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
  - `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection

### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">

## tokenRequiresScopes  Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error

## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
   -  _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
   - _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
   - _This should be addressed in this PR_
   - For example: 
   ```go
	m.Group("/users/{username}/orgs", func() {
		m.Get("", reqToken(), org.ListUserOrgs)
		m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
   ```

## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default

Closes #24501
Closes #24799

Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
wxiaoguang 520eb57d76
Use a separate admin page to show global stats, remove actions stat (#25062)
Before, Gitea shows the database table stats on the `admin dashboard`
page.

It has some problems:

* `count(*)` is quite heavy. If tables have many records, this blocks
loading the admin page blocks for a long time
* Some users had even reported issues that they can't visit their admin
page because this page causes blocking or `50x error (reverse proxy
timeout)`
* The `actions` stat is not useful. The table is simply too large. Does
it really matter if it contains 1,000,000 rows or 9,999,999 rows?
* The translation `admin.dashboard.statistic_info` is difficult to
maintain.

So, this PR uses a separate page to show the stats and removes the
`actions` stat.


![image](https://github.com/go-gitea/gitea/assets/2114189/babf7c61-b93b-4a62-bfaa-22983636427e)

## ⚠️ BREAKING

The `actions` Prometheus metrics collector has been removed for the
reasons mentioned beforehand.
Please do not rely on its output anymore.
2023-06-03 22:03:41 +08:00
Denys Konovalov 7d855efb1f
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it, please check language as I'm not a native
English speaker.

Closes #17107
Closes #25047
2023-06-03 05:59:28 +02:00
Lunny Xiao 5d23c885ed
Fix users cannot visit issue attachment bug (#25019)
Caused by #24362

Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-31 19:06:17 +02:00
delvh bf27fc3596
Merge new project templates into one (#24985)
Additionally simplify the `new project` template slightly.

Review hint: Disable whitespace changes.

<details><summary>Before</summary>

## New repo project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/4de977e8-3688-45cd-8832-49b001e6f249)

## Edit repo project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/daaf353f-6c99-48bd-b37a-a3bc64459079)

## New user/org project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/6a5a3be5-f51a-4599-b75c-7adb9710d2fa)

## Edit user/org project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/a4768f49-cf46-4773-8a0f-54dfdcc1c1b8)
</details>

<details><summary>After</summary>

## New repo project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/3d0ac8a0-850a-4743-963c-71c66ef38d07)

## Edit repo project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/6b86a1cd-e360-4a9b-aaf7-af032d0d991a)

## New user/org project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/a7b0964c-e4c7-4924-842a-52a58499bc36)

## Edit user/org project

![grafik](https://github.com/go-gitea/gitea/assets/51889757/0fbc5605-afee-49bd-a44a-8646f8c55681)
</details>

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-31 08:50:18 +02:00