Commit graph

277 commits

Author SHA1 Message Date
Andrew 6dd096b7f0 Two factor authentication support (#630)
* Initial commit for 2FA support

Signed-off-by: Andrew <write@imaginarycode.com>

* Add vendored files

* Add missing depends

* A few clean ups

* Added improvements, proper encryption

* Better encryption key

* Simplify "key" generation

* Make 2FA enrollment page more robust

* Fix typo

* Rename twofa/2FA to TwoFactor

* UNIQUE INDEX -> UNIQUE
2017-01-16 10:14:29 +08:00
Philip Couling 64375d875b Attach to release (#673)
* Moved attachaments POST url from /issues/attachments to /attachments

* Implemented attachment upload on release page

* Implemented downloading attachments on the release page

* Added zip and gzip files to default allowed attachments

* Implemented uploading attachments on edit release

* Renamed UploadIssueAttachment to UploadAttachment
2017-01-15 22:57:00 +08:00
derSuessmann 51d578ff33 Add Keep email private (see issue #571). (#571)
- Add site-wide option DEFAULT_KEEP_EMAIL_PRIVATE.
- Add the new option to the install and admin/config pages.
- Add the new option to app.ini in the service section.
- Add the new option to the settings struct.
- Add English text strings to i18n.
- Add field KeepEmailPrivate to user struct.
- Add field KeepEmailPrivate to user form.
- Add option to UI.
- Add using noreply email address if user has "Keep Email Private".
An email address <LowerName>@<NO_REPLY_ADDRESS> is now used in commit
messages (and hopefully all other git log relevant places). The
change relies on the fact that git commands should use
user.NetGitSig().
- Add hiding of email address in UI, if user has set "Keep Email Private".
- Add condition to show email address only on explore/users and user
pages, if user has not set "Keep Email Private".
- Add noreply email in API if set "Keep Email Private".
- Add a new service setting NO_REPLY_ADDRESS. The value of this
setting is used as the domain part for the user's email address in
git log, iff he decides to keep his email address private.
If the user decides to keep his email address private and this
option is not set 'noreply.example.org' is used, which no MTA
should send email to.

Add NO_REPLY_ADDRESS to conf/app.ini.
2017-01-08 11:12:03 +08:00
Schwobaland c0904f1942 Restrict creating organisations by user (#193)
* restrict creating organizations based on right on user

* revert bindata.go

* reverse vendor lib

* revert goimports change

* set AllowCreateOrganization default value to true

* revert locale

* added default value for AllowCreateOrganization

* fix typo in migration-comment

* fix comment

* add coments in migration
2016-12-31 10:33:30 +08:00
Fabian Zaremba 2e7ccecfe6 Git LFS support v2 (#122)
* Import github.com/git-lfs/lfs-test-server as lfs module base

Imported commit is 3968aac269a77b73924649b9412ae03f7ccd3198

Removed:

Dockerfile CONTRIBUTING.md mgmt* script/ vendor/ kvlogger.go
.dockerignore .gitignore README.md

* Remove config, add JWT support from github.com/mgit-at/lfs-test-server

Imported commit f0cdcc5a01599c5a955dc1bbf683bb4acecdba83

* Add LFS settings

* Add LFS meta object model

* Add LFS routes and initialization

* Import github.com/dgrijalva/jwt-go into vendor/

* Adapt LFS module: handlers, routing, meta store

* Move LFS routes to /user/repo/info/lfs/*

* Add request header checks to LFS BatchHandler / PostHandler

* Implement LFS basic authentication

* Rework JWT secret generation / load

* Implement LFS SSH token authentication with JWT

Specification: https://github.com/github/git-lfs/tree/master/docs/api

* Integrate LFS settings into install process

* Remove LFS objects when repository is deleted

Only removes objects from content store when deleted repo is the only
referencing repository

* Make LFS module stateless

Fixes bug where LFS would not work after installation without
restarting Gitea

* Change 500 'Internal Server Error' to 400 'Bad Request'

* Change sql query to xorm call

* Remove unneeded type from LFS module

* Change internal imports to code.gitea.io/gitea/

* Add Gitea authors copyright

* Change basic auth realm to "gitea-lfs"

* Add unique indexes to LFS model

* Use xorm count function in LFS check on repository delete

* Return io.ReadCloser from content store and close after usage

* Add LFS info to runWeb()

* Export LFS content store base path

* LFS file download from UI

* Work around git-lfs client issue with unauthenticated requests

Returning a dummy Authorization header for unauthenticated requests
lets git-lfs client skip asking for auth credentials
See: https://github.com/github/git-lfs/issues/1088

* Fix unauthenticated UI downloads from public repositories

* Authentication check order, Finish LFS file view logic

* Ignore LFS hooks if installed for current OS user

Fixes Gitea UI actions for repositories tracking LFS files.
Checks for minimum needed git version by parsing the semantic version
string.

* Hide LFS metafile diff from commit view, marking as binary

* Show LFS notice if file in commit view is tracked

* Add notbefore/nbf JWT claim

* Correct lint suggestions - comments for structs and functions

- Add comments to LFS model
- Function comment for GetRandomBytesAsBase64
- LFS server function comments and lint variable suggestion

* Move secret generation code out of conditional

Ensures no LFS code may run with an empty secret

* Do not hand out JWT tokens if LFS server support is disabled
2016-12-26 09:16:37 +08:00
Denis Denisov f0a989c1d0 Correction LDAP validation (#342)
* Correction LDAP username validation

As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it.

* Check for zero length passwords in LDAP module.

According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD.

* Clearing the login/email spaces at the [start/end]
2016-12-12 08:46:51 +08:00
Kim "BKC" Carlbäcker e6cfccdd40 GitHub API Compliance (& linting) 2016-12-02 09:18:15 +01:00
Lunny Xiao ec87a75c00 golint fixed for modules/auth 2016-11-27 21:39:06 +08:00
Bwko 2a449bd4b1 Fix typos 2016-11-21 20:08:21 +01:00
Thibault Meyer ddee4c8b58
Normalize files with gofmt 2016-11-11 13:11:45 +01:00
Sandro Santilli 4247304f5a Update import paths from github.com/go-gitea to code.gitea.io (#135)
- Update import paths from github.com/go-gitea to code.gitea.io
- Fix import path for travis

See https://docs.travis-ci.com/user/languages/go#Go-Import-Path
2016-11-10 17:24:48 +01:00
Sandro Santilli 864d1b1f9f Fix type in unused constant name (#111)
* Write LDAP, SMTP, PAM, DLDAP back to all uppercase

* Fix type in unused constant name

* Other MixCased fixes

* Complete MixerCasing of template constants

* Re uppercase LTS and LDAPS suffixes

* Uppercase JSON suffix in constant names

* Proper case LoginNoType

* Prefix unexported template path constants with "tpl"
2016-11-07 18:58:22 -02:00
Sandro Santilli b7bf9dfd28 more 2016-11-07 17:55:31 +01:00
Sandro Santilli 05fd9d3f09 Security protocols 2016-11-07 17:38:43 +01:00
Matthias Loibl 1f44b01e2a Fix imports found by goimports. 2016-11-05 17:56:35 +01:00
Thomas Boerger f960b776f0
Simply made go vet happy, fixed tags 2016-11-04 23:45:06 +01:00
Rémy Boulanouar 8dc49dc114 Implementation of the feature to redirect to an external issue tracker 2016-11-04 09:06:54 +01:00
Rémy Boulanouar 2d68bd1ef9 Change import reference to match gitea instead of gogs (#37) 2016-11-03 10:29:56 -02:00
Unknwon 643142acab Web editor: support upload files 2016-08-30 05:23:59 -07:00
Unknwon 28cf0e6aaa #3459 code quality improvement 2016-08-29 20:00:06 -07:00
Thibault Meyer 92fb30c526 Load a set of predefined labels (#3459)
* Can use a predefined set of labels

* Change UI

* Fix HTML file indentation

* Avoid reading file from other directory (security issue)

* Apply a better fix

* Remove not used variable

* Merge upstream/develop

* Do modifications

* Raname

* remove binding + rename variable
2016-08-29 19:02:49 -07:00
Unknwon 0114fdcba4 Web editor: improve delete file process 2016-08-28 01:41:44 -07:00
Unknwon f8a48ffaad Web editor: improve code quality 2016-08-24 21:35:03 -07:00
Unknwon 4042d1f0c3 models/issue: improve quality and performance of NewIssue function 2016-08-15 18:40:32 -07:00
Richard Mahn d0a0239bac Squashed commit of the following:
commit 0afcb843d7ffd596991c4885cab768273a6eb42c
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 17:13:29 2016 -0600

    Removed Upload stats as the upload table is just a temporary table

commit 7ecd73ff5535612d79d471409173ee7f1fcfa157
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 08:42:41 2016 -0600

    Fix for CodeMirror mode

commit c29b9ab531e2e7af0fb5db24dc17e51027dd1174
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 08:03:33 2016 -0600

    Made tabbing in editor use spaces

commit 23af384c53206a8a40e11e45bf49d7a149c4adcd
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 07:56:46 2016 -0600

    Fix for data-url

commit cfb8a97591cb6fc0a92e49563b7b764c524db0e9
Merge: 7fc8a89 991ce42
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 07:42:53 2016 -0600

    Merge remote-tracking branch 'gogits/develop' into feature-create-and-edit-repo-file

    Conflicts:
    	modules/bindata/bindata.go
    	public/js/gogs.js

commit 7fc8a89cb495478225b02d613e647f99a1489634
Merge: fd3d86c c03d040
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 07:40:00 2016 -0600

    Merge branch 'feature-create-and-edit-repo-file' of github.com:richmahn/gogs into feature-create-and-edit-repo-file

commit fd3d86ca6bbc02cfda566a504ffd6b03db4f75ef
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Sun Jul 31 07:39:44 2016 -0600

    Code cleanup

commit c03d0401c1049eeeccc32ab1f9c3303c130be5ee
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Fri Jul 29 15:38:23 2016 -0600

    Code cleanup

commit 98e1206ccf9f9a4503c020e3a7830cf9f861dfae
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Thu Jul 28 18:36:01 2016 -0600

    Code cleanup and fixes

commit c2895dc742f25f8412879c9fa15e18f27f42f194
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Thu Jul 28 18:24:04 2016 -0600

    Fixes per Unknwon's requests

commit 6aa7e46b21ad4c96e562daa2eac26a8fb408f8ef
Merge: 889e9fa ad7ea88
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Thu Jul 28 17:13:43 2016 -0600

    Merge remote-tracking branch 'gogits/develop' into feature-create-and-edit-repo-file

    Conflicts:
    	modules/bindata/bindata.go
    	modules/setting/setting.go

commit 889e9faf1bd8559a4979c8f46005d488c1a234d4
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Fri Jul 22 14:09:18 2016 -0600

    Fix in gogs.js

commit 47603edf223f147b114be65f3bd27bc1e88827a5
Merge: bb57912 cf85e9e
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Fri Jul 22 14:07:36 2016 -0600

    Merge remote-tracking branch 'gogits/develop' into feature-create-and-edit-repo-file

    Conflicts:
    	modules/bindata/bindata.go
    	public/js/gogs.js

commit bb5791255867a71c11a77b639db050ad09c597a4
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Fri Jul 22 14:02:18 2016 -0600

    Update for using CodeMirror mode addon

commit d10d128c51039be19e2af9c66c63db66a9f2ec6d
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Tue Jul 19 16:12:57 2016 -0600

    Update for Edit

commit 34a34982025144e3225e389f7849eb6273c1d576
Merge: fa1b752 1c7dcdd
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Tue Jul 19 11:52:02 2016 -0600

    Merge remote-tracking branch 'gogits/develop' into feature-create-and-edit-repo-file

    Conflicts:
    	modules/bindata/bindata.go

commit fa1b752be29cd455c5184ddac2ffe80b3489763e
Author: Richard Mahn <richard_mahn@wycliffeassociates.org>
Date:   Fri Jul 15 18:35:42 2016 -0600

    Feature for editing, creating, uploading and deleting files
2016-08-14 23:52:24 -07:00
Unknwon 3f7f4852ef #2246 fully support of webhooks for pull request 2016-08-14 03:32:24 -07:00
Sandro Santilli 90dd0657b5 Add support for federated avatars (#3320)
* Add support for federated avatars

Fixes #3105

Removes avatar fetching duplication code
Adds an "Enable Federated Avatar" checkbox in user settings
(defaults to unchecked)

Moves avatar settings all in the same form, making
local and remote avatars mutually exclusive

Renames UploadAvatarForm to AvatarForm
as it's not anymore only for uploading

* Run gofmt on all modified files

* Move Avatar form in its own page

* Add go-libravatar dependency to vendor/ dir

Hopefully helps with accepting the contribution.
See also #3214

* Revert "Add go-libravatar dependency to vendor/ dir"

This reverts commit a8cb93ae640bbb90f7d25012fc257bda9fae9b82.

* Make federated avatar setting a global configuration

Removes the per-user setting

* Move avatar handling back to base tool, disable federated avatar in offline mode

* Format, handle error

* Properly set fallback host

* Use unsupported github.com mirror for importing go-libravatar

* Remove comment showing life exists outside of github.com

... pity, but contribution would not be accepted otherwise

* Use Combo for Get and Post methods over /avatar

* FEDERATED_AVATAR -> ENABLE_FEDERATED_AVATAR

* Fix persistance of federated avatar lookup checkbox at install time

* Federated Avatars -> Enable Federated Avatars

* Use len(string) == 0 instead of string == ""

* Move import line where it belong

See
https://github.com/Unknwon/go-code-convention/blob/master/en-US/import_packages.md

Pity the import url is still the unofficial one, but oh well...

* Save a line (and waste much more expensive time)

* Remove redundant parens

* Remove an empty line

* Remove empty lines

* Reorder lines to make diff smaller

* Remove another newline

Unknwon review got me start a fight against newlines

* Move DISABLE_GRAVATAR and ENABLE_FEDERATED_AVATAR after OFFLINE_MODE

On re-reading the diff I figured what Unknwon meant here:
https://github.com/gogits/gogs/pull/3320/files#r73741106

* Remove newlines that weren't there before my intervention
2016-08-07 10:27:38 -07:00
Unknwon e3d3d424b2 Minor fix for go vet 2016-07-16 15:15:00 +08:00
Unknwon c083d76567 #2937 able to prohibit user login 2016-07-16 10:22:16 +08:00
Unknwon a752f09055 #2709 validate username attribute fetched from LDAP 2016-07-12 07:07:57 +08:00
Pablo Saavedra 98b152030d The pruning for the synchronized mirrors is a option now. Default value: enable_prune = true (#3246)
Executed go fmt

getEngine() not handles DB parameters (#2972) (#2974)

Uses .AllCols() for Update in updateMirror()

Spanish traslation removed

Fixed a wrong way to ommit the --prune option in process.ExecDir() for MirrorUpdate function
2016-07-09 13:22:28 +08:00
Unknwon 401bf944ef Use SecurityProtocol to replace UseSSL in LDAP config
Initially proposed by #2376 and fixes #3068 as well.
2016-07-08 07:25:09 +08:00
Franz Schmidt 8b35c194ec Fixes #3110 (#3136) 2016-06-27 17:02:39 +08:00
Paul Tötterman fb970b9d87 Add ServerName to tls.Config in LDAP auth (#3104)
From https://godoc.org/crypto/tls#Config

    ServerName is used to verify the hostname on the returned
    certificates unless InsecureSkipVerify is given. It is also included
    in the client's handshake to support virtual hosting unless it is
    an IP address.

This is needed for certificate validation without InsecureSkipVerify.
2016-06-01 01:11:28 -07:00
Cosmin Stroe ba314a7a36 Support alphanumeric issue style (ABC-1234) for external issue tracker (#2992) 2016-04-22 18:28:08 -04:00
Unknwon ac78bae7b5 Replace uuid module with original package 2016-02-20 18:13:12 -05:00
Unknwon 926e75d721 #2334 strip whitespace for migrate URL
Also fix a possible race condition while install
2016-02-20 17:32:34 -05:00
Adam Strzelecki 5649556a33 LDAP: Make a bit more detailed log traces
This is useful especially to check whether we fetch right attributes, using
right LDAP search base and in right order.
2016-02-20 14:12:32 +01:00
Adam Strzelecki 834d92a47b LDAP: Fetch attributes in Bind DN context option
This is feature is workaround for #2628 (JumpCloud) and some other services
that allow LDAP search only under BindDN user account, but not allow any LDAP
search query in logged user DN context.

Such approach is an alternative to minimal permissions security pattern for
BindDN user.
2016-02-20 14:12:32 +01:00
Adam Strzelecki e2f95c2845 LDAP: Use single connection in BindDN mode auth
According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send
multiple Bind requests to change the authentication and/or security
associations or to complete a multi-stage Bind process. Authentication from
earlier binds is subsequently ignored."

Therefore we should not use 2 connections, but single one just sending two bind
requests.
2016-02-20 14:01:47 +01:00
Josh Frye 8ab5399e83 Make log path required 2016-02-12 10:10:02 -05:00
Josh Frye a3e8c32a30 Add install option for log path 2016-02-12 09:19:45 -05:00
Adam Strzelecki 3808638df1 Fix #2221 LDAP username attribute must be fetched
This is fix-up for 573305f. Forgot to fetch AttributeUsername value from the
LDAP server, so the setting was effectively not working as intended.
2016-02-07 18:18:29 +01:00
Florian Kaiser abc5abce30 Allow modification of a release if Content is empty (fix #2516) 2016-01-30 13:39:02 +00:00
Unknwon 112a7cab31 #2497 incorrect error handle for team name 2016-01-29 17:06:14 -05:00
zhuharev 0d5dc8a064 typo fix 2016-01-06 22:41:42 +03:00
Unknwon 59c965a5ec #2156 admin able to edit organization max repo creation 2015-12-11 19:24:57 -05:00
Unknwon 477b4d3b50 #2154 fix form submit error 2015-12-11 18:52:28 -05:00
Unknwon d0b0d24f22 #2154 disable change user for non-local users
- #2153 remove require for gravatar
2015-12-11 15:31:02 -05:00
Unknwon 40f3142264 #2114 External URL for wiki 2015-12-11 04:55:08 -05:00