Commit graph

200 commits

Author SHA1 Message Date
Gusted 51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Giteabot 3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Earl Warren 5aad8a6918
[GITEA] enable system users for comment.LoadPoster
System users (Ghost, ActionsUser, etc) have a negative id and may be
the author of a comment, either because it was created by a now
deleted user or via an action using a transient token.

The GetPossibleUserByID function has special cases related to system
users and will not fail if given a negative id.

Refs: https://codeberg.org/forgejo/forgejo/issues/1425
(cherry picked from commit 97667e06b3)
2023-09-12 11:02:07 +02:00
wxiaoguang 9c0380fe84
Avoid double-unescaping of form value (#26853) (#26863)
Backport #26853

The old `prepareQueryArg` did double-unescaping of form value.

(cherry picked from commit e8da63c24e)
2023-09-08 08:09:18 +02:00
KN4CK3R 471138829b
Fix NuGet search endpoints (#25613) (#26499)
Backport of #25613

Fixes #25564
Fixes #23191

- Api v2 search endpoint should return only the latest version matching
the query
- Api v3 search endpoint should return `take` packages not package
versions

(cherry picked from commit 762d4245fb)
2023-08-21 07:27:20 +02:00
Earl Warren 1ffddf75d6
[DB] run all Forgejo migrations in integration tests
The tests at tests/integration/migration-test/migration_test.go will
not run any Forgejo migration when using the gitea-*.sql.gz files
because they do not contain a ForgejoVersion row which is interpreted
as a new Forgejo installation for which there is no need for migration.

Create a situation by which the ForgejoVersion table exists and has a
version of 0 in tests/integration/migration-test/forgejo-v1.19.0.*.sql.gz
thus ensuring all Forgejo migrations are run.

The forgejo*.sql.gz files do not have any Gitea related records, which
will be interpreted by the Gitea migrations as a new installation that
does not need any migration. As a consequence the migration tests run
when using forgejo-v1.19.0.*.sql.gz are exclusively about Forgejo
migrations.

(cherry picked from commit ec8003859c)
2023-08-21 07:22:18 +02:00
Earl Warren d83135c204
Revert "[GITEA] Use join for the deleting issue actions query"
This reverts commit 9b71369be9.
2023-08-21 07:22:17 +02:00
Earl Warren 20557c6bdb
[BRANDING] define the forgejo webhook type
templates/swagger/v1_json.tmpl updated with `make generate-swagger`

(cherry picked from commit 88899c492e)
(cherry picked from commit 7171bd9617)
(cherry picked from commit 1a742446c1)
(cherry picked from commit d7c189d7b2)

Conflicts:
	routers/web/web.go
(cherry picked from commit cbdea868e4)
(cherry picked from commit 6cd150483b)
(cherry picked from commit 47246da8d3)
(cherry picked from commit f2aa0e6b76)
(cherry picked from commit 5a4fc69a16)
(cherry picked from commit 48e444ca09)
(cherry picked from commit 888e537811)
(cherry picked from commit 5121f493c9)
(cherry picked from commit 9394e55fdf)
(cherry picked from commit 3a2ce51768)
(cherry picked from commit 719ead3a65)
(cherry picked from commit 83e6f82e2a)
(cherry picked from commit 494a429b21)
(cherry picked from commit 4d775db6b4)
(cherry picked from commit b68f777dc2)
(cherry picked from commit 5b934023fa)
(cherry picked from commit 3b1ed8b16c)
(cherry picked from commit 6bc4a46c9f)
(cherry picked from commit 8064bb24a3)

Conflicts:
	templates/admin/hook_new.tmpl
	templates/org/settings/hook_new.tmpl
	templates/repo/settings/webhook/base_list.tmpl
	templates/repo/settings/webhook/new.tmpl
	templates/user/settings/hook_new.tmpl
	https://codeberg.org/forgejo/forgejo/pulls/1181

(cherry picked from commit 55f5588a91)

Conflicts:
	routers/web/web.go
	https://codeberg.org/forgejo/forgejo/issues/1219
2023-08-21 07:22:16 +02:00
Earl Warren c862cc15c8
Revert "[BRANDING] define the forgejo webhook type"
This reverts commit 02ba08ca84.
2023-08-21 07:22:16 +02:00
JakobDev d89003cc1b Fix API leaking Usermail if not logged in (#25097)
The API should only return the real Mail of a User, if the caller is
logged in. The check do to this don't work. This PR fixes this. This not
really a security issue, but can lead to Spam.

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit ea385f5d39)
2023-08-05 11:43:54 +00:00
Gusted 5f769ef20d [GITEA] Show manual cron run's last time
- Currently in the cron tasks, the 'Previous Time' only displays the
previous time of when the cron library executes the function, but not
any of the manual executions of the task.
- Store the last run's time in memory in the Task struct and use that,
when that time is later than time that the cron library has executed this
task.
- This ensures that if an instance admin manually starts a task, there's
feedback that this task is/has been run, because the task might be run
that quick, that the status icon already has been changed to an
checkmark,
- Tasks that are executed at startup now reflect this as well, as the
time of the execution of that task on startup is now being shown as
'Previous Time'.
- Added integration tests for the API part, which is easier to test
because querying the HTML table of cron tasks is non-trivial.
- Resolves https://codeberg.org/forgejo/forgejo/issues/949
- Backport #1087
2023-07-31 18:34:14 +00:00
Gusted 9b71369be9 [GITEA] Use join for the deleting issue actions query
- The action tables can become very large as it's a dumpster for every
action that an user does on an repository.
- The following query: `DELETE FROM action WHERE comment_id IN (SELECT id FROM comment WHERE
issue_id=?)` is not using indexes for `comment_id` and is instead using
an full table scan by MariaDB.
- Rewriting the query to use an JOIN will allow MariaDB to use the
index.
- More information: https://codeberg.org/Codeberg-Infrastructure/techstack-support/issues/9
- Backport https://codeberg.org/forgejo/forgejo/pulls/1154
2023-07-31 10:14:30 +00:00
Giteabot 5afb0294f4
Fix access check for org-level project (#26182) (#26223)
Backport #26182 by @Zettat123

Fix #25934

Add `ignoreGlobal` parameter to `reqUnitAccess` and only check global
disabled units when `ignoreGlobal` is true. So the org-level projects
and user-level projects won't be affected by global disabled
`repo.projects` unit.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 3a29712e0a)
2023-07-30 07:46:19 +02:00
Giteabot 7bb8526736
Fix handling of plenty Nuget package versions (#26075) (#26173)
Backport #26075 by @KN4CK3R

Fixes #25953

- Do not load full version information (v3)
- Add pagination support (v2)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 54614767a2)
2023-07-30 07:46:18 +02:00
Giteabot df5200e814
Remove "misc" scope check from public API endpoints (#26134) (#26149)
Backport #26134 by @wxiaoguang

Fix #26035

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit a8445e9320)
2023-07-26 13:51:46 +02:00
Earl Warren bbc3426c53
Revert "[GITEA] do not enforce misc scope tokens for public API endpoints"
This reverts commit 666f43fb64.
2023-07-26 13:51:06 +02:00
Giteabot 4be3270e87
Fix handling of Debian files with trailing slash (#26087) (#26098)
Backport #26087 by @KN4CK3R

Fixes #26022

- Fix handling of files with trailing slash
- Fix handling of duplicate package file errors
- Added test for both

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit a424f6d4f8)
2023-07-26 13:49:15 +02:00
Giteabot 2a4dcad472
Fix version in rpm repodata/primary.xml.gz (#26009) (#26048)
Co-authored-by: Peter Verraedt <peter.verraedt@gmail.com>
(cherry picked from commit 81f5a87eb4)
2023-07-24 07:59:10 +02:00
Giteabot 3d033a3aa7
Make pending commit status yellow again (#25935) (#25968)
Backport #25935 by @silverwind

With the introduction of Actions, the pending commit icon has changed
from yellow to grey for Drone integrations which never set the "running"
status, so it stays in "pending" until completion.

I find it better to have this icon colored like on 1.19. Now both the
"pending" and "running" icons look the same, but I guess we could add an
animation to the "running" state similar to GitHub has to it later.

Before:
<img width="339" alt="Screenshot 2023-07-17 at 19 14 19"
src="https://github.com/go-gitea/gitea/assets/115237/2f4886e4-74fd-42ea-b59e-9af8f141bf1f">

After:
<img width="335" alt="Screenshot 2023-07-17 at 19 14 30"
src="https://github.com/go-gitea/gitea/assets/115237/53189642-e72d-47f6-9cbe-f14eda28f730">

Also, it matches GH's icon:

<img width="466" alt="image"
src="https://github.com/go-gitea/gitea/assets/115237/5804ff90-d223-4a3c-8093-7a9abbaacf87">

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 864bdd0ac8)
2023-07-24 07:58:56 +02:00
Loïc Dachary 666f43fb64
[GITEA] do not enforce misc scope tokens for public API endpoints
(cherry picked from commit e353d1c4b7)
2023-07-23 22:35:11 +02:00
Earl Warren 1371196064
Merge remote-tracking branch 'forgejo/v1.20/forgejo-moderation' into v1.20/forgejo 2023-07-17 08:01:23 +02:00
Gusted 73776d6195
[MODERATION] add user blocking API
- Follow up for: #540, #802
- Add API routes for user blocking from user and organization
perspective.
- The new routes have integration testing.
- The new model functions have unit tests.
- Actually quite boring to write and to read this pull request.

(cherry picked from commit f3afaf15c7)
(cherry picked from commit 6d754db3e5)
(cherry picked from commit d0fc8bc9d3)
(cherry picked from commit 9a53b0d1a0)
(cherry picked from commit 44a2a4fd48)
(cherry picked from commit 182025db9c)
(cherry picked from commit 558a35963e)
2023-07-17 00:26:42 +02:00
Gusted cdf6318f51
[MODERATION] organization blocking a user (#802)
- Resolves #476
- Follow up for: #540
- Ensure that the doer and blocked person cannot follow each other.
- Ensure that the block person cannot watch doer's repositories.
- Add unblock button to the blocked user list.
- Add blocked since information to the blocked user list.
- Add extra testing to moderation code.
- Blocked user will unwatch doer's owned repository upon blocking.
- Add flash messages to let the user know the block/unblock action was successful.
- Add "You haven't blocked any users" message.
- Add organization blocking a user.

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/802
(cherry picked from commit 0505a10421)
(cherry picked from commit 37b4e6ef9b)
(cherry picked from commit 217475385a)
(cherry picked from commit f2c38ce5c2)
(cherry picked from commit 1edfb68137)
(cherry picked from commit 2cbc12dc74)
(cherry picked from commit 79ff020f18)
2023-07-17 00:26:42 +02:00
Gusted dc9499bdf9
[MODERATION] user blocking
- Add the ability to block a user via their profile page.
- This will unstar their repositories and visa versa.
- Blocked users cannot create issues or pull requests on your the doer's repositories (mind that this is not the case for organizations).
- Blocked users cannot comment on the doer's opened issues or pull requests.
- Blocked users cannot add reactions to doer's comments.
- Blocked users cannot cause a notification trough mentioning the doer.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/540
(cherry picked from commit 687d852480)
(cherry picked from commit 0c32a4fde5)
(cherry picked from commit 1791130e3c)
(cherry picked from commit 00f411819f)
(cherry picked from commit e0c039b0e8)
(cherry picked from commit b5a058ef00)
(cherry picked from commit 5ff5460d28)
(cherry picked from commit 97bc6e619d)
2023-07-17 00:26:42 +02:00
Gusted 2c3d5b2a77
[BRANDING] Update nodeinfo branding
- Change the values for the nodeinfo API, to use branded values.
- Resolves https://codeberg.org/forgejo/forgejo/issues/257

(cherry picked from commit 4608c57688)
(cherry picked from commit e837e8a529)
(cherry picked from commit 6601328d3c)
(cherry picked from commit c6be21d487)
(cherry picked from commit 5adc6ffee2)
(cherry picked from commit 2ff8d166ac)
(cherry picked from commit b6a90e7e5a)
(cherry picked from commit d1089e706c)

Conflicts:
	tests/integration/api_nodeinfo_test.go
(cherry picked from commit 7a29df737d)
(cherry picked from commit 3655a30c60)
(cherry picked from commit c90d611410)
(cherry picked from commit 0274bd8860)
(cherry picked from commit fdb786b71d)
(cherry picked from commit 4f08f100a1)
(cherry picked from commit 56a2711822)
(cherry picked from commit 3b2cfa452d)
(cherry picked from commit 773ddcf956)
(cherry picked from commit b3c12e6bcc)
(cherry picked from commit 1315177082)
(cherry picked from commit 3f1007795c)
(cherry picked from commit 352bda0147)
(cherry picked from commit 3d8c153ded)
2023-07-17 00:25:56 +02:00
Earl Warren 02ba08ca84
[BRANDING] define the forgejo webhook type
templates/swagger/v1_json.tmpl updated with `make generate-swagger`

(cherry picked from commit 88899c492e)
(cherry picked from commit 7171bd9617)
(cherry picked from commit 1a742446c1)
(cherry picked from commit d7c189d7b2)

Conflicts:
	routers/web/web.go
(cherry picked from commit cbdea868e4)
(cherry picked from commit 6cd150483b)
(cherry picked from commit 47246da8d3)
(cherry picked from commit f2aa0e6b76)
(cherry picked from commit 5a4fc69a16)
(cherry picked from commit 48e444ca09)
(cherry picked from commit 888e537811)
(cherry picked from commit 5121f493c9)
(cherry picked from commit 9394e55fdf)
(cherry picked from commit 3a2ce51768)
(cherry picked from commit 719ead3a65)
(cherry picked from commit 83e6f82e2a)
(cherry picked from commit 494a429b21)
(cherry picked from commit d30c90c0ab)
(cherry picked from commit 3c83b325c4)
(cherry picked from commit 470bffae63)
(cherry picked from commit 1d65921719)
(cherry picked from commit c101c2e0b9)
2023-07-17 00:25:56 +02:00
Earl Warren fb52adb57b
[API] Forgejo API /api/forgejo/v1
(cherry picked from commit 20b5669269)
(cherry picked from commit 1574643a6a)

Update semantic version according to specification

(cherry picked from commit 22510f4130)

Mise à jour de 'Makefile'

(cherry picked from commit c3d85d8409)
(cherry picked from commit 5ea2309851)
(cherry picked from commit ec5217b9d1)
(cherry picked from commit 14f08e364b)
(cherry picked from commit b4465c67b8)

[API] [SEMVER] replace number with version

(cherry picked from commit fba48e6497)
(cherry picked from commit 532ec5d878)

[API] [SEMVER] [v1.20] less is replaced by css

(cherry picked from commit 01ca3a4f42)
(cherry picked from commit 1d928c3ab2)
(cherry picked from commit a39dc804cd)

Conflicts:
	webpack.config.js
(cherry picked from commit adc68578b3)
(cherry picked from commit 9b8d98475f)
(cherry picked from commit 2516103974)
(cherry picked from commit 18e6287963)
(cherry picked from commit e9694e67ab)
(cherry picked from commit a9763edaf0)
(cherry picked from commit e2b550f4fb)
(cherry picked from commit 2edac36701)

[API] Forgejo API /api/forgejo/v1 (squash)

Update semver as v1.20 is entering release candidate mode

(cherry picked from commit 4995098ec3)
(cherry picked from commit 3dd6f2862e)
(cherry picked from commit e8192737ef)
(cherry picked from commit 7b1245cc70)
(cherry picked from commit 4d7cd59703)
(cherry picked from commit 7a7a293dbd)
2023-07-16 23:44:22 +02:00
Earl Warren fe410f108a
[CLI] implement forgejo-cli (squash) support initDB
(cherry picked from commit 5c31ae602a)
(cherry picked from commit 1da62f2930)
2023-07-16 23:21:45 +02:00
Earl Warren d6efefbb63
[CLI] implement forgejo-cli actions register
(cherry picked from commit 2f95143000)
(cherry picked from commit cf77f1e6d9)
(cherry picked from commit 0983b62ca0)
2023-07-16 23:21:45 +02:00
Earl Warren ef51e4b751
[CLI] implement forgejo-cli actions generate-secret
(cherry picked from commit 6f7905c8ec)
(cherry picked from commit 2a958031a9)
(cherry picked from commit 946d209f46)
2023-07-16 23:21:45 +02:00
Earl Warren 52a65b48ea
[CLI] implement forgejo-cli actions generate-runner-token
(cherry picked from commit 08be2b226e)
(cherry picked from commit 9a0f6315da)
(cherry picked from commit 2f264eeeec)
2023-07-16 23:21:45 +02:00
Earl Warren 935fb85e8b
[CLI] implement forgejo-cli
(cherry picked from commit 2555e315f7)
(cherry picked from commit 987df92935)
(cherry picked from commit 78e7eee59a)
2023-07-16 23:21:44 +02:00
Giteabot 353dcc5ad4
Fix the error message when the token is incorrect (#25701) (#25836)
Backport #25701 by @CaiCandong

we refactored `userIDFromToken` for the token parsing part into a new
function `parseToken`. `parseToken` returns the string `token` from
request, and a boolean `ok` representing whether the token exists or
not. So we can distinguish between token non-existence and token
inconsistency in the `verfity` function, thus solving the problem of no
proper error message when the token is inconsistent.
close #24439  
related #22119

Co-authored-by: caicandong <50507092+CaiCandong@users.noreply.github.com>
Co-authored-by: Jason Song <i@wolfogre.com>
2023-07-12 10:18:27 +00:00
Giteabot 2b79d3fd52
For API attachments, use API URL (#25639) (#25814)
Backport #25639 by @lunny

Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-07-10 12:56:16 +00:00
Giteabot 372b622c2b
Revert package access change from #23879 (#25707) (#25785)
Backport #25707 by @KN4CK3R

Fixes (?) #25538
Fixes https://codeberg.org/forgejo/forgejo/issues/972

Regression #23879

#23879 introduced a change which prevents read access to packages if a
user is not a member of an organization.

That PR also contained a change which disallows package access if the
team unit is configured with "no access" for packages. I don't think
this change makes sense (at the moment). It may be relevant for private
orgs. But for public or limited orgs that's useless because an
unauthorized user would have more access rights than the team member.
This PR restores the old behaviour "If a user has read access for an
owner, they can read packages".

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-07-09 21:00:42 +00:00
Giteabot ea2c9de3c4
Test if container blob is accessible before mounting (#22759) (#25784)
Backport #22759 by @KN4CK3R

related #16865

This PR adds an accessibility check before mounting container blobs.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: silverwind <me@silverwind.io>
2023-07-09 12:00:04 +00:00
silverwind 24e64fe372
Replace interface{} with any (#25686) (#25687)
Same perl replacement as https://github.com/go-gitea/gitea/pull/25686
but for 1.20 to ease future backporting.
2023-07-04 23:41:32 -04:00
Lunny Xiao 13ffa287b1
Fix bug of branches API with tests(#25578) (#25579)
Backport #25578 

This PR added a repository's check when creating/deleting branches via
API. Mirror repository and archive repository cannot do that.
2023-07-03 16:17:30 +02:00
Giteabot dfefe86045
Fix LDAP sync when Username Attribute is empty (#25278) (#25379)
Backport #25278 by @Zettat123

Fix #21072


![image](https://github.com/go-gitea/gitea/assets/15528715/96b30beb-7f88-4a60-baae-2e5ad8049555)

Username Attribute is not a required item when creating an
authentication source. If Username Attribute is empty, the username
value of LDAP user cannot be read, so all users from LDAP will be marked
as inactive by mistake when synchronizing external users.

This PR improves the sync logic, if username is empty, the email address
will be used to find user.

Co-authored-by: Zettat123 <zettat123@gmail.com>
2023-06-20 13:11:22 +08:00
yp05327 d686aa0d31
Fix profile render when the README.md size is larger than 1024 bytes (#25270)
Backport #25131
2023-06-15 01:39:34 +00:00
Lunny Xiao 315124b469
Fix parallelly generating index failure with Mysql (#24567) 2023-06-05 10:33:47 +00:00
Jack Hay 18de83b2a3
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
    - `activitypub`
    - `admin` (hidden if user is not a site admin)
    - `misc`
    - `notification`
    - `organization`
    - `package`
    - `issue`
    - `repository`
    - `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
  -  `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
  - `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection

### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">

## tokenRequiresScopes  Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error

## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
   -  _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
   - _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
   - _This should be addressed in this PR_
   - For example: 
   ```go
	m.Group("/users/{username}/orgs", func() {
		m.Get("", reqToken(), org.ListUserOrgs)
		m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
   ```

## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default

Closes #24501
Closes #24799

Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
Denys Konovalov 7d855efb1f
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it, please check language as I'm not a native
English speaker.

Closes #17107
Closes #25047
2023-06-03 05:59:28 +02:00
Lunny Xiao 5d23c885ed
Fix users cannot visit issue attachment bug (#25019)
Caused by #24362

Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-31 19:06:17 +02:00
wxiaoguang a90988d63f
Update repo's default branch when adding new files in an empty one (#25017)
Fix #25014

Only API needs this fix. On the Web UI, users could only add new file on
the default branch.
2023-05-31 17:07:51 +08:00
Yevhen Pavlov 970e1c98ec
Add v3.18 to TestPackageAlpine (#24972)
Add Alpine 3.18 to TestPackageAlpine

Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-29 15:45:32 +00:00
wxiaoguang ca5f302876
Fix admin config page error, use tests to cover the admin config and 500 error page (#24965)
The admin config page has been broken for many many times, a little
refactoring would make this page panic.

So, add a test for it, and add another test to cover the 500 error page.

Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-29 15:00:21 +00:00
Denys Konovalov 275d4b7e3f
API endpoint for changing/creating/deleting multiple files (#24887)
This PR creates an API endpoint for creating/updating/deleting multiple
files in one API call similar to the solution provided by
[GitLab](https://docs.gitlab.com/ee/api/commits.html#create-a-commit-with-multiple-files-and-actions).

To archive this, the CreateOrUpdateRepoFile and DeleteRepoFIle functions
in files service are unified into one function supporting multiple files
and actions.

Resolves #14619
2023-05-29 17:41:35 +08:00
JakobDev aaa1094663
Add the ability to pin Issues (#24406)
This adds the ability to pin important Issues and Pull Requests. You can
also move pinned Issues around to change their Position. Resolves #2175.

## Screenshots

![grafik](https://user-images.githubusercontent.com/15185051/235123207-0aa39869-bb48-45c3-abe2-ba1e836046ec.png)

![grafik](https://user-images.githubusercontent.com/15185051/235123297-152a16ea-a857-451d-9a42-61f2cd54dd75.png)

![grafik](https://user-images.githubusercontent.com/15185051/235640782-cbfe25ec-6254-479a-a3de-133e585d7a2d.png)

The Design was mostly copied from the Projects Board.

## Implementation
This uses a new `pin_order` Column in the `issue` table. If the value is
set to 0, the Issue is not pinned. If it's set to a bigger value, the
value is the Position. 1 means it's the first pinned Issue, 2 means it's
the second one etc. This is dived into Issues and Pull requests for each
Repo.

## TODO
- [x] You can currently pin as many Issues as you want. Maybe we should
add a Limit, which is configurable. GitHub uses 3, but I prefer 6, as
this is better for bigger Projects, but I'm open for suggestions.
- [x] Pin and Unpin events need to be added to the Issue history.
- [x] Tests
- [x] Migration

**The feature itself is currently fully working, so tester who may find
weird edge cases are very welcome!**

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-25 15:17:19 +02:00
JakobDev 25dc1556cd
Add API for Label templates (#24602)
This adds API that allows getting the Label templates of the Gitea
Instance
2023-05-23 18:10:23 +08:00