Commit graph

1077 commits

Author SHA1 Message Date
Earl Warren eb3235039f
[TESTS] oauth2: make it possible to use an alternate http.Client
(cherry picked from commit aea4ab25a9)
(cherry picked from commit d386b212c4)
(cherry picked from commit c4935f08ad)
(cherry picked from commit dc6ca7cd25)
(cherry picked from commit 25296d5a3c)
(cherry picked from commit 3d54c64c5f)
(cherry picked from commit 6ece0b9d01)
(cherry picked from commit 3b39962033)
(cherry picked from commit 5e2167cd03)
(cherry picked from commit e676d7b265)
(cherry picked from commit 9cd258e865)
(cherry picked from commit 0a8d58c159)
(cherry picked from commit b66d06823a)
(cherry picked from commit 4fbe2a0047)
(cherry picked from commit a225e0c9b4)
(cherry picked from commit 21b670b927)
(cherry picked from commit d586e335d5)
(cherry picked from commit 7ab21549a3)
2023-11-06 15:04:59 +01:00
KN4CK3R 4f4fea734c
Unify two factor check (#27915)
Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
2023-11-06 08:22:39 +00:00
Earl Warren 59f9ef9fee
Remove action runners on user deletion (#27902)
- On user deletion, delete action runners that the user has created.
- Add a database consistency check to remove action runners that have
nonexistent belonging owner.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1720

(cherry picked from commit 009ca7223d)

Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-11-05 13:48:32 +01:00
Zettat123 ae396ac7c0
Fix DownloadFunc when migrating releases (#27887)
We should not use `asset.ID` in DownloadFunc because DownloadFunc is a
closure.

1bf5527eac/services/migrations/gitea_downloader.go (L284-L295)

A similar bug when migrating from GitHub has been fixed in #14703. This
PR fixes the bug when migrating from Gitea and GitLab.
2023-11-03 15:56:53 +08:00
Lunny Xiao 1bf5527eac
Refactor Find Sources and fix bug when view a user who belongs to an unactive auth source (#27798)
The steps to reproduce it.

First, create a new oauth2 source.
Then, a user login with this oauth2 source.
Disable the oauth2 source.
Visit users -> settings -> security, 500 will be displayed.
This is because this page only load active Oauth2 sources but not all
Oauth2 sources.
2023-11-03 01:41:00 +00:00
wxiaoguang a4b242ae7a
Clean up template locale usage (#27856)
After many refactoring PRs for the "locale" and "template context
function", now the ".locale" is not needed for web templates any more.

This PR does a clean up for:

1. Remove `ctx.Data["locale"]` for web context.
2. Use `ctx.Locale` in `500.tmpl`, for consistency.
3. Add a test check for `500 page` locale usage.
4. Remove the `Str2html` and `DotEscape` from mail template context
data, they are copy&paste errors introduced by #19169 and #16200 . These
functions are template functions (provided by the common renderer), but
not template data variables.
5. Make email `SendAsync` function mockable (I was planning to add more
tests but it would make this PR much too complex, so the tests could be
done in another PR)
2023-10-31 22:11:48 +08:00
Lunny Xiao 16d15ce087
Fix package webhook (#27839)
Fix #23742

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-10-31 04:43:38 +00:00
KN4CK3R b36e2ca419
List all Debian package versions in Packages (#27786)
Closes #27783

This PR lists all and not only the latest package versions in the
`Packages` index.
2023-10-29 14:14:47 +00:00
Sebastian Brückner 02dae3f84b
Fix merge base commit for fast-forwarded GitLab PRs (#27825)
Due to a bug in the GitLab API, the diff_refs field is populated in the
response when fetching an individual merge request, but not when
fetching a list of them. That field is used to populate the merge base
commit SHA.
While there is detection for the merge base even when not populated by
the downloader, that detection is not flawless. Specifically, when a
GitLab merge request has a single commit, and gets merged with the
squash strategy, the base branch will be fast-forwarded instead of a
separate squash or merge commit being created. The merge base detection
attempts to find the last commit on the base branch that is also on the
PR branch, but in the fast-forward case that is the PR's only commit.
Assuming the head commit is also the merge base results in the import of
a PR with 0 commits and no diff.

This PR uses the individual merge request endpoint to fetch merge
request data with the diff_refs field. With its data, the base merge
commit can be properly set, which—by not relying on the detection
mentioned above—correctly imports PRs that were "merged" by
fast-forwarding the base branch.

ref: https://gitlab.com/gitlab-org/gitlab/-/issues/29620
2023-10-29 21:29:33 +08:00
Sebastian Brückner 8faa38568b
Use GitLab's squash_commit_sha when available (#27824)
Before this PR, the PR migration code populates Gitea's MergedCommitID
field by using GitLab's merge_commit_sha field. However, that field is
only populated when the PR was merged using a merge strategy. When a
squash strategy is used, squash_commit_sha is populated instead.

Given that Gitea does not keep track of merge and squash commits
separately, this PR simply populates Gitea's MergedCommitID by using
whichever field is present in the GitLab API response.
2023-10-29 00:54:58 +00:00
KN4CK3R ab3f6c1bac
Close all hashed buffers (#27787)
Add missing `.Close()` calls. The current code does not delete the
temporary files if the data grows over 32mb.
2023-10-25 21:24:24 +02:00
merlleu 796ff26e0e
Do not force creation of _cargo-index repo on publish (#27266)
Hello there,
Cargo Index over HTTP is now prefered over git for package updates: we
should not force users who do not need the GIT repo to have the repo
created/updated on each publish (it can still be created in the packages
settings).

The current behavior when publishing is to check if the repo exist and
create it on the fly if not, then update it's content.
Cargo HTTP Index does not rely on the repo itself so this will be
useless for everyone not using the git protocol for cargo registry.

This PR only disable the creation on the fly of the repo when publishing
a crate.

This is linked to #26844 (error 500 when trying to publish a crate if
user is missing write access to the repo) because it's now optional.

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-10-24 03:26:38 +00:00
silverwind ce83609ff6
Upgrade to golangci-lint@v1.55.0 (#27756)
https://github.com/golangci/golangci-lint/releases/tag/v1.55.0
2023-10-24 02:54:59 +00:00
wxiaoguang f3956fcb28
Fix incorrect ctx usage in defer function (#27740) 2023-10-22 14:12:27 +00:00
6543 e83f2cbbac
Add doctor dbconsistency fix to delete repos with no owner (#27290)
to address #27273
replace #24873
2023-10-19 15:20:52 +02:00
JakobDev 3dc0c962bf
Delete repos of org when purge delete user (#27273)
Fixes https://codeberg.org/forgejo/forgejo/issues/1514

I had to remove `RenameOrganization` to avoid circular import.

We should really add some foreign keys to the database.
2023-10-19 13:16:11 +00:00
Lunny Xiao 9852c92e9a
Remove unnecessary parameter (#27671) 2023-10-18 15:03:10 +00:00
KN4CK3R 83186eca80
Always delete existing scheduled action tasks (#27662)
Fixes #27650
2023-10-18 10:34:39 +00:00
Jason Song 4e98224a45
Support allowed hosts for webhook to work with proxy (#27655)
When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.

But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.

This PR fixes it by:

- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.
2023-10-18 09:44:36 +00:00
Lunny Xiao eeb1e0242b
Fix poster is not loaded in get default merge message (#27657) 2023-10-17 15:07:23 +00:00
Jason Song 1be49fdda6
Improve retrying index issues (#27554)
Fix #27540
2023-10-15 18:56:57 +00:00
Lunny Xiao cddf245c12
Replace more db.DefaultContext (#27628)
Target #27065
2023-10-15 17:46:06 +02:00
JakobDev 76a85a4ce9
Final round of db.DefaultContext refactor (#27587)
Last part of #27065
2023-10-14 08:37:24 +00:00
KN4CK3R c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
wxiaoguang 1d155a43ad
Fix data-race bug when accessing task.LastRun (#27584) 2023-10-11 14:51:20 +00:00
Nanguan Lin dc04044716
Replace assert.Fail with assert.FailNow (#27578)
assert.Fail() will continue to execute the code while assert.FailNow()
not. I thought those uses of assert.Fail() should exit immediately.
PS: perhaps it's a good idea to use
[require](https://pkg.go.dev/github.com/stretchr/testify/require)
somewhere because the assert package's default behavior does not exit
when an error occurs, which makes it difficult to find the root error
reason.
2023-10-11 11:02:24 +00:00
Earl Warren 1050d7a78f
show manual cron run's last time (#27544)
- Currently in the cron tasks, the 'Previous Time' only displays the
previous time of when the cron library executes the function, but not
any of the manual executions of the task.
- Store the last run's time in memory in the Task struct and use that,
when that time is later than time that the cron library has executed
this task.
- This ensures that if an instance admin manually starts a task, there's
feedback that this task is/has been run, because the task might be run
that quick, that the status icon already has been changed to an
checkmark,
- Tasks that are executed at startup now reflect this as well, as the
time of the execution of that task on startup is now being shown as
'Previous Time'.
- Added integration tests for the API part, which is easier to test
because querying the HTML table of cron tasks is non-trivial.
- Resolves https://codeberg.org/forgejo/forgejo/issues/949

(cherry picked from commit fd34fdac14)

---------

Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: silverwind <me@silverwind.io>
2023-10-11 07:28:16 +00:00
JakobDev ebe803e514
Penultimate round of db.DefaultContext refactor (#27414)
Part of #27065

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-10-11 04:24:07 +00:00
Lunny Xiao 5c9fbcca00
Fix attachment download bug (#27486) 2023-10-10 15:33:56 +00:00
yp05327 5a7ab86b98
Avoid run change title process when the title is same (#27467)
If user only changed the target branch or just did nothing and clicked
the `Save` button, you will see the change log as following:

![image](https://github.com/go-gitea/gitea/assets/18380374/d30927dd-9227-4653-8fac-b890ef0b3f88)

This makes no sense, so we should check whether the title is surely
changed before run the `ChangeTitle`.
2023-10-06 18:00:53 +00:00
Eng Zer Jun 13d5d2e711
Remove redundant len check around loop (#27464)
This pull request is a minor code cleanup.

From the Go specification (https://go.dev/ref/spec#For_range):

> "1. For a nil slice, the number of iterations is 0."
> "3. If the map is nil, the number of iterations is 0."

`len` returns 0 if the slice or map is nil
(https://pkg.go.dev/builtin#len). Therefore, checking `len(v) > 0`
before a loop is unnecessary.

---

At the time of writing this pull request, there wasn't a lint rule that
catches these issues. The closest I could find is
https://staticcheck.dev/docs/checks/#S103

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-10-06 14:49:37 +08:00
JakobDev cc5df26680
Even more db.DefaultContext refactor (#27352)
Part of #27065

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
2023-10-03 10:30:41 +00:00
Francesco Antognazza bc21723717
Make Actions tasks/jobs timeouts configurable by the user (#27400)
With this PR we added the possibility to configure the Actions timeouts
values for killing tasks/jobs.
Particularly this enhancement is closely related to the `act_runner`
configuration reported below:
```
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
```

---

Setting the corresponding key in the INI configuration file, it is
possible to let jobs run for more than 3 hours.

Signed-off-by: Francesco Antognazza <francesco.antognazza@gmail.com>
2023-10-02 23:09:26 +02:00
delvh e709bc199f
Differentiate between push and pull mirror sync in progress (#27390)
Previously, if you had both a push and a pull mirror, the message did
not clarify if you've accidentally synchronized the wrong one.
Additionally fixed two typos that were encountered while debugging.

## Screenshots

![grafik](https://github.com/go-gitea/gitea/assets/51889757/164d5d20-728d-4365-9cb5-c37e95857cdf)

![grafik](https://github.com/go-gitea/gitea/assets/51889757/90bfffd2-abd4-4847-b8e2-db4231700a6d)
2023-10-02 14:52:18 +00:00
Earl Warren cb68e01e22
simplify issue deletion query (#27312)
- There's no need for `In` to be used, as it's a single parameter that's
being passed.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1521

(cherry picked from commit 4a4955f43a)

Co-authored-by: Gusted <postmaster@gusted.xyz>
2023-10-02 02:30:10 +00:00
CaiCandong 87aa552531
Fix unexpected context canceled when migrating repository (#27368)
Fix #27363

Regression of #27089
2023-10-01 12:04:35 +00:00
CaiCandong 7ad31567cd
Fix ldap admin privileges update bug (#27051)
When the user does not set a username lookup condition, LDAP will get an
empty string `""` for the user, hence the following code
```
if isExist, err := user_model.IsUserExist(db.DefaultContext, 0, sr.Username)
```
The user presence determination will always be nonexistent, so updates
to user information will never be performed.


Fix #27049
2023-10-01 11:32:12 +00:00
Lunny Xiao 6e87a44034
Allow get release download files and lfs files with oauth2 token format (#26430)
Fix #26165
Fix #25257
2023-10-01 10:41:52 +00:00
JakobDev cf0df023be
More db.DefaultContext refactor (#27265)
Part of #27065

This PR touches functions used in templates. As templates are not static
typed, errors are harder to find, but I hope I catch it all. I think
some tests from other persons do not hurt.
2023-09-29 12:12:54 +00:00
Dmitry Sharshakov 5e02e3b7ee
Add support for forking single branch (#25821)
Fixes #25117

Add UI for choosing branch to fork

Change default branch on single-branch forks


![image](https://github.com/go-gitea/gitea/assets/19504461/28505f69-a9a2-43a8-8b19-a0cdac3ddc5a)

---------

Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-29 09:48:39 +08:00
JakobDev 1c039b4e1e
Fix Bug in Issue Config when only contact links are set (#26521)
Blank Issues should be enabled if they are not explicit disabled through
the `blank_issues_enabled` field of the Issue Config. The Implementation
has currently a Bug: If you create a Issue Config file with only
`contact_links` and without a `blank_issues_enabled` field,
`blank_issues_enabled` is set to false by default.

The fix is only one line, but I decided to also improve the tests to
make sure there are no other problems with the Implementation.

This is a bugfix, so it should be backported to 1.20.
2023-09-28 20:16:40 +08:00
Lunny Xiao 673cf6af76
make writing main test easier (#27270)
This PR removed `unittest.MainTest` the second parameter
`TestOptions.GiteaRoot`. Now it detects the root directory by current
working directory.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-28 01:38:53 +00:00
JakobDev 7047df36d4
Another round of db.DefaultContext refactor (#27103)
Part of #27065

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-09-25 13:17:37 +00:00
Nabapadma-sarker 8e23524b18
Fix PushEvent NullPointerException jenkinsci/github-plugin (#27203)
Fixes #27202
2023-09-24 19:02:47 +00:00
Daniel Kilimnik 0ee7cbf725
Fix push mirror, wrong timestamp format (#27153)
I noticed, that the push mirrors endpoint, is the only endpoint which
returns the times in long format rather than as time.Time().

I think the behavior should be consistent across the project.

----

## ⚠️ BREAKING ⚠️

This PR changes the time format used in API responses for all
push_mirror endpoints which return a push mirror.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-09-23 12:15:05 +00:00
JakobDev 28f9b313ba
Updates to the API for archived repos (#27149) 2023-09-21 23:43:29 +00:00
John Olheiser 7520cd678c
Fix release URL in webhooks (#27182) 2023-09-21 17:55:09 -05:00
delvh 707c69f399
Fix successful return value for SyncAndGetUserSpecificDiff (#27152)
A function should not return an error when it is successful.
Otherwise, things like https://discord.com/channels/322538954119184384/322538954119184384/1153705341620600833 happen…
2023-09-20 22:28:17 +02:00
wxiaoguang 2814f2fea1
Fix incorrect test code for error handling (#27139)
If `assert.NoError` fails, it should return. Otherwise the code could
still execute even if the error occurs.
2023-09-20 08:51:36 +08:00
silverwind 1b1c55f73f
Increase auth provider icon size on login page (#27122)
Before, 20px:
<img width="474" alt="Screenshot 2023-09-19 at 00 10 05"
src="https://github.com/go-gitea/gitea/assets/115237/4bed4edb-219d-4844-9d3c-0d747033b09f">

After, 28px:
<img width="576" alt="Screenshot 2023-09-19 at 00 20 40"
src="https://github.com/go-gitea/gitea/assets/115237/f482ac09-38ae-4c84-80d9-0bd39b7f9772">


Dropdown in account settings is unchanged at 20px:
<img width="157" alt="Screenshot 2023-09-19 at 00 09 11"
src="https://github.com/go-gitea/gitea/assets/115237/9c998cdf-eeed-4118-9262-664faaa56092">

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-09-19 21:47:13 +00:00