Commit graph

32 commits

Author SHA1 Message Date
Earl Warren d09a6d130c Merge pull request 'Update module github.com/go-enry/go-enry/v2 to v2.8.8' (#3723) from renovate/github.com-go-enry-go-enry-v2-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3723
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-13 18:28:44 +00:00
Earl Warren 48c18e17d5
chore(release-notes): go-enry v2.8.8
Refs: https://codeberg.org/forgejo/forgejo/pulls/3723
2024-05-13 17:32:28 +02:00
Earl Warren 337f4f9d87
Rename Str2html to SanitizeHTML and clarify its behavior (followup) (take 2)
In
  801792e4dc Rename Str2html to SanitizeHTML and clarify its behavior (followup)
the replacement was incorrect because
  c9d0e63c20  Remove unnecessary "Str2html" modifier from templates
was not applied and Str2html should have not been present in the first
place.

Fixes: https://codeberg.org/forgejo/forgejo/issues/3554
2024-05-13 17:05:03 +02:00
Renovate Bot 8672ad12b1 Update module github.com/caddyserver/certmagic to v0.21.0 (#3724)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/caddyserver/certmagic](https://github.com/caddyserver/certmagic) | require | minor | `v0.20.0` -> `v0.21.0` |

---

### Release Notes

<details>
<summary>caddyserver/certmagic (github.com/caddyserver/certmagic)</summary>

### [`v0.21.0`](https://github.com/caddyserver/certmagic/releases/tag/v0.21.0)

[Compare Source](https://github.com/caddyserver/certmagic/compare/v0.20.0...v0.21.0)

CertMagic v0.21 introduces some big changes:

-   Draft support for draft-03 of [ACME Renewal Information (ARI)](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/) which assists with deciding when to renew certificates. This augments CertMagic's already-advanced logic using cert lifetime and OCSP/revocation status.
-   New [`ZeroSSLIssuer`](https://pkg.go.dev/github.com/caddyserver/certmagic@v0.21.0#ZeroSSLIssuer) uses the [ZeroSSL API](https://zerossl.com/documentation/api/) to get certificates. ZeroSSL also has an ACME endpoint, which can still be accesed using the existing ACMEIssuer, as always. Their proprietary API is paid, but has extra features like IP certificates, better reliability, and support.
-   DNS challenges should be smoother in some cases as we've improved propagation checking.
-   In the odd case your ACME account disappears from the ACME server, CertMagic will automatically retry with a new account. (This happens in some test/dev environments.)
-   ACME accounts are identified only by their public keys, but CertMagic maps accounts by CA+email for practical/storage reasons. So now you can "pin" an account key to use by specifying your email and the account public key in your config, which is useful if you need to absolutely be sure to use a specific account (like if you get rate limit exemptions from a CA).

Please try it out and report any issues!

Thanks to [@&#8203;Framer](https://github.com/Framer) for their contributions to this release!

#### What's Changed

-   Bump golang.org/x/crypto from 0.14.0 to 0.17.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/caddyserver/certmagic/pull/264
-   Demote "storage cleaning happened too recently" from WARN to INFO by [@&#8203;francislavoie](https://github.com/francislavoie) in https://github.com/caddyserver/certmagic/pull/270
-   Check DNS propagation at authoritative nameservers only with default resolvers by [@&#8203;pgeh](https://github.com/pgeh) in https://github.com/caddyserver/certmagic/pull/274
-   Retry with new account if account disappeared remotely by [@&#8203;mholt](https://github.com/mholt) in https://github.com/caddyserver/certmagic/pull/269
-   Update readme examples to use TLS-ALPN const from ACMEz by [@&#8203;goksan](https://github.com/goksan) in https://github.com/caddyserver/certmagic/pull/277
-   Initial implementation of ZeroSSL API issuer by [@&#8203;mholt](https://github.com/mholt) in https://github.com/caddyserver/certmagic/pull/279
-   Allow deleting directories via FileStorage by [@&#8203;goksan](https://github.com/goksan) in https://github.com/caddyserver/certmagic/pull/282
-   Use the `email` configuration in the ACME issuer to "pin" an account to a key by [@&#8203;ankon](https://github.com/ankon) in https://github.com/caddyserver/certmagic/pull/283
-   Initial implementation of ARI by [@&#8203;mholt](https://github.com/mholt) in https://github.com/caddyserver/certmagic/pull/286

#### New Contributors

-   [@&#8203;pgeh](https://github.com/pgeh) made their first contribution in https://github.com/caddyserver/certmagic/pull/274
-   [@&#8203;goksan](https://github.com/goksan) made their first contribution in https://github.com/caddyserver/certmagic/pull/277

**Full Changelog**: https://github.com/caddyserver/certmagic/compare/v0.20.0...v0.21.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - "before 4am" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNTEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjM1MS4yIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6W119-->

Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3724
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-05-12 14:56:39 +00:00
Earl Warren 09855c0caf Merge pull request 'Add a release note for #3285' (#3697) from algernon/forgejo:release-notes/cloning-in-sshtyle into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3697
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-10 09:32:35 +00:00
Gergely Nagy a5c038f5e8
Add a release note for #3464
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-10 09:39:52 +02:00
Gergely Nagy 9d1ceee797
Add a release note for #3285
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-10 09:32:07 +02:00
Gergely Nagy 9cb2aa989a
Teach activities.GetFeeds() how to avoid returning duplicates
Before explaining the fix itself, lets look at the `action` table, and
how it is populated. Data is only ever inserted into it via
`activities_model.NotifyWatchers`, which will:

- Insert a row for each activity with `UserID` set to the acting user's
  ID - this is the original activity, and is always inserted if anything
  is to be inserted at all.
- It will insert a copy of each activity with the `UserID` set to the
  repo's owner, if the owner is an Organization, and isn't the acting
  user.
- It will insert a copy of each activity for every watcher of the repo,
  as long as the watcher in question has read permission to the repo
  unit the activity is about.

This means that if a repository belongs to an organizations, for most
activities, it will have at least two rows in the table. For
repositories watched by people other than their owner, an additional row
for each watcher.

These are useful duplicates, because they record which activities are
relevant for a particular user. However, for cases where we wish to see
the activities that happen around a repository, without limiting the
results to a particular user, we're *not* interested in the duplicates
stored for the watchers and the org. We only need the originals.

And this is what this change does: it introduces an additional option to
`GetFeedsOptions`: `OnlyPerformedByActor`. When this option is set,
`activities.GetFeeds()` will only return the original activities, where
the user id and the acting user id are the same. As these are *always*
inserted, we're not missing out on any activities. We're just getting
rid of the duplicates. As this is an additional `AND` condition, it can
never introduce items that would not have been included in the result
set before, it can only reduce, not extend.

These duplicates were only affecting call sites where `RequestedRepo`
was set, but `RequestedUser` and `RequestedTeam` were not. Both of those
call sites were updated to set `OnlyPerformedByActor`. As a result,
repository RSS feeds, and the `/repos/{owner}/{repo}/activities/feeds`
API end points no longer return dupes, only the original activities.

Rather than hardcoding this behaviour into `GetFeeds()` itself, I chose
to implement it as an explicit option, for the sake of clarity.

Fixes Codeberg/Community#684, and addresses gitea#20986.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-09 18:33:33 +02:00
Gergely Nagy f4dd53d79d Fix an incorrect form submission in repo-issue.js (#3675)
This fixes `initRepoPullRequestAllowMaintainerEdit()` to submit the form correctly (as a web form, rather than as JSON payload).

Fixes #3618, cherry picked from gitea#30854.

Co-Authored-By: wxiaoguang <wxiaoguang@gmail.com>

---

Manual testing steps:

- Open a PR against any repository, with the "Allow edits from maintainers" option checked.
- Open the developer console (`Ctrl-Shift-I` on Firefox), and look at the Network tab.
- Visit the PR, find the "Allow edits from maintainers" checkbox, and click it.
- See the developer console, and check that the response says the setting is false.
- Refresh the page *completely* (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is off.
- Click the box again to enable it.
- See the developer console, and check that the response says the setting is true.
- Reload without cache again (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is now on.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3675
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-08 21:14:46 +00:00
Earl Warren f3045f0519
fix(security): CVE-2024-24788 malformed DNS message
Refs: https://pkg.go.dev/vuln/GO-2024-2824
2024-05-08 14:25:08 +02:00
0ko b034ab5a8e [UI] Allow org members to navigate between the org and the dashboard
- add a new button to the org view that is only shown to the org members
- add integration test to verify the expected navigatability
- add a new translation string to that button
- fix display style of "View <orgname>" button on the dashboard
- fix gap size between buttons on the org view by utilizing the common class top-right-buttons
2024-05-05 23:14:57 +05:00
Earl Warren c9624d4cdb Merge pull request 'Add an immutable tarball link to archive download headers for Nix' (#3615) from jadeprime/forgejo:jade/nix-tarball-link into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3615
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-04 07:01:02 +00:00
Jade Lovelace 6631f56ebf Add an immutable tarball link to archive download headers for Nix
This allows `nix flake metadata` and nix in general to lock a *branch*
tarball link in a manner that causes it to fetch the correct commit even
if the branch is updated with a newer version.

For further context, Nix flakes are a feature that, among other things,
allows for "inputs" that are "github:someuser/somerepo",
"https://some-tarball-service/some-tarball.tar.gz",
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
tarballs of git-based inputs to their builds rather than using git to
fetch them, saving significant download time.

There is presently no gitea or forgejo specific fetcher in Nix, and we
don't particularly wish to have one. Ideally (as a developer on a Nix
implementation myself) we could just use the generic tarball fetcher and
not add specific forgejo support, but to do so, we need additional
metadata to know which commit a given *branch* tarball represents, which
is the purpose of the Link header added here.

The result of this patch is that a Nix user can specify `inputs.something.url =
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
and get a link to some concrete tarball for the actual commit in the
lock file, then when they run `nix flake update` in the future, they
will get the latest commit in that branch.

Example of it working locally:

 » nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
Resolved URL:  http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
Locked URL:    804ede182b.tar.gz?dir=configs
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
Description:   Computers with the nixos
Path:          /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
Revision:      804ede182b6b66469b23ea4d21eece52766b7a06
Last modified: 2024-05-02 00:48:32

For details on the header value, see:
56763ff918/doc/manual/src/protocols/tarball-fetcher.md
2024-05-03 15:21:45 -07:00
0ko 787b16a7be [THEME] fix text selection color
regression of c2280a2009
2024-05-02 21:31:03 +05:00
0ko d096a21da6 Fix inconsistent required field (#3583)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3583
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-05-01 18:29:42 +00:00
varp0n 4a2959b3ec FIX gogs migration if gogs is hosted at a subpath (#3572)
Also add a test for GogsDownloaderFactory.New() to make sure
that the URL of the source repository is parsed correctly.

When the source gogs instance is hosted at a subpath like `https://git.example.com/gogs/<username>/<reponame>` the migration fails.
This PR fixes that.

Co-authored-by: hecker <tomas.hecker@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3572
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: varp0n <tom@gkstn.de>
Co-committed-by: varp0n <tom@gkstn.de>
2024-05-01 16:28:44 +00:00
Earl Warren a050b546b9
[skip ci] docs(release-notes): 7.0.2 2024-05-01 14:22:18 +02:00
Gergely Nagy 632a274b8f
Fix Issue watching / unwatching on the web ui
When subscribing or unsubscribing to/from an issue on the web ui, the
request was posted to a route handled by `repo.IssueWatch`. This
function used `ctx.Req.PostForm.Get()`, erroneously.

`request.PostForm` is *only* available if `request.ParseForm()` has been
called before it. The function in question did not do that. Under some
circumstances, something, somewhere did end up calling `ParseForm()`,
but not in every scenario.

Since we do not need to check for multiple values, the easiest fix here
is to use `ctx.Req.PostFormValue`, which will call `ParseForm()` if
necessary.

Fixes #3516.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 11:04:54 +02:00
Earl Warren 8f93ac7e7a Merge pull request 'feat: UI: use full screen height for displaying pdf files' (#3434) from Beowulf/forgejo:full-screen-height-pdf into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3434
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 07:03:15 +00:00
Gergely Nagy 0d029ebe6d
Fix git_model.FindBranchesByRepoAndBranchName
When a logged in user with no repositories visits their dashboard, it will
display a search box that lists their own repositories.

This is served by the `repo.SearchRepos` handler, which in turn calls
`commitstatus_service.FindReposLastestCommitStatuses()` with an empty
repo list.

That, in turn, will call `git_model.FindBranchesByRepoAndBranchName()`,
with an empty map. With no map, `FindBranchesByRepoAndBranchName()` ends
up querying the entire `branch` table, because no conditions were set
up.

Armed with a gazillion repo & commit shas, we return to
`FindReposLastestCommitStatuses`, and promptly call
`git_model.GetLatestCommitStatusForPairs`, which constructs a monstrous
query with so many placeholders that the database tells us to go
somewhere else, and flips us off. At least on instances the size of
Codeberg. On smaller instances, it will eventually return, and throw
away all the data, and return an empty set, having performed all this
for naught.

We fix this by short-circuiting `FindBranchesByRepoAndBranchName`, and
returning fast if our inputs are empty.

A test case is included.

Fixes #3521.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 00:34:39 +02:00
Earl Warren 9a3a3feb4c Merge pull request 'Add inline attachments to comments and prevent double handling of mails' (#3504) from Beowulf/forgejo:mail-inline-attachments-not-added-to-comment into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3504
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-30 12:19:42 +00:00
Beowulf 34134df3a7
added release notes 2024-04-30 12:05:22 +02:00
Earl Warren ce2becb55e Merge pull request 'feat: implement PKCE when acting as oauth2 client (for user login)' (#3307) from oliverpool/forgejo:pkce into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3307
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-29 10:58:17 +00:00
oliverpool e1d93950ad feat: implement PKCE when acting as oauth2 client (for user login)
Closes #2766
2024-04-29 11:20:26 +02:00
JakobDev d59ebc3e32
Add release note for #3139 2024-04-28 22:44:59 +02:00
Otto Richter 5c76c37a50 Release notes for Limit database max connections by default 2024-04-27 22:03:25 +02:00
Baptiste Daroussin 08f5a25d3b ldap: default domain name (#3414)
When the ldap synchronizer is look for an email address and fails at
finding one, it falls back at creating one using "localhost.local"
domain.

This new field makes this domain name configurable.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3414
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Baptiste Daroussin <bapt@FreeBSD.org>
Co-committed-by: Baptiste Daroussin <bapt@FreeBSD.org>
2024-04-26 22:38:58 +00:00
Earl Warren 4da76d0e5f Merge pull request 'fix(Dockerfile.rootless): revert to default path for app.ini' (#3363) from gmask/forgejo:fix/container-app-ini-variable into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3363
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-26 22:36:33 +00:00
Earl Warren a5df622099
docs(release-notes): 7.0.1 2024-04-27 00:31:22 +02:00
Gerard Salvatella dad16cd589 fix(Dockerfile.rootless): revert to default path for app.ini
The current path of the `$GITEA_APP_INI` configuration file makes the
forgejo application reset every time the container is restarted, unless
a specific volume for this file is created. Consider the following:

* This quirk is not documented
* All configuration data resides in `/var/lib/gitea`
* The custom configuration path defaults to `/var/lib/gitea/custom/conf`
  (see `forgejo -h`)
* Containers mounting the volume `-v /foo/bar:/var/lib/gitea` already
  have this file available to modify. Another volume shouldn't be
  required
* Containers using named volumes can use `docker cp` to modify the file
  inside the volume, if desired

For these reasons, it makes more sense to use the default path for
`$GITEA_APP_INI` rather than require users to create a dedicated volume
for the file. Revert it back to its default while maintaining backwards
compatibility (users can update by simply moving the file to the new
path).
2024-04-26 21:30:10 +02:00
Beowulf 9035b400a6
UI: use full screen height for displaying pdf files 2024-04-26 20:42:45 +02:00
Earl Warren 127eff49ee docs(release-notes): split items in files to avoid conflicts (#3452)
I thought there would be conflicts but that they would not be so difficult to manage. Worst idea I had this week. Change to @oliverpool idea instead.

> Instead of documenting the release notes in the issue, why not in the codebase?
>
> For instance in [go](https://cs.opensource.google/go/go/+/master:doc/README.md) there is a `doc/next` folder where you add `<pr-number>.md` files which document each pr.
>
> Before the release, a script takes all those files to generate the changelog.
>
> Having them as a file tracked by git, makes them easy to review and to programmatically handle.

Refs: https://codeberg.org/forgejo/discussions/issues/155#issuecomment-1787013
Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3452
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2024-04-26 08:26:33 +00:00