Commit graph

228 commits

Author SHA1 Message Date
Loïc Dachary
9ce97ac685
test POST /{owner}/{repo}/comments/{id}
Conflicts:
	tests/integration/issue_test.go

(cherry picked from commit 9c14e4f103)
2023-11-26 06:40:03 +01:00
Loïc Dachary
ed87de558f
test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
Conflicts:
	tests/integration/api_comment_test.go

(cherry picked from commit 236c5e172c)
2023-11-26 06:40:03 +01:00
Loïc Dachary
dac56f7ed7
test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
Conflicts:
	tests/integration/api_comment_test.go

(cherry picked from commit 49a246f407)
2023-11-26 06:40:03 +01:00
Lunny Xiao
db0d71ec0f
Fix comment permissions (#28213) (#28217)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit dfd511faf3)
2023-11-26 06:35:50 +01:00
Loïc Dachary
a6adf7fc01
Revert "test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 8726ce2635.
2023-11-26 06:34:39 +01:00
Loïc Dachary
8aed1fa594
Revert "test GET /api/v1/repos/{owner}/{repo}/issues/comments/{id}/assets/{attachment_id}"
This reverts commit e02448bbf5.
2023-11-26 06:34:39 +01:00
Loïc Dachary
d0bafb6775
Revert "test {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit f59a6cc0e4.
2023-11-26 06:34:39 +01:00
Loïc Dachary
d8204f3e8f
Revert "test GET /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 2af5a75d71.
2023-11-26 06:34:39 +01:00
Loïc Dachary
5209a09375
Revert "test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 939a66e25c.
2023-11-26 06:34:39 +01:00
Loïc Dachary
9d8249d9d6
Revert "test POST /{owner}/{repo}/comments/{id}/delete"
This reverts commit d2c16d9c2d.
2023-11-26 06:34:38 +01:00
Loïc Dachary
027e3a7206
Revert "test POST /{owner}/{repo}/comments/{id}"
This reverts commit 0d7893ca8a.
2023-11-26 06:34:38 +01:00
Loïc Dachary
2e1d6d2ef2
Revert "test GET /{owner}/{repo}/comments/{id}/attachments"
This reverts commit 4903135a93.
2023-11-26 06:34:38 +01:00
Loïc Dachary
15cc486204
Revert "test POST /{username}/{reponame}/{tags,release}/delete"
This reverts commit d7b11f5378.
2023-11-26 06:34:37 +01:00
Loïc Dachary
98098de1f7
Revert "test GET /api/v1/repos/{owner}/{repo}/keys/{id}"
This reverts commit d095e4fdc5.
2023-11-26 06:34:37 +01:00
Loïc Dachary
d93f6c153f
Revert "test POST /{username}/{reponame}/{type:issues|pulls}/move_pin"
This reverts commit 1e5940b020.
2023-11-26 06:34:37 +01:00
Loïc Dachary
1e5940b020
test POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
2023-11-25 08:08:37 +01:00
Loïc Dachary
d095e4fdc5
test GET /api/v1/repos/{owner}/{repo}/keys/{id}
(cherry picked from commit f5ad29dbc77df834a3b5b9a63b19bca680a9f5ed)
2023-11-25 08:08:37 +01:00
Loïc Dachary
d7b11f5378
test POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit 78dcbb62fe87abe044034d880c9e8c22b44c2c98)
2023-11-25 08:08:37 +01:00
Loïc Dachary
4903135a93
test GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit 888dda12cf9bc95f9ef85ba5a518cf40152e07ea)
2023-11-25 07:23:34 +01:00
Loïc Dachary
0d7893ca8a
test POST /{owner}/{repo}/comments/{id}
(cherry picked from commit 61db02681a024220d6d2fe61c1479fd03cb341ea)
2023-11-25 07:23:34 +01:00
Loïc Dachary
d2c16d9c2d
test POST /{owner}/{repo}/comments/{id}/delete
(cherry picked from commit 02da8922f1d9ea8e0985b10a3003315f57b14b46)
2023-11-25 07:23:34 +01:00
Loïc Dachary
939a66e25c
test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 11dcaa7ec84bcb2931bfe001d4c6a02c5af4ec5b)
2023-11-25 07:23:33 +01:00
Loïc Dachary
2af5a75d71
test GET /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit 58d923ccbaad1ec12120800b28dbfe6c8c225556)
2023-11-25 07:23:33 +01:00
Loïc Dachary
f59a6cc0e4
test {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit ffcd2e79ac3ef63cd33d3ca9a18dae5f16431e54)
2023-11-25 07:23:33 +01:00
Loïc Dachary
e02448bbf5
test GET /api/v1/repos/{owner}/{repo}/issues/comments/{id}/assets/{attachment_id}
via getIssueCommentSafe

(cherry picked from commit 9a11049715f1194cad777d5dde0ee514fa15d1f1)
2023-11-25 07:23:33 +01:00
Loïc Dachary
8726ce2635
test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 362f340ed9ee28627140ca06dd7487a8989ef62b)
2023-11-25 07:23:33 +01:00
Loïc Dachary
5d18f4b19f
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
(cherry picked from commit 7b0549cd70)
(cherry picked from commit 13e10a65d9)
(cherry picked from commit 65bdd73cf2)
(cherry picked from commit 64eba8bb92)
(cherry picked from commit 4c49b1a759)
(cherry picked from commit 93b4d06406)
(cherry picked from commit e2bc5f36d9)
(cherry picked from commit 2bee76f9df)
(cherry picked from commit 3d8a1b4a9f)
(cherry picked from commit 99dd092cd0)
(cherry picked from commit 0fdbd02204)
(cherry picked from commit 70b277a183)
(cherry picked from commit 3eece7fbb4)
(cherry picked from commit 4838fc9e11)
(cherry picked from commit b76ed541cf)
(cherry picked from commit dcdfb5b65c)
(cherry picked from commit 377dc48cdc)
(cherry picked from commit acc862f411)
(cherry picked from commit ac75ef101f)
(cherry picked from commit 08f2d9f7c5)
(cherry picked from commit e4096f0b64)
(cherry picked from commit bf5876f062)
(cherry picked from commit 7dc60637e5)
(cherry picked from commit ef3101774b)
(cherry picked from commit ecb9e8867c)
(cherry picked from commit 64f0ae72fe)
(cherry picked from commit 8dd6ec7862)
(cherry picked from commit b36723e52b)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb8)
(cherry picked from commit 1d87602819)
(cherry picked from commit 0f72002d66)
(cherry picked from commit da2556eb13)
(cherry picked from commit c01688cd90)
(cherry picked from commit af4bba8329)
(cherry picked from commit 33ca322c2e)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d44)
(cherry picked from commit 27c4797c9f)
2023-11-14 13:17:12 +01:00
KN4CK3R
44df78edd4
Unify two factor check (#27915) (#27939)
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

(cherry picked from commit 00705da102)
2023-11-14 13:17:12 +01:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Earl Warren
5aad8a6918
[GITEA] enable system users for comment.LoadPoster
System users (Ghost, ActionsUser, etc) have a negative id and may be
the author of a comment, either because it was created by a now
deleted user or via an action using a transient token.

The GetPossibleUserByID function has special cases related to system
users and will not fail if given a negative id.

Refs: https://codeberg.org/forgejo/forgejo/issues/1425
(cherry picked from commit 97667e06b3)
2023-09-12 11:02:07 +02:00
wxiaoguang
9c0380fe84
Avoid double-unescaping of form value (#26853) (#26863)
Backport #26853

The old `prepareQueryArg` did double-unescaping of form value.

(cherry picked from commit e8da63c24e)
2023-09-08 08:09:18 +02:00
KN4CK3R
471138829b
Fix NuGet search endpoints (#25613) (#26499)
Backport of #25613

Fixes #25564
Fixes #23191

- Api v2 search endpoint should return only the latest version matching
the query
- Api v3 search endpoint should return `take` packages not package
versions

(cherry picked from commit 762d4245fb)
2023-08-21 07:27:20 +02:00
Earl Warren
1ffddf75d6
[DB] run all Forgejo migrations in integration tests
The tests at tests/integration/migration-test/migration_test.go will
not run any Forgejo migration when using the gitea-*.sql.gz files
because they do not contain a ForgejoVersion row which is interpreted
as a new Forgejo installation for which there is no need for migration.

Create a situation by which the ForgejoVersion table exists and has a
version of 0 in tests/integration/migration-test/forgejo-v1.19.0.*.sql.gz
thus ensuring all Forgejo migrations are run.

The forgejo*.sql.gz files do not have any Gitea related records, which
will be interpreted by the Gitea migrations as a new installation that
does not need any migration. As a consequence the migration tests run
when using forgejo-v1.19.0.*.sql.gz are exclusively about Forgejo
migrations.

(cherry picked from commit ec8003859c)
2023-08-21 07:22:18 +02:00
Earl Warren
d83135c204
Revert "[GITEA] Use join for the deleting issue actions query"
This reverts commit 9b71369be9.
2023-08-21 07:22:17 +02:00
Earl Warren
20557c6bdb
[BRANDING] define the forgejo webhook type
templates/swagger/v1_json.tmpl updated with `make generate-swagger`

(cherry picked from commit 88899c492e)
(cherry picked from commit 7171bd9617)
(cherry picked from commit 1a742446c1)
(cherry picked from commit d7c189d7b2)

Conflicts:
	routers/web/web.go
(cherry picked from commit cbdea868e4)
(cherry picked from commit 6cd150483b)
(cherry picked from commit 47246da8d3)
(cherry picked from commit f2aa0e6b76)
(cherry picked from commit 5a4fc69a16)
(cherry picked from commit 48e444ca09)
(cherry picked from commit 888e537811)
(cherry picked from commit 5121f493c9)
(cherry picked from commit 9394e55fdf)
(cherry picked from commit 3a2ce51768)
(cherry picked from commit 719ead3a65)
(cherry picked from commit 83e6f82e2a)
(cherry picked from commit 494a429b21)
(cherry picked from commit 4d775db6b4)
(cherry picked from commit b68f777dc2)
(cherry picked from commit 5b934023fa)
(cherry picked from commit 3b1ed8b16c)
(cherry picked from commit 6bc4a46c9f)
(cherry picked from commit 8064bb24a3)

Conflicts:
	templates/admin/hook_new.tmpl
	templates/org/settings/hook_new.tmpl
	templates/repo/settings/webhook/base_list.tmpl
	templates/repo/settings/webhook/new.tmpl
	templates/user/settings/hook_new.tmpl
	https://codeberg.org/forgejo/forgejo/pulls/1181

(cherry picked from commit 55f5588a91)

Conflicts:
	routers/web/web.go
	https://codeberg.org/forgejo/forgejo/issues/1219
2023-08-21 07:22:16 +02:00
Earl Warren
c862cc15c8
Revert "[BRANDING] define the forgejo webhook type"
This reverts commit 02ba08ca84.
2023-08-21 07:22:16 +02:00
JakobDev
d89003cc1b Fix API leaking Usermail if not logged in (#25097)
The API should only return the real Mail of a User, if the caller is
logged in. The check do to this don't work. This PR fixes this. This not
really a security issue, but can lead to Spam.

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit ea385f5d39)
2023-08-05 11:43:54 +00:00
Gusted
5f769ef20d [GITEA] Show manual cron run's last time
- Currently in the cron tasks, the 'Previous Time' only displays the
previous time of when the cron library executes the function, but not
any of the manual executions of the task.
- Store the last run's time in memory in the Task struct and use that,
when that time is later than time that the cron library has executed this
task.
- This ensures that if an instance admin manually starts a task, there's
feedback that this task is/has been run, because the task might be run
that quick, that the status icon already has been changed to an
checkmark,
- Tasks that are executed at startup now reflect this as well, as the
time of the execution of that task on startup is now being shown as
'Previous Time'.
- Added integration tests for the API part, which is easier to test
because querying the HTML table of cron tasks is non-trivial.
- Resolves https://codeberg.org/forgejo/forgejo/issues/949
- Backport #1087
2023-07-31 18:34:14 +00:00
Gusted
9b71369be9 [GITEA] Use join for the deleting issue actions query
- The action tables can become very large as it's a dumpster for every
action that an user does on an repository.
- The following query: `DELETE FROM action WHERE comment_id IN (SELECT id FROM comment WHERE
issue_id=?)` is not using indexes for `comment_id` and is instead using
an full table scan by MariaDB.
- Rewriting the query to use an JOIN will allow MariaDB to use the
index.
- More information: https://codeberg.org/Codeberg-Infrastructure/techstack-support/issues/9
- Backport https://codeberg.org/forgejo/forgejo/pulls/1154
2023-07-31 10:14:30 +00:00
Giteabot
5afb0294f4
Fix access check for org-level project (#26182) (#26223)
Backport #26182 by @Zettat123

Fix #25934

Add `ignoreGlobal` parameter to `reqUnitAccess` and only check global
disabled units when `ignoreGlobal` is true. So the org-level projects
and user-level projects won't be affected by global disabled
`repo.projects` unit.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 3a29712e0a)
2023-07-30 07:46:19 +02:00
Giteabot
7bb8526736
Fix handling of plenty Nuget package versions (#26075) (#26173)
Backport #26075 by @KN4CK3R

Fixes #25953

- Do not load full version information (v3)
- Add pagination support (v2)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 54614767a2)
2023-07-30 07:46:18 +02:00
Giteabot
df5200e814
Remove "misc" scope check from public API endpoints (#26134) (#26149)
Backport #26134 by @wxiaoguang

Fix #26035

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit a8445e9320)
2023-07-26 13:51:46 +02:00
Earl Warren
bbc3426c53
Revert "[GITEA] do not enforce misc scope tokens for public API endpoints"
This reverts commit 666f43fb64.
2023-07-26 13:51:06 +02:00
Giteabot
4be3270e87
Fix handling of Debian files with trailing slash (#26087) (#26098)
Backport #26087 by @KN4CK3R

Fixes #26022

- Fix handling of files with trailing slash
- Fix handling of duplicate package file errors
- Added test for both

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit a424f6d4f8)
2023-07-26 13:49:15 +02:00
Giteabot
2a4dcad472
Fix version in rpm repodata/primary.xml.gz (#26009) (#26048)
Co-authored-by: Peter Verraedt <peter.verraedt@gmail.com>
(cherry picked from commit 81f5a87eb4)
2023-07-24 07:59:10 +02:00
Giteabot
3d033a3aa7
Make pending commit status yellow again (#25935) (#25968)
Backport #25935 by @silverwind

With the introduction of Actions, the pending commit icon has changed
from yellow to grey for Drone integrations which never set the "running"
status, so it stays in "pending" until completion.

I find it better to have this icon colored like on 1.19. Now both the
"pending" and "running" icons look the same, but I guess we could add an
animation to the "running" state similar to GitHub has to it later.

Before:
<img width="339" alt="Screenshot 2023-07-17 at 19 14 19"
src="https://github.com/go-gitea/gitea/assets/115237/2f4886e4-74fd-42ea-b59e-9af8f141bf1f">

After:
<img width="335" alt="Screenshot 2023-07-17 at 19 14 30"
src="https://github.com/go-gitea/gitea/assets/115237/53189642-e72d-47f6-9cbe-f14eda28f730">

Also, it matches GH's icon:

<img width="466" alt="image"
src="https://github.com/go-gitea/gitea/assets/115237/5804ff90-d223-4a3c-8093-7a9abbaacf87">

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 864bdd0ac8)
2023-07-24 07:58:56 +02:00
Loïc Dachary
666f43fb64
[GITEA] do not enforce misc scope tokens for public API endpoints
(cherry picked from commit e353d1c4b7)
2023-07-23 22:35:11 +02:00
Earl Warren
1371196064
Merge remote-tracking branch 'forgejo/v1.20/forgejo-moderation' into v1.20/forgejo 2023-07-17 08:01:23 +02:00
Gusted
73776d6195
[MODERATION] add user blocking API
- Follow up for: #540, #802
- Add API routes for user blocking from user and organization
perspective.
- The new routes have integration testing.
- The new model functions have unit tests.
- Actually quite boring to write and to read this pull request.

(cherry picked from commit f3afaf15c7)
(cherry picked from commit 6d754db3e5)
(cherry picked from commit d0fc8bc9d3)
(cherry picked from commit 9a53b0d1a0)
(cherry picked from commit 44a2a4fd48)
(cherry picked from commit 182025db9c)
(cherry picked from commit 558a35963e)
2023-07-17 00:26:42 +02:00