Commit graph

16110 commits

Author SHA1 Message Date
Loïc Dachary
e291ea5e33
fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 51c280e877765efe721e607aa95bcbb5aef364e0)
2023-11-25 07:23:33 +01:00
Loïc Dachary
8726ce2635
test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 362f340ed9ee28627140ca06dd7487a8989ef62b)
2023-11-25 07:23:33 +01:00
Loïc Dachary
3ddfca10ac
fix API usage of a PR index in place of issue index and vice versa
(cherry picked from commit 7b95266de083c8de0ff224530a9b69e82c52c344)
2023-11-25 07:23:32 +01:00
Loïc Dachary
6b4cb070cc
enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues
(cherry picked from commit d3db2fa8bc85e9d67f30854bba0a4c1e8b57b015)
2023-11-25 07:23:32 +01:00
Loïc Dachary
c70eb32280
enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned
(cherry picked from commit 00fad97fc1b27db40a002c9ab3f709d04dc2cdd1)
2023-11-25 07:23:32 +01:00
Giteabot
c0ccd4c2d7
Fix no ActionTaskOutput table waring (#28149) (#28151)
Backport #28149 by @yp05327

Reproduce:
- Create a new Gitea instance
- Register a runner
- Create a repo and add a workflow
- Check the log, you will see warnings:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f1278e0-114b-48bc-8113-8ba1404d9975)
It comes from:

![image](https://github.com/go-gitea/gitea/assets/18380374/c2807831-e137-4229-9536-87f6114c8a5b)

The reason is that we forgot registering `ActionTaskOutput` model.
So `action_table_output` table will be missing in your db.

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 41b2d0be93)
2023-11-22 17:23:43 +01:00
Giteabot
f302373eb4
Restricted users only see repos in orgs which their team was assigned to (#28025) (#28050)
Backport #28025 by @6543

---
*Sponsored by Kithara Software GmbH*

Co-authored-by: 6543 <m.huber@kithara.com>
(cherry picked from commit 439e071acf)
2023-11-22 17:23:33 +01:00
Loïc Dachary
5d18f4b19f
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
(cherry picked from commit 7b0549cd70)
(cherry picked from commit 13e10a65d9)
(cherry picked from commit 65bdd73cf2)
(cherry picked from commit 64eba8bb92)
(cherry picked from commit 4c49b1a759)
(cherry picked from commit 93b4d06406)
(cherry picked from commit e2bc5f36d9)
(cherry picked from commit 2bee76f9df)
(cherry picked from commit 3d8a1b4a9f)
(cherry picked from commit 99dd092cd0)
(cherry picked from commit 0fdbd02204)
(cherry picked from commit 70b277a183)
(cherry picked from commit 3eece7fbb4)
(cherry picked from commit 4838fc9e11)
(cherry picked from commit b76ed541cf)
(cherry picked from commit dcdfb5b65c)
(cherry picked from commit 377dc48cdc)
(cherry picked from commit acc862f411)
(cherry picked from commit ac75ef101f)
(cherry picked from commit 08f2d9f7c5)
(cherry picked from commit e4096f0b64)
(cherry picked from commit bf5876f062)
(cherry picked from commit 7dc60637e5)
(cherry picked from commit ef3101774b)
(cherry picked from commit ecb9e8867c)
(cherry picked from commit 64f0ae72fe)
(cherry picked from commit 8dd6ec7862)
(cherry picked from commit b36723e52b)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb8)
(cherry picked from commit 1d87602819)
(cherry picked from commit 0f72002d66)
(cherry picked from commit da2556eb13)
(cherry picked from commit c01688cd90)
(cherry picked from commit af4bba8329)
(cherry picked from commit 33ca322c2e)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d44)
(cherry picked from commit 27c4797c9f)
2023-11-14 13:17:12 +01:00
Giteabot
d7408d8b0b
Dont leak private users via extensions (#28023) (#28028)
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`

(cherry picked from commit 69ea554e23)
2023-11-14 13:17:12 +01:00
Nanguan Lin
6dfe993913
Fix wrong xorm Delete usage(backport for 1.20) (#28003)
manually backport for https://github.com/go-gitea/gitea/pull/27995
The conflict is `ctx` and `db.Defaultctx`.

(cherry picked from commit c077a084d7)
2023-11-14 13:17:12 +01:00
Giteabot
1bbc1adcdc
Render email addresses as such if followed by punctuation (#27987) (#27991)
Backport #27987 by @yardenshoham

Added the following characters to the regular expression for the email:

- ,
- ;
- ?
- !

Also added a test case.

- Fixes #27616

# Before

![image](https://github.com/go-gitea/gitea/assets/20454870/c57eac26-f281-43ef-a51d-9c9a81b63efa)

# After

![image](https://github.com/go-gitea/gitea/assets/20454870/fc7d5c08-4350-4af0-a7f0-d1444d2d75af)

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Yarden Shoham <git@yardenshoham.com>
(cherry picked from commit dfd960f22a)
2023-11-14 13:17:12 +01:00
Nanguan Lin
d610ea3fbb
Remove duplicated button in Install web page (#27941)
Fix #27934
Regression #25648

(cherry picked from commit 2978b435bb)
2023-11-14 13:17:12 +01:00
KN4CK3R
44df78edd4
Unify two factor check (#27915) (#27939)
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

(cherry picked from commit 00705da102)
2023-11-14 13:17:12 +01:00
Giteabot
1fd3cc3217
Fix DownloadFunc when migrating releases (#27887) (#27889)
Backport #27887 by @Zettat123

We should not use `asset.ID` in DownloadFunc because DownloadFunc is a
closure.

1bf5527eac/services/migrations/gitea_downloader.go (L284-L295)

A similar bug when migrating from GitHub has been fixed in #14703. This
PR fixes the bug when migrating from Gitea and GitLab.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 4a48370d91)
2023-11-14 13:17:12 +01:00
Lunny Xiao
f2c3491b61
Fix http protocol auth (#27875) (#27878)
backport #27875

(cherry picked from commit 1dedf9bba0)
2023-11-14 13:17:12 +01:00
Giteabot
713652e3d8
Fix package webhook (#27839) (#27854)
Backport #27839 by @lunny

Fix #23742

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 2147bfde05)
2023-11-14 13:17:12 +01:00
Lunny Xiao
b4fb797b32
Revert "fix orphan check for deleted branch (#27310) (#27320)" (#27763)
Because branch table is created until 1.21
Fix #27508

(cherry picked from commit a1c232cae3)
2023-11-14 13:17:12 +01:00
Giteabot
2a5d5da930
Fix label render containing invalid HTML (#27752) (#27761)
Backport #27752 by @earl-warren

- The label HTML contained a quote that wasn't being closed.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1651

(cherry picked from commit e2bc2c9a1f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 63512cd15d)
2023-11-14 13:17:12 +01:00
Giteabot
64373004b5
Fix org team endpoint (#27721) (#27729)
Backport #27721 by @lng2020

Fix #27711

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 71803d33e3)
2023-11-14 13:17:11 +01:00
Giteabot
2a321fcfda
Adapt .changelog.yml to new labeling system (#27701) (#27708)
Backport #27701 by @delvh

Otherwise, it is not possible anymore to generate changelogs.

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit a954cc3fb9)
2023-11-14 13:17:11 +01:00
Giteabot
d6798ae015
Support allowed hosts for webhook to work with proxy (#27655) (#27674)
Backport #27655 by @wolfogre

When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.

But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.

This PR fixes it by:

- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit ca4418eff1)
2023-11-14 13:17:11 +01:00
Giteabot
cf1174acbf
Fix poster is not loaded in get default merge message (#27657) (#27665)
Backport #27657 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 80c0c88152)
2023-11-14 13:17:11 +01:00
Giteabot
62c33f92a9
Fix 404 when deleting Docker package with an internal version (#27615) (#27629)
Backport #27615 by @lng2020

close #27601
The Docker registry has an internal version, which leads to 404

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 171950a0d4)
2023-11-14 13:17:11 +01:00
Giteabot
f142ae18c0
Fix attachment download bug (#27486) (#27570)
Backport #27486 by @lunny

Fix #27204

This PR allows `/<username>/<reponame>/attachments/<uuid>` access with
personal access token and also changed attachments API download url to
it so it can be download correctly.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 7b96f71bc7)
2023-11-14 13:17:11 +01:00
yp05327
2e50870688
Avoid run change title process when the title is same (#27467) (#27557)
Backport #27467 manually.

(cherry picked from commit e6d1afaee3)
2023-11-14 13:17:11 +01:00
silverwind
2716e2f626
Fix mermaid flowchart margin issue (#27503) (#27517)
Backport https://github.com/go-gitea/gitea/pull/27503 to 1.20

Fixes: https://github.com/go-gitea/gitea/issues/27435
Related: https://github.com/mermaid-js/mermaid/issues/4907

<img width="924" alt="image"

src="https://github.com/go-gitea/gitea/assets/115237/494a1d2e-4c56-48d0-9843-82a5e5aa977e">

(cherry picked from commit 1d4c193df5)
2023-11-14 13:17:11 +01:00
Giteabot
e0fe8a8ab4
Fix panic in storageHandler (#27446) (#27478)
Backport #27446 by @sryze

storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServerHTTP()`).

Example CURL command to trigger the panic:

```
curl -I "http://yourhost/gitea//avatars/a"
```

Fixes #27409

---

Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.

Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)

Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
(cherry picked from commit 4ffa683820)
2023-11-14 13:17:11 +01:00
Giteabot
c50af699ea
When comparing with an non-exist repository, return 404 but 500 (#27437) (#27441)
Backport #27437 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 973b7f6298)
2023-11-14 13:17:11 +01:00
Lunny Xiao
915c60f8c1
Add 1.20.5 changelog (#27404)
(cherry picked from commit 4126aad4aa)
2023-11-14 13:17:11 +01:00
Earl Warren
a1e6944bd7
Revert "[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP"
This reverts commit 9413fd0274.
2023-11-14 13:17:11 +01:00
Earl Warren
d7e67cf616
[SEMVER] 5.0.6+0-gitea-1.20.5 2023-11-14 13:17:11 +01:00
Earl Warren
ee48c0d5ea
[CI] Forgejo Actions based CI for PR & branches (squash) use node:20-bookworm
No longer use the custom test-env image, it is unecessary technical
debt.

Also upgrade to bitnami/minio:2023.8.31 to align with what Gitea tests

(cherry picked from commit d9b77fd273)

Conflicts:
	.forgejo/workflows/testing.yml
	* mysql was mysql-8 in v1.21 and below
	* No MINIO testing
	* go 1.20 instead of go 1.21
2023-10-20 17:30:34 +02:00
Loïc Dachary
e58e7bf088
[GITEA] rework long-term authentication (squash) add migration
Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
2023-10-05 12:35:59 +02:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Earl Warren
3759c1a7c1
[SEMVER] 5.0.5+0-gitea-1.20.5 2023-10-03 14:49:26 +02:00
Lunny Xiao
4b23f11864
Fix bug of review request number (#27406)
Manually backport #27104 without tests because too many conflicted files
to backport it completely.

(cherry picked from commit 5c96a2be87)
2023-10-03 14:48:40 +02:00
Giteabot
4c21b82e18
Fix git 2.11 error when checking IsEmpty (#27393) (#27396)
Backport #27393 by @wxiaoguang

Fix #27389

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit acedf0f702)
2023-10-03 14:48:40 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Giteabot
5e2d16de0e
Add logs for data broken of comment review (#27326) (#27344)
Backport #27326 by @lunny

Fix #27306

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit b6b71c78c4)
2023-10-03 14:48:40 +02:00
Giteabot
101cfc1f82
fix orphan check for deleted branch (#27310) (#27320)
Backport #27310 by @earl-warren

- Modify the deleted branch orphan check to check for the new table
instead.
- Regression from 6e19484f4d
- Resolves https://codeberg.org/forgejo/forgejo/issues/1522

(cherry picked from commit c1d888686f)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 2138661dae)
2023-10-03 14:48:40 +02:00
Giteabot
fa5c61cab7
Fix PushEvent NullPointerException jenkinsci/github-plugin (#27203) (#27249)
Backport #27203 by @Nabapadma-sarker

Fixes #27202

Co-authored-by: Nabapadma-sarker <nabapadmacse1991@gmail.com>
(cherry picked from commit 4b37eb2c23)
2023-10-03 14:48:40 +02:00
Giteabot
ab9b1b850b
Fix z-index on markdown completion (#27237) (#27238)
Backport #27237 by @silverwind

Fixes: https://github.com/go-gitea/gitea/issues/27230

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit dd44c2164e)
2023-10-03 14:48:18 +02:00
Giteabot
c590235171
Update database-preparation and add note re: MariaDB (#27232) (#27235)
Backport #27232 by @techknowlogick

update DB docs per feedback.
https://gitea.com/gitea/gitea-docusaurus/issues/69

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
(cherry picked from commit 2604571993)
2023-10-03 14:48:18 +02:00
KN4CK3R
13423d6eda
Quote table release in sql queries (#27205) (#27219)
Backport of #27205

Fixes #27174

`release` is a reserved keyword in MySql. I can't reproduce the issue on
my setup and we have a test for that code but it seems there can be
setups where it fails.

(cherry picked from commit eae6985b63)
2023-10-03 14:48:18 +02:00
Giteabot
1b1f878204
Fix release URL in webhooks (#27182) (#27184)
Backport #27182 by @jolheiser

Resolves #27180

`URL` points to the API URL, `HTMLURL` points to the web page.

Notably, however, for PRs they are the same URL. I switched them to use
HTMLURL to match the rest of the codebase terminology.

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
(cherry picked from commit d8583edfe7)
2023-10-03 14:48:18 +02:00
Giteabot
f8bf284794
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27162)
Backport #27150 by @memphis88

Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.

This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).

Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
(cherry picked from commit fbe1f35112)
2023-10-03 14:48:08 +02:00
Giteabot
dc6020645b
Fix successful return value for SyncAndGetUserSpecificDiff (#27152) (#27156)
Backport #27152 by @delvh

A function should not return an error when it is successful.
Otherwise, things like
https://discord.com/channels/322538954119184384/322538954119184384/1153705341620600833
happen…

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 25233a9bdc)
2023-10-03 14:48:08 +02:00
Earl Warren
99a93025d2
[SEMVER] 5.0.4+0-gitea-1.20.4 2023-09-20 12:51:52 +02:00
Giteabot
0d86ea0c43
Improve actions docs related to pull_request event (#27126) (#27145)
Backport #27126 by @Zettat123

Related to #27039

The `ref` property in Gitea Actions is different from GitHub Actions.
This PR improves the documentation to explain the difference.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 7a99c7b83c)
2023-09-20 12:50:46 +02:00
Giteabot
c041114a20
fix pagination for followers and following (#27127) (#27138)
Backport #27127 by @earl-warren

- Use the correct total amount for pagination. Thereby correctly show
the pagination bare when there's more than one page of
followers/followings.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1477

(cherry picked from commit c1a136318b)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 1d6e5c8e58)
2023-09-20 12:50:46 +02:00