Commit Graph

16859 Commits

Author SHA1 Message Date
6543
4435d8a4b6
Fix XSS vulnerabilities (#29336)
- The Wiki page did not sanitize author name
- the reviewer name on a "dismiss review" comment is also affected
- the migration page has some spots

---------

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 23:37:21 +01:00
Giteabot
6ca8cb590d
Don't show third-party JS errors in production builds (#29303) (#29333)
Backport #29303 by @silverwind

So we don't get issues like
https://github.com/go-gitea/gitea/issues/29080 and
https://github.com/go-gitea/gitea/issues/29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

Co-authored-by: silverwind <me@silverwind.io>
2024-02-22 22:49:07 +01:00
6543
65e2811859
Remove SSH workaround (#27893) (#29332)
Backport #27893

- Update github.com/gliderlabs/ssh to include
02f9d57300.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1230

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
2024-02-22 21:45:31 +01:00
Giteabot
b78f5fc60f
Only log error when tag sync fails (#29295) (#29327)
Backport #29295 by @lunny

Fix #28843

This PR will bypass the pushUpdateTag to database failure when
syncAllTags. An error log will be recorded.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-22 20:52:54 +01:00
wxiaoguang
511298e452
Use general token signing secret (#29205) (#29325)
Backport #29205 (including #29172)

Use a clearly defined "signing secret" for token signing.
2024-02-22 17:07:41 +00:00
Lunny Xiao
7ea2ffaf16
Fix SSPI user creation (#28948) (#29323)
Fixes #28945
Backport #28948

Setting the avatar is wrong and creating a random password is equal to
leaving it empty.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-22 17:42:14 +01:00
Giteabot
fdb0d03083
Improve the issue_comment workflow trigger event (#29277) (#29322)
Backport #29277 by @Zettat123

Fix #29175
Replace #29207

This PR makes some improvements to the `issue_comment` workflow trigger
event.

1. Fix the bug that pull requests cannot trigger `issue_comment`
workflows
2. Previously the `issue_comment` event only supported the `created`
activity type. This PR adds support for the missing `edited` and
`deleted` activity types.
3. Some events (including `issue_comment`, `issues`, etc. ) only trigger
workflows that belong to the workflow file on the default branch. This
PR introduces the `IsDefaultBranchWorkflow` function to check for these
events.

Co-authored-by: Zettat123 <zettat123@gmail.com>
2024-02-22 17:19:48 +01:00
Giteabot
ed5e0c8c27
Discard unread data of git cat-file (#29297) (#29310)
Backport #29297 by @KN4CK3R

Fixes #29101
Related #29298

Discard all read data to prevent misinterpreting existing data. Some
discard calls were missing in error cases.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: yp05327 <576951401@qq.com>
2024-02-22 04:23:38 +00:00
yp05327
0870e0bc9b
Implement some action notifier functions (#29173) (#29308)
Backport #29173

Fix #29166

Add support for the following activity types of `pull_request`
- assigned
- unassigned
- review_requested
- review_request_removed
- milestoned
- demilestoned
2024-02-22 03:55:03 +00:00
KN4CK3R
c0b97d0485
Prevent double use of git cat-file session. (#29298) (#29301)
Backport #29298
Fixes the reason why #29101 is hard to replicate.
Related #29297

Create a repo with a file with minimum size 4097 bytes (I use 10000) and
execute the following code:
```go
gitRepo, err := gitrepo.OpenRepository(db.DefaultContext, <repo>)
assert.NoError(t, err)

commit, err := gitRepo.GetCommit(<sha>)
assert.NoError(t, err)

entry, err := commit.GetTreeEntryByPath(<file>)
assert.NoError(t, err)

b := entry.Blob()

// Create a reader
r, err := b.DataAsync()
assert.NoError(t, err)
defer r.Close()

// Create a second reader
r2, err := b.DataAsync()
assert.NoError(t, err) // Should be no error but is ErrNotExist
defer r2.Close()
```

The problem is the check in `CatFileBatch`:


79217ea63c/modules/git/repo_base_nogogit.go (L81-L87)
`Buffered() > 0` is used to check if there is an "operation" in progress
at the moment. This is a problem because we can't control the internal
buffer in the `bufio.Reader`. The code above demonstrates a sequence
which initiates an operation for which the code thinks there is no
active processing. The second call to `DataAsync()` therefore reuses the
existing instances instead of creating a new batch reader.
2024-02-22 03:20:20 +00:00
yp05327
f80ea95eb5
Fix gitea-action user avatar broken on edited menu (#29190) (#29307)
Backport #29190

Fix #29178
2024-02-22 02:53:38 +00:00
Zettat123
dcb9c38568
Fix error display when merging PRs (#29288) (#29309)
Backport #29288
Partially fix #29071, regression of Modernize merge button #28140 

Fix some missing `Redirect` -> `JSONRedirect`.

Thanks @yp05327 for the help in
https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075
2024-02-22 03:32:54 +01:00
wxiaoguang
c4a86b20a4
Fix missing link on outgoing new release notifications (#29079) (#29300)
Backport #29079

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-21 19:01:48 +00:00
wxiaoguang
f634982d23
Fix debian InRelease Acquire-By-Hash newline (#29204) (#29299)
Backport #29204

Co-authored-by: Robin Schoonover <robin@cornhooves.org>
2024-02-21 19:40:16 +01:00
wxiaoguang
9379352db6
Always write proc-receive hook for all git versions (#29287) (#29291)
Backport #29287
2024-02-21 12:08:34 +01:00
Zettat123
e940443b27
Do not show delete button when time tracker is disabled (#29257) (#29279)
Backport #29257 
Fix #29233

The delete button of time logs won't be shown when the time tracker is
disabled.
 

![image](https://github.com/go-gitea/gitea/assets/15528715/5cc4e0c9-d2f9-4b8f-a2f5-fe202b94c191)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-20 09:11:01 +00:00
Lunny Xiao
2762921e73
Fix missed edit issues event for actions (#29237) (#29251)
Fix #29213
Backport #29237
2024-02-20 11:13:05 +08:00
Markus Amshove
78f41e4fc4
Disallow merge when required checked are missing (#29143) (#29268)
backport #29143

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-19 20:48:17 +00:00
6543
c01b266d86
Workaround to clean up old reviews on creating a new one (#28554) (#29264)
close  #28542
backport #28554

---
*Sponsored by Kithara Software GmbH*
2024-02-19 16:48:58 +00:00
Lunny Xiao
e2eac7574f
Fix bug when the linked account was disactived and list the linked accounts (#29263)
The bug has been fixed on v1.22 but not backported to v1.21.
The original PR has many refactors so I don't think it's necessary to
backport all of them.

Fix #28667
2024-02-19 15:23:47 +00:00
Km
5b8b22bd75
Explained where create issue/PR template (#29035)
For some users (like me), the documentation lacks precision about where to
store issue/PR templates.

I propose an enhancement about this point, with bold emphasis and
precision about the server itself.

I've found some users with the same question, such as:
https://forum.gitea.com/t/issue-template-directory/3328

---------

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-02-19 15:57:25 +01:00
Jason Song
f79530c50e
Do not use lower tag names to find releases/tags (#29261) (#29262)
Backport #29261.

Fix #26090, see
https://github.com/go-gitea/gitea/issues/26090#issuecomment-1952013206

Since `TagName` stores the original tag name and `LowerTagName` stores
the lower tag name, it doesn't make sense to use lowercase tags as
`TagNames` in `FindReleasesOptions`.

5e72526da4/services/repository/push.go (L396-L397)

While the only other usage looks correct:

5e72526da4/routers/web/repo/repo.go (L416)
2024-02-19 10:09:36 +00:00
Tim-Nicas Oelschläger
39735c43a8
Convert visibility to number (#29226) (#29244)
Backport #29226

Don't throw error while creating user (Fixes #29218)

---

The backport info from Giteabot
https://github.com/go-gitea/gitea/pull/29226#issuecomment-1951341322
needs to specify the version, because the default is v1.18
2024-02-18 18:51:00 +00:00
Jimmy Praet
3604b7d8ad
Load outdated comments when (un)resolving conversation on PR timeline (#29203) (#29221)
Backport #29203

Relates to #28654, #29039 and #29050.

The "show outdated comments" flag should only apply to the file diff
view.
On the PR timeline, outdated comments are always shown. So they should
also be loaded when (un)resolving a conversation on the timeline page.
2024-02-18 06:58:26 +00:00
wxiaoguang
d41d367c35
Make submit event code work with both jQuery event and native event (#29223) (#29234)
Backport #29223 (no conflict)
2024-02-18 06:36:41 +00:00
Zettat123
7e0299b4fd
Only delete scheduled workflows when needed (#29091) (#29235)
Backport #29091 

Fix #29040

`handleSchedules` should be called only if `DetectWorkflows` should
detect schedule workflows
2024-02-18 14:31:05 +08:00
Lunny Xiao
933cc4da64
Fix push to create with capitalize repo name (#29090) (#29206)
Fix #29073
Backport #29090

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-17 12:06:55 +00:00
Lunny Xiao
fea6bd130e
rm outdated docs from some languages (#27530) (#29208)
backport #27530 to make pull request lint happy
https://github.com/go-gitea/gitea/actions/runs/7939560756/job/21679856929?pr=29206
since #29106

---------

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
2024-02-17 12:44:33 +01:00
wxiaoguang
906a722fca
Refactor git version functions and check compatibility (#29155) (#29157)
Backport #29155 with an extra change: tolerate the git 2.43.1 GIT_FLUSH
bug in Gitea 1.21.x, more details in the comment of repo_attribute.go

Manually tested with git 2.43.1 and an old git (2.39.2)
2024-02-17 02:47:18 +00:00
silverwind
8cd83ff391
Rework spellchecking, add lint-spell (#29112)
Backport clean cherry-picks of
9c39f8515f
and
c7a21cbb0c
onto 1.21.

- Use maintained fork https://github.com/golangci/misspell
- Rename `mispell-check` to `lint-spell`, add `lint-spell-fix`
- Run `lint-spell` in separate actions step
- Lint more files, fix discovered issues
- Remove inaccurate and outdated info in docs (we do not need GOPATH for
tools anymore)

Maybe later we can add more spellchecking tools, but I have not found
any good ones yet.
2024-02-16 02:42:26 +00:00
KN4CK3R
d823465d94
Use ghost user if user was not found (#29161) (#29169)
Backport #29161
2024-02-14 12:51:51 -05:00
wxiaoguang
dd8bc1d61d
Refactor issue template parsing and fix API endpoint (#29069) (#29140)
Backport #29069

The old code `GetTemplatesFromDefaultBranch(...) ([]*api.IssueTemplate,
map[string]error)` doesn't really follow Golang's habits, then the
second returned value might be misused. For example, the API function
`GetIssueTemplates` incorrectly checked the second returned value and
always responds 500 error.

This PR refactors GetTemplatesFromDefaultBranch to
ParseTemplatesFromDefaultBranch and clarifies its behavior, and fixes
the API endpoint bug, and adds some tests.

And by the way, add proper prefix `X-` for the header generated in
`checkDeprecatedAuthMethods`, because non-standard HTTP headers should
have `X-` prefix, and it is also consistent with the new code in
`GetIssueTemplates`
2024-02-14 01:32:31 +00:00
6543
0ac3186267
Dont load Review if Comment is CommentTypeReviewRequest (#28551) (#29160)
Backport #28551

RequestReview gets deleted on review.
So we don't have to try to load them on comments.
2024-02-13 23:29:33 +01:00
wxiaoguang
732d511e04
Refactor parseSignatureFromCommitLine (#29054) (#29108)
Backport #29054. Fix #28840

This backport is for 1.21 only and it is different from the change in
1.22: this backport still accepts the legacy date format to avoid
breaking.
2024-02-09 10:26:43 +01:00
CEnnis91
1aaeec6da7
Fix swift packages not resolving (#29095) (#29102)
2024-02-08 18:26:54 +00:00
CEnnis91
315155fab0
Fix incorrect link to swift doc and swift package-registry login command (#29096) (#29103)
2024-02-08 18:05:10 +00:00
Giteabot
9a4d283e9a
Avoid showing unnecessary JS errors when there are elements with different origin on the page (#29081) (#29089)
Backport #29081 by wxiaoguang

Try to fix #29080

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-08 02:48:06 +00:00
Giteabot
fb7f28e9a7
Fix gitea-origin-url with default ports (#29085) (#29088)
Backport #29085 by @silverwind

When setting `url.host` on a URL object with no port specified (like is
the case of default port), the resulting URL's port will not change.
Work around this quirk in the URL standard by explicitly setting port
for the http and https protocols.

Extracted the logic to a function for the purpose of testing. Initially
I wanted to have the function in utils.js, but it turns out esbuild can
not treeshake the unused functions which would result in the
webcomponents chunk having all 2kB utils.js inlined, so it seemed not
worth.

Fixes: https://github.com/go-gitea/gitea/issues/29084

Co-authored-by: silverwind <me@silverwind.io>
2024-02-08 02:41:49 +00:00
Giteabot
c9b2aaed0e
Improve user experience for outdated comments (#29050) (#29086)
Backport #29050 by wxiaoguang

Try to improve #28949

1. Make `ctx.Data["ShowOutdatedComments"] = true` by default: it brings
consistent user experience, and sometimes the "outdated (source
changed)" comments are still valuable.
2. Show a friendly message if the comment won't show, then the end users
won't feel that "the comment disappears" (it is the special case when
`ShowOutdatedComments = false`)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-08 10:29:54 +08:00
wxiaoguang
19a08c7fe2
Fix orgmode link resolving (#29024) (#29076)
Backport #29024
Also backport #27968 (remove unnecessary titles)

Fix #28974

Add some new tests and fix some legacy unclear tests.
2024-02-07 17:24:28 +00:00
Giteabot
f0d34cd3b9
fix: Elasticsearch: Request Entity Too Large #28117 (#29062) (#29075)
Backport #29062 by @inferno-umar

Fix for gitea putting everything into one request without batching and
sending it to Elasticsearch for indexing as issued in #28117

This issue occurred in large repositories while Gitea tries to
index the code using ElasticSearch.

Co-authored-by: dark-angel <70754989+inferno-umar@users.noreply.github.com>
2024-02-07 17:21:28 +08:00
Giteabot
7ed79b748f
Hide code links on release page if user cannot read code (#29064) (#29066)
Backport #29064 by @wolfogre

On the release list page, if the user doesn't have the permission to
read code, the code links will lead to 404 pages or api errors:

<img width="1297" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/a74fbc63-6dd6-43c6-853c-28acdbfdcb4e">


After this PR:

<img width="1297" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/a626373d-c2df-40a9-8fed-1b12ff6bc56f">

And this PR also removed some dead code. After #23465, the tag list page
has an independent template, and all `IsTag` in the release list
template are always false.

Co-authored-by: Jason Song <i@wolfogre.com>
2024-02-06 21:36:56 +08:00
Wang
b9b2ae214d
Fix typos in the documentation (#29048) (#29056)
Backport #29048

Corrected two typos.
2024-02-05 21:15:49 +08:00
Giteabot
aadbbf4358
Do not render empty comments (#29039) (#29049)
Backport #29039 by wxiaoguang

Follow #28654

The `comments` might be empty, so the templates shouldn't (and couldn't)
use it to render. When there is no comment, the UI should also be
updated to empty, so returning an empty body is good enough.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-04 13:25:58 +00:00
Km
8e957e5f1d
labels and licenses are directories (#29037)
Be more explicit about custom path relative to licences and labels
content
2024-02-03 18:11:41 -05:00
Giteabot
8def405047
Avoid sending update/delete release notice when it is draft (#29008) (#29025)
Backport #29008 by @yp05327

Fix #27157

Co-authored-by: yp05327 <576951401@qq.com>
2024-02-02 09:37:37 +00:00
Giteabot
5ac41026f9
Wrap contained tags and branches again (#29021) (#29026)
Backport #29021 by @delvh

Fixes #29016

## After


![grafik](https://github.com/go-gitea/gitea/assets/51889757/2c72ee8f-439e-4328-85df-77772e0f4aef)

Co-authored-by: delvh <dev.lh@web.de>
2024-02-02 16:05:47 +08:00
Giteabot
333d02ddfd
Fix incorrect button CSS usages (#29015) (#29023)
Backport #29015 by @wxiaoguang

Fix 2 problems:

1. Remove the legacy (non-existing) CSS: `class="btn btn-gray
btn-radius"`
2. Remove the button styles inside the `ui message`, according to:
https://fomantic-ui.com/collections/message.html , the button shouldn't
have any border/padding.

### Before


![image](https://github.com/go-gitea/gitea/assets/2114189/4c7e98e2-4e8a-493f-9b7e-446a365066a1)



![image](https://github.com/go-gitea/gitea/assets/2114189/05221251-7a79-4c96-8973-fb4588275672)

### After



![image](https://github.com/go-gitea/gitea/assets/2114189/8bc3edbc-42a6-40bd-85fd-de40e94841d4)


![image](https://github.com/go-gitea/gitea/assets/2114189/93f69143-d835-437c-b5eb-0f6dddde97a1)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-02 01:10:23 +01:00
Giteabot
5d1abdce3e
Strip trailing newline in markdown code copy (#29019) (#29022)
Behaviour now matches GH. Safeguard added in the for loop because
`textContent` may be null in which case it does not make sense to render
the copy button.

Co-authored-by: silverwind <me@silverwind.io>
2024-02-01 21:06:21 +00:00
Lunny Xiao
2588d73ebf
Add changelog for 1.21.5 (#28992)
As title.
2024-02-01 11:02:41 +00:00