Commit Graph

13665 Commits

Author SHA1 Message Date
Gusted
03f06d5ac1
Use padded keyid (#22288)
- Followup for #22231 to follow the frontport.
2023-01-02 22:52:05 +01:00
Lunny Xiao
8cd6be1723
Remove ReverseProxy authentication from the API (#22219) (#22252)
backport #22219

Since we changed the /api/v1/ routes to disallow session authentication
we also removed their reliance on CSRF. However, we left the
ReverseProxy authentication here - but this means that POSTs to the API
are no longer protected by CSRF.

Now, ReverseProxy authentication is a kind of session authentication,
and is therefore inconsistent with the removal of session from the API.

This PR proposes that we simply remove the ReverseProxy authentication
from the API and therefore users of the API must explicitly use tokens
or basic authentication.

Replace #22077
Close #22221 
Close #22077 

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
2022-12-30 02:08:16 +02:00
Gusted
f882747209
Fix key signature error page (#22229) (#22231)
- Backport of #22229
- When the GPG key contains an error, such as an invalid signature or an
email address that does not match the user.A page will be shown that
says you must provide a signature for the token.
- This page had two errors: one had the wrong translation key and the
other tried to use an undefined variable
[`.PaddedKeyID`](e81ccc406b/models/asymkey/gpg_key.go (L65-L72)),
which is a function implemented on the `GPGKey` struct, given that we
don't have that, we use
[`KeyID`](e81ccc406b/routers/web/user/setting/keys.go (L102))
which is [the fingerprint of the
publickey](https://pkg.go.dev/golang.org/x/crypto/openpgp/packet#PublicKey.KeyIdString)
and is a valid way for opengpg to refer to a key.

<!--

Please check the following:

1. Make sure you are targeting the `main` branch, pull requests on
release branches are only allowed for bug fixes.
2. Read contributing guidelines:
https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
3. Describe what your pull request does and which issue you're targeting
(if any)

-->
2022-12-28 22:16:18 +02:00
Jason Song
92796dcc8b
Use complete SHA to create and query commit status (#22244) (#22258)
Backport #22244.

Fix #13485.

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-12-28 11:03:01 +01:00
KN4CK3R
48450939c7
Allow empty assignees on pull request edit (#22150) (#22213)
Backport of #22150

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-12-22 13:40:54 +01:00
Lauris BH
7dcf9dd4d8
Fix container layer display overflow (#22208) (#22212)
Backport #22208
2022-12-22 19:27:30 +08:00
Lunny Xiao
73189f0a19
Update changelog for 1.17.4 (#22198)
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: John Olheiser <john+github@jolheiser.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
2022-12-21 23:36:07 +02:00
John Olheiser
92f72d678c
fix: update libcurl in docs pipeline (#22205)
Backport https://github.com/go-gitea/gitea/pull/22203

Signed-off-by: jolheiser <john.olheiser@gmail.com>
2022-12-21 14:09:55 -06:00
KN4CK3R
7e26f2b626
Normalize NuGet package version on upload (#22186) (#22201)
Backport of #22186

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-12-21 12:01:11 -05:00
Lunny Xiao
3d34cdabb9
Disable auto tag to prepare next 1.17 release (#22180)
Disable auto tag so that 1.17 release will not tag `:1`.
2022-12-20 12:14:07 -06:00
Gusted
f51a19c537
Check for zero time instant in TimeStamp.IsZero() (#22171) (#22173)
- Backport of #22171
- Currently, the 'IsZero' function for 'TimeStamp' just checks if the
unix time is zero, which is not the behavior of 'Time.IsZero()', but
Gitea is using this method in accordance with the behavior of
'Time.IsZero()'.
  - Adds a new condition to check for the zero time instant.
- Fixes a bug where non-expiring GPG keys where shown as they expired on
Jan 01, 0001.
  - Related https://codeberg.org/Codeberg/Community/issues/791
2022-12-20 10:07:41 +08:00
Christian Ullrich
068e96fbd2
Do not list active repositories as unadopted (#22034) (#22167)
Backport #22034

This fixes a bug where, when searching unadopted repositories, active
repositories will be listed as well. This is because the size of the
array of repository names to check is larger by one than the
`IterateBufferSize`.

For an `IterateBufferSize` of 50, the original code will pass 51
repository names but set the query to `LIMIT 50`. If all repositories in
the query are active (i.e. not unadopted) one of them will be omitted
from the result. Due to the `ORDER BY` clause it will be the oldest (or
least recently modified) one.

Co-authored-by: Christian Ullrich <christian.ullrich@traditionsa.lu>
2022-12-19 12:48:57 +00:00
zeripath
721e422fa7
Correctly handle moved files in apply patch (#22118) (#22136)
Backport #22118

Moved files in a patch will result in git apply returning:

```
error: {filename}: No such file or directory
```

This wasn't handled by the git apply patch code. This PR adds handling
for this.

Fix #22083

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2022-12-15 10:28:05 -05:00
KN4CK3R
6f323d13dd
Fix condition for is_internal (#22095) (#22131)
Backport of #22095

I changed it to a static condition because it needs a new version of
xorm which is only available in 1.19. This change is valid because
`SearchLatestVersions` is never called to list internal versions and
there will no change to this behaviour in <1.19.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-12-14 12:49:44 -05:00
Lunny Xiao
0e95e7460e
Fix warn in database structs sync (#22111)
Fix #21880
2022-12-13 22:03:14 +08:00
aceArt-GmbH
c057590a3a
Fix sorting admin user list by last login (#22081) (#22106)
Backport of  #22081

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2022-12-13 09:18:20 +08:00
Lunny Xiao
a8534ac4a4
Fix permission check on issue/pull lock (#22114)
Fix #22110
2022-12-12 20:59:28 +01:00
KN4CK3R
e23ad87b55
Workaround for container registry push/pull errors (#21862) (#22069)
Backport of #21862
2022-12-10 08:22:41 -06:00
Jason Song
e93a4a0174
Fix issue/PR numbers (#22037) (#22045)
Backport #22037.

When deleting a closed issue, we should update both `NumIssues`and
`NumClosedIssues`, or `NumOpenIssues`(`= NumIssues -NumClosedIssues`)
will be wrong. It's the same for pull requests.

Releated to #21557.

Alse fixed two harmless problems:

- The SQL to check issue/PR total numbers is wrong, that means it will
update the numbers even if they are correct.
- Replace legacy `num_issues = num_issues + 1` operations with
`UpdateRepoIssueNumbers`.
2022-12-06 22:15:38 +08:00
zeripath
601766d1fa
Handle empty author names (#21902) (#22028)
Backport #21902

Although git does expect that author names should be of the form: `NAME
<EMAIL>` some users have been able to create commits with: `<EMAIL>`

Fix #21900

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
2022-12-06 11:49:28 +08:00
6543
ee6d5124bd
On Tag/Branch Exist Check, dont panic if repo is nil (#21787) (#21789)
Backport #21787

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
2022-12-05 18:20:37 +08:00
Lunny Xiao
8188cdfcd2
Fix ListBranches to handle empty case (#21921) (#22025)
Fix #21910
Backport #21921

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2022-12-04 23:57:33 +02:00
Xinyu Zhou
82d50af721
Fix button in branch list, avoid unexpected page jump before restore branch actually done (#21562) (#21927)
Backport #21562

Signed-off-by: Xinyu Zhou <i@sourcehut.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
2022-11-25 00:02:42 +08:00
Xinyu Zhou
6117c8b15a
Fix vertical align of committer avatar rendered by email address (#21884) (#21919)
Backport #21884

Committer avatar rendered by `func AvatarByEmail` are not vertical align
as `func Avatar` does.

- Replace literals `ui avatar` and `ui avatar vm` with the constant
`DefaultAvatarClass`

Signed-off-by: Xinyu Zhou <i@sourcehut.net>
2022-11-23 22:00:43 -06:00
KN4CK3R
ba16df8da3
Fix setting HTTP headers after write (#21833) (#21874)
Backport #21833
2022-11-20 20:14:27 +00:00
KN4CK3R
87630a6583
Do not allow Ghost access to limited visible user/org (#21849) (#21875)
Backport of #21849

Co-authored-by: Lauris BH <lauris@nix.lv>
2022-11-20 14:35:26 +02:00
Gusted
56716f5834
Prevent dangling user redirects (#21856) (#21859)
- Backport #21856
- It's possible that the `user_redirect` table contains a user id that
no longer exists.
  - Delete a user redirect upon deleting the user.
- Add a check for these dangling user redirects to check-db-consistency.
2022-11-18 22:24:49 +08:00
zeripath
65b5c8e532
Fix enabling partial clones on 1.17 (#21809)
When backporting #20902 in #21058 there was a slight misbackport. It was
missed that we needed to remove the global command option before setting
the settings.

Fix #21805

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-11-14 15:58:11 +08:00
zeripath
9dc53ba65f
Prevent panic in doctor command when running default checks (#21791) (#21808)
Backport #21791

There was a bug introduced in #21352 due to a change of behaviour caused
by #19280. This causes a panic on running the default doctor checks
because the panic introduced by #19280 assumes that the only way
opts.StdOut and opts.Stderr can be set in RunOpts is deliberately.
Unfortunately, when running a git.Command the provided RunOpts can be
set, therefore if you share a common set of RunOpts these two values can
be set by the previous commands.

This PR stops using common RunOpts for the commands in that doctor check
but secondly stops RunCommand variants from changing the provided
RunOpts.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-11-13 22:43:40 +00:00
Gusted
d25c74f353
Upgrade golang.org/x/crypto (#21792) (#21794)
- Backport #21792
- Update the crypto dependency to include
6fad3dfc18
  - Resolves #17798

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2022-11-12 23:43:43 -05:00
Jason Song
795913e3c7
Load GitRepo in API before deleting issue (#21720) (#21795)
Backport #21720.

Fix #20921.

The `ctx.Repo.GitRepo` has been used in deleting issues when the issue
is a PR.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
2022-11-12 22:13:31 -06:00
silverwind
e609ef9585
Ignore line anchor links with leading zeroes (#21728) (#21777) 2022-11-11 11:45:40 -05:00
Xinyu Zhou
f321cdced7
Add HEAD fix to gitea doctor (#21352) (#21751)
Backport #21352

Due to a bug in presumably an older version of Gitea, multiple of my
repositories still have their HEADs pointing to a `master` branch while
the default branch on the UI is listed as `main`. This adds a `gitea
doctor` command that will fix all of the HEAD references for repos when
they're not synchronized with the default branch in the DB.

This will help with cloning to ensure that git automatically checks out
the right branch, instead of a nonexistent one.

Note: I'm not sure if I actually need to do more other than add a file
here. Will try testing this out on my server soon.

Co-authored-by: Clar Fon <15850505+clarfonthey@users.noreply.github.com>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-11 14:38:52 +08:00
wxiaoguang
f241201484
Init git module before database migration (#21764) (#21766)
Backport #21764

Some database migrations depend on the git module.
2022-11-10 14:22:45 +00:00
Jason Song
43bddc1405
Set last login when activating account (#21731) (#21754)
Backport #21731.

Fix #21698.

Set the last login time to the current time when activating the user
successfully.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-10 11:15:28 +08:00
Xinyu Zhou
9414260d67
Fix UI language switching bug (#21597) (#21748)
Backport #21597

Related:
* https://github.com/go-gitea/gitea/pull/21596#issuecomment-1291450224

There was a bug when switching language by AJAX: the irrelevant POST
requests were processed by the target page's handler.

Now, use GET instead of POST. The GET requests should be harmless.

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-11-10 10:13:36 +08:00
Wayne Starr
3c07ed0911
Remove semver compatible flag and change pypi to an array of test cases (#21708) (#21729)
Backport (#21708)

This addresses #21707 and adds a second package test case for a
non-semver compatible version (this might be overkill though since you
could also edit the old package version to have an epoch in front and
see the error, this just seemed more flexible for the future).

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2022-11-09 23:02:21 +08:00
Wayne Starr
995ae06a6e
Allow for resolution of NPM registry paths that match upstream (#21568) (#21723)
Backport (#21568)

This PR fixes issue #21567 allowing for package tarball URLs to match
the upstream registry (and GitLab/JFrog Artifactory URLs). It uses a
regex to parse the filename (which contains the NPM version) and does a
fuzzy search to pull it out. The regex was built/expanded from
http://json.schemastore.org/package,
https://github.com/Masterminds/semver, and
https://docs.npmjs.com/cli/v6/using-npm/semver and is testable here:
https://regex101.com/r/OydBJq/5

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-09 14:00:09 +08:00
Wayne Starr
14342047ad
Allow local package identifiers for PyPI packages (#21690) (#21726)
Backport (#21690)

Fixes #21683

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2022-11-09 09:10:25 +08:00
zeripath
d6d62c071f
Fix repository adoption on Windows (#21646) (#21651)
Backport #21646

A bug was introduced in #17865 where filepath.Join is used to join
putative unadopted repository owner and names together. This is
incorrect as these names are then used as repository names - which shoud
have the '/' separator. This means that adoption will not work on
Windows servers.

Fix #21632

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-11-01 19:24:37 +00:00
Jason Song
7a2daae7c3
Sync git hooks when config file path changed (#21619) (#21625)
Backport #21619 .

A patch to #17335.

Just like AppPath, Gitea writes its own CustomConf into git hook scripts
too. If Gitea's CustomConf changes, then the git push may fail.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-10-30 11:16:09 +08:00
KN4CK3R
5bc3fbd511
Fix package access for admins and inactive users (#21580) (#21592)
Backport of #21580

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-28 09:38:59 +08:00
KN4CK3R
b0a057f1c0
Fix Timestamp.IsZero (#21593) (#21604)
Backport of #21593

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-27 16:47:47 +08:00
Xinyu Zhou
43a8547df6
Added check for disabled Packages (#21540) (#21614)
Backport #21540

At the moment, If admin disable Packages, still show the Packages on the
admin dashboard.

This patch added a check to hide the Packages entry.
2022-10-27 12:34:32 +08:00
Lunny Xiao
291787a5ef
Fix issues count bug (#21600)
backport #21557
2022-10-26 20:42:45 +08:00
Ashley Nelson
e504410708
Update milestone counters when issue is deleted (#21459) (#21586)
Backports #21459 

When actions besides "delete" are performed on issues, the milestone
counter is updated. However, since deleting issues goes through a
different code path, the associated milestone's count wasn't being
updated, resulting in inaccurate counts until another issue in the same
milestone had a non-delete action performed on it.

I verified this change fixes the inaccurate counts using a local docker
build.

Co-authored-by: 6543 <6543@obermui.de>
2022-10-26 15:44:05 +08:00
KN4CK3R
2ccf940464
Suppress ExternalLoginUserNotExist error (#21504) (#21572)
Backport of #21504

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-26 00:08:05 +08:00
eleith
169c08e20a
support binary deploy in npm packages (#21589)
backport of #21372 for v1.17.4

-------------------

npm package.json supports binary packaging:
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#bin

the npm registry documents that the binary references will be attached
to the abbreviated version object:

https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-object

unfortunately their api documentation leaves this out:
https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-objectdoc

which is likely to be the reason this was left out in gitea's initial
implementation

this response is critical for npm to install the binary in the .bin
folder so as to be included on the users default bin path, resulting in
immediate access to any binaries provided by the package

i have tested upload and installing through npm and can confirm the npm
registry now responds with bin in the version metadata and results in
the binary being available after install.

this fixes https://github.com/go-gitea/gitea/issues/21303

Co-authored-by: eleith <online-github@eleith.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-25 14:13:27 +08:00
Paweł Bogusławski
d5856fece7
SessionUser protection against nil pointer dereference (#21581)
Backport #21358 

`SessionUser` should be protected against passing `sess` = `nil` to
avoid

```
PANIC: runtime error: invalid memory address or nil pointer dereference
```

in


https://github.com/go-gitea/gitea/pull/18452/files#diff-a215b82aadeb8b4c4632fcf31215dd421f804eb1c0137ec6721b980136e4442aR69

after upgrade from gitea v1.16 to v1.17.

Related: https://github.com/go-gitea/gitea/pull/18452
2022-10-24 20:05:35 +01:00
Hubert Wawrzyńczyk
0571ddc368
Case-insensitive NuGet symbol file GUID (#21409) (#21575)
Backport of #21409

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-24 19:57:19 +08:00