Commit Graph

11917 Commits

Author SHA1 Message Date
zeripath
3aecea2e6e
Changelog 1.15.5 (#17392)
* SECURITY
  * Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  * Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
* BUGFIXES
  * Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
  * Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
  * Ensure popup text is aligned left (backport for 1.15) (#17343)
  * Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
  * Disable core.protectNTFS (#17300) (#17302)
  * Use pointer for wrappedConn methods (#17295) (#17296)
  * AutoRegistration is supposed to be working with disabled registration (backport) (#17292)
  * Handle duplicate keys on GPG key ring (#17242) (#17284)
  * Fix SVG side by side comparison link (#17375) (#17391)

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-21 23:50:22 +02:00
zeripath
cae8c63517
Fix SVG side by side comparison link (#17375) (#17391)
Backport #17375

Define unique names for image tabs in pull requests, in order to toggle tabs correctly when multiple are displayed on one page.

Fixes position of swipe-bar so it does not overlay other UI components when scrolling.

Signed-off-by: Mario Lubenka <mario.lubenka@googlemail.com>

Co-authored-by: Mario Lubenka <mario.lubenka@googlemail.com>
2021-10-21 20:38:29 +01:00
zeripath
8ace5c1161
Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
Backport #17281

There is a subtle bug in the SSH library x/crypto/ssh which makes the incorrect
assumption that the public key type is the same as the signature algorithm type.

This means that only ssh-rsa signatures are offered by default.

This PR adds a workaround around this problem.

Fix #17175

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-10-21 16:37:49 +08:00
Lunny Xiao
a87b813955
Fix heatmap test (#17381) (#17383)
Backport #17381
2021-10-21 09:00:41 +01:00
6543
3baeec745c
Upgrade Bluemonday to v1.0.16 (#17372) (#17374) 2021-10-20 16:57:19 -04:00
Richard Mahn
befb6bea22
Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
Backport of #17018

Fixes #16837 if a column is deleted.
2021-10-20 22:55:34 +02:00
6543
79f0b1a50b
Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assumed that if the
user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
2021-10-20 22:26:48 +02:00
zeripath
79a3d277e5
Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
Backport #17304

Downgrade logging statement from Fatal to Error so that errors parsing
U2FRegistration data does not panic; instead, the invalid key will be
skipped and we will attempt to parse the next one, if available.

Signed-off-by: David Jimenez <dvejmz@sgfault.com>

Co-authored-by: David Jimenez <dvejmz@users.noreply.github.com>
2021-10-20 21:45:17 +02:00
John Olheiser
eb748ff79e
Allow mocking timeutil (#17354) (#17356)
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2021-10-18 16:48:23 -05:00
Mario Lubenka
c5770195d9
Ensure popup text is aligned left (#17343)
Signed-off-by: Mario Lubenka <mario.lubenka@googlemail.com>
2021-10-17 18:57:28 -04:00
zeripath
a20ccec369
Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
Backport #17243

There is an issue with #16508 where it appears that create repo requires that the
repo does not exist. This causes #17241 where an error is reported because of this.

This PR fixes this and also runs update-server-info for mirrors and generated repos.

Fix #17241

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-14 18:07:53 +02:00
zeripath
9c2b7a196e
Disable core.protectNTFS (#17300) (#17302)
Backport #17300

core.protectNTFS protects NTFS from files which may be difficult to remove or interact
with using the win32 api, however, it also appears to prevent such files from
being entered into the git indexes - fundamentally causing breakages with PRs that
affect these files. However, deliberately setting this to false may cause security
issues due to the remain sparse checkout of files in the merge pipeline.

The only sensible option therefore is to provide an optional setting which admins
could set which would forcibly switch this off if they are affected by this issue.

Fix #17092

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-13 23:02:45 +03:00
zeripath
1e278b15c2
Use pointer for wrappedConn methods (#17295) (#17296)
Backport #17295

Fix #17294

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-12 23:45:30 +01:00
Viktor Kuzmin
fde6ff6a75
Backport of fix for auto registration - PR #17219 (#17292) 2021-10-12 00:02:47 -04:00
zeripath
51f4f8c393
Handle duplicate keys on GPG key ring (#17242) (#17284)
Backport #17242

It is possible that a keyring can contain duplicate keys on a keyring due to jpegs or
other layers. This currently leads to a confusing error for the user - where we report
a duplicate key insertion.

This PR simply coalesces keys into one key if there are duplicates.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: 6543 <6543@obermui.de>
2021-10-11 05:13:10 +03:00
Matti R
f5845e6497
Changelog for 1.15.4 2021-10-08 14:01:42 -04:00
Norwin
c927ebd119
API: don't allow merged PRs to be reopened (#17271) 2021-10-08 13:54:26 -04:00
Norwin
245596e130
don't try to interpret treepath as hash (#17272)
...when path contains no hash-path-separator ('/')

This is a workaround to #17179.

Entering this case when `path` does not contain a '/' does not really
make sense, as that means the tree path is empty, but this case is only
entered for routes that expect a non-empty tree path.

Treepaths like <40-char-dirname>/<filename> will still fail,
but hopefully don't occur that often. A more complete fix that avoids
this case too is outlined in #17185, but too big of a change to backport
2021-10-08 13:53:54 -04:00
Jimmy Praet
1c3ae6d05e
Fix incorrect repository count on organization tab of dashboard (#17266)
Fixes #17249
2021-10-08 17:33:16 +08:00
Jimmy Praet
a1e57ebe6b
Fix unwanted team review request deletion (#17257) (#17264)
Add missing issue_id = ? to where clause
Fixes #17251
2021-10-07 23:58:13 +02:00
6543
73ae93b007
CI: migrate from 'plugins/s3:1' to 'woodpeckerci/plugin-s3:latest' (#17234) (#17260)
- this fixes the CI release upload issues, as the docker image for this is freshly built (unlike the mostly unmaintained "official" drone plugins), thus containing current CA certs needed for letsencrypt since 2021-09-31.
- woodpecker is a drone-ci fork maintained partially by @6543. it's API compatible with current drone plugins afaik
2021-10-07 22:02:07 +02:00
6543
dc030f64a7
Remove dead badge on README.md (#17261) 2021-10-07 15:40:11 -04:00
Jimmy Praet
6e0a08d753
Fix broken Activities link in team dashboard (#17255) (#17258)
Remove '/' suffix from organization dashboard link

Fixes #17250
2021-10-07 20:58:59 +02:00
pricly-yellow
7b1153e943
API pull's head/base have correct permission(#17214) (#17245)
* for all pull requests API return permissions of caller
* for all webhook return empty permissions

Signed-off-by: Danila Kryukov <pricly_yellow@dismail.de>

* Fix incorrect error handler

Co-authored-by: delvh <dev.lh@web.de>

* Fix wrong assumption in tests

* Change paramenter name to doer to indicate source

Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: 6543 <6543@obermui.de>
2021-10-07 12:39:23 +03:00
pricly-yellow
6995be66e7
Fix stange behavior of DownloadPullDiffOrPatch in incorect index (#17223) (#17227)
Fix GetPullRequestByIndex by validate index > 1

Signed-off-by: Danila Kryukov <pricly_yellow@dismail.de>
Co-authored-by: a1012112796 <1012112796@qq.com>
2021-10-05 20:16:22 +02:00
6543
28971c7c15
Check user instead of organization when creating a repo from a template via API (#16346) (#17195)
* Check user instead of organization

* Enforce that only admins can copy a repo to another user

Co-authored-by: Ion Jaureguialzo Sarasola <ion@jaureguialzo.com>
2021-10-01 10:16:28 +02:00
Lunny Xiao
eb5e6f09eb
upgrade xorm to v1.2.5 (#17177) (#17188) 2021-09-30 07:03:42 +01:00
Alexey 〒erentyev
bf6264c1db
fix sprintf verbs in locales (#17187)
Signed-off-by: Alexey Terentyev <axifnx@gmail.com>

Co-authored-by: 6543 <6543@obermui.de>
2021-09-30 12:03:21 +08:00
zeripath
5b6b7e79cf
Fix missing repo link in issue/pull assigned emails (#17183) (#17184)
Backport #17183

There was a mistake in the template file: `templates/mail/issue/assigned.tmpl`
where the repourl was generated from a non-existent release instead of the issue.

This PR changes this to use the issue but also ensure that the issue repo is loaded.

It also slightly improves the English and the Russian locale string.

Fix #17160

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
2021-09-30 01:21:12 +02:00
Lunny Xiao
766272b154
Fix bug of get context user (#17169) (#17172)
Co-authored-by: 6543 <6543@obermui.de>
2021-09-28 15:42:43 +02:00
zeripath
4707d4b8a9
Nicely handle missing user in collaborations (#17049) (#17166)
Backport #17049

It is possible to have a collaboration in a repository which refers to a no-longer
existing user. This causes the repository transfer to fail with an unusual error.

This PR makes `repo.getCollaborators()` nicely handle the missing user by ghosting
the collaboration but also adds consistency check. It also adds an
Access consistency check.

Fix #17044

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2021-09-28 07:41:12 +01:00
zeripath
4b8b214108
Create doctor command to fix repo_units broken by dumps from 1.14.3-1.14.6 (#17136) (#17137)
Backport #17136

There was a serious issue with the `gitea dump` command in 1.14.3-1.14.6 which led to corruption of the `config` field of the `repo_unit` table. 

This PR adds a doctor command to attempt to fix the broken repo_units. Users affected by #16961 should run:

```
gitea doctor --fix --run fix-broken-repo-units
```

Fix #16961

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-27 18:30:11 +01:00
zeripath
ebae7e1512
Add Horizontal scrollbar to inner menu on Chrome (#17086) (#17164) 2021-09-27 12:44:22 -04:00
6543
122917f4d5
Fix wrong i18n keys (#17150) (#17153)
Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-26 08:25:12 +08:00
Alexey 〒erentyev
9cf5739c0f
correct transaction ending (#17151)
Signed-off-by: Alexey Terentyev <axifnx@gmail.com>
2021-09-25 16:45:39 +01:00
zeripath
4b6556565f
Prevent panic in Org mode HighlightCodeBlock (#17140) (#17141)
Backport #17140

When rendering source in org mode there is a mistake in the highlight code that
causes a panic.

This PR fixes this.

Fix #17139

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-24 14:29:47 +01:00
zeripath
7ce938b6c7
Changelog 1.15.3 (#17091)
## [1.15.3](https://github.com/go-gitea/gitea/releases/tag/v1.15.3) - 2021-09-19

* ENHANCEMENTS
  * Add fluid to ui container class to remove margin (#16396) (#16976)
  * Add caller to cat-file batch calls (#17082) (#17089)
* BUGFIXES
  * Render full plain readme. (#17083) (#17090)
  * Upgrade xorm to v1.2.4 (#17059)
  * Fix bug of migrate comments which only fetch one page (#17055) (#17058)
  * Do not show issue context popup on external issues (#17050) (#17054)
  * Decrement Fork Num when converting from Fork (#17035) (#17046)
  * Correctly rollback in ForkRepository (#17034) (#17045)
  * Fix missing close in WalkGitLog (#17008) (#17009)
  * Add prefix to SVG id/class attributes (#16997) (#17000)
  * Fix bug of migrated repository not index (#16991) (#16996)
  * Skip AllowedUserVisibilityModes validation on update user if it is an organisation (#16988) (#16990)
  * Fix storage Iterate bug and Add storage doctor to delete garbage attachments (#16971) (#16977)
  * Fix issue with issue default mail template (#16956) (#16975)
  * Ensure that rebase conflicts are handled in updates (#16952) (#16960)
  * Prevent panic on diff generation (#16950) (#16951)

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-09-20 12:02:52 +08:00
zeripath
6139834e76
Add caller to cat-file batch calls (#17082) (#17089)
Some people still appear to report unclosed cat-files. This PR simply adds the caller
to the process descriptor for the CatFileBatch and CatFileBatchCheck calls.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-20 00:07:35 +08:00
zeripath
b673a24ee6
Render full plain readme. (#17083) (#17090)
Backport #17083

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2021-09-19 22:01:19 +08:00
Lunny Xiao
fd35f56e87
Fix bug of migrate comments which only fetch one page (#17055) (#17058)
* Fix bug of migrate comments which only fetch one page

* add next page to trace

Co-authored-by: zeripath <art27@cantab.net>

Co-authored-by: zeripath <art27@cantab.net>
2021-09-15 14:01:54 -04:00
Lunny Xiao
1f8df5dd89
Upgrade xorm to v1.2.4 (#17059) 2021-09-15 23:27:46 +08:00
zeripath
6a025d8b4a
Do not show issue context popup on external issues (#17050) (#17054)
Backport #17050

The issues pop-up context cannot work for external issues - therefore do not show
these.

Fix #17047

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-15 17:38:20 +08:00
zeripath
270c7f36db
Correctly rollback in ForkRepository (#17034) (#17045)
Backport #17034

The rollback functionality in
services/repository/repository.go:ForkRepository is incorrect and could
lead to a deadlock as it uses DeleteRepository to delete the rolled-back
repository - a function which creates its own transaction.

This PR adjusts the rollback function to only use RemoveAll as any
database changes will be automatically rolled-back. It also handles
panics and adjusts the Close within WithTx to ensure that if there is a
panic the session will always be closed.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-15 08:42:09 +03:00
zeripath
0e448fb96d
Decrement Fork Num when converting from Fork (#17035) (#17046)
Backport #17035

When converting repositories from forks to normal the root NumFork needs to be
decremented too.

Fix #17026

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-15 10:05:47 +08:00
zeripath
659b946eda
Fix missing close in WalkGitLog (#17008) (#17009)
Backport #17008

When the external context is cancelled it is possible for the
GitLogReader to not itself be Closed.

This PR does three things:

1. Instead of adding a plain defer it wraps the `g.Close` in a func as
`g` may change.
2. It adds the missing explicit g.Close - although the defer fix makes
this unnecessary.
3. It passes down the external context as the base context for the
GitLogReader meaning that the cancellation of the external context will
pass down automatically.

Fix #17007

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-10 17:46:06 +08:00
KN4CK3R
56ab5ec9ea
Use filename as id/class prefix. (#16997) (#17000)
Currently the svg minifier (`make svg`) rewrites all `id` and `class` attributes in svg files. Every file gets the ids `a, b, ...`. If multiple svgs with ids are used on a page these ids are conflicting and the results are broken images.

| minified ids | unique ids |
| - | - |
| ![grafik](https://user-images.githubusercontent.com/1666336/132579375-59d3996f-c4e5-43b8-8c8d-82280c90d9e3.png) | ![grafik](https://user-images.githubusercontent.com/1666336/132579413-05bf9285-4e3b-4d0d-8f95-90b212405b05.png) |

This PR adds a prefix (the filename) to every id/class.

Follow up problem: Because we embed svg images there are duplicated ids if one svg image is used multiple times on a page. As those ids refer to the same content it may be no real problem because browser handle that fine.
2021-09-09 10:47:28 +01:00
6543
3b13c5d41a
Fix bug of migrated repository not index (#16991) (#16996)
Fix #16986, #16152

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-09 07:02:22 +01:00
6543
d27f061863
Skip AllowedUserVisibilityModes validation on update user if it is an organisation (#16988) (#16990)
if AllowedUserVisibilityModes allow only public & limited, and orgs can be private, a user can create a repo to that organisation whitch will result in an update of the user. On this call the user is validaten and will be rejected since private is not allowed, but its not an user its an valid org ...

Co-authored-by: Alexey 〒erentyev <axifnx@gmail.com>

Co-authored-by: Alexey 〒erentyev <axifnx@gmail.com>
2021-09-08 23:58:00 +08:00
Lunny Xiao
07489d0405
Fix storage Iterate bug and Add storage doctor to delete garbage attachments (#16971) (#16977)
* Fix storage Iterate bug and Add storage doctor to delete garbage attachments

* Close object when used
2021-09-07 19:39:05 +01:00
Prasad Katti
30708d9ffe
Fix issue with issue default mail template (#16956) (#16975)
Backport #16956

The mail template rendering was failing with the error -
`...vices/mailer/mail.go:301:composeIssueCommentMessages() [E] ExecuteTemplate [issue/default/body]: template: issue/default:65:10: executing "issue/default" at <.i18n.Tr>: can't evaluate field i18n in type *models.Comment`

The issue was the template variable i18n is available in the outer scope.

Fix #16877

Co-authored-by: 6543 <6543@obermui.de>
2021-09-07 10:06:59 +08:00