silverwind [Sat, 22 Aug 2020 12:36:56 +0000 (14:36 +0200)]
Improve HTML escaping helper (#12562)
The previous method did not escape single quotes which under some
circumstances can lead to XSS vulnerabilites and the fact that it
depends on jQuery is also not ideal. Replace it with a lightweight
module.
techknowlogick [Mon, 17 Aug 2020 06:32:33 +0000 (02:32 -0400)]
Fix bug preventing transfer to private organization (#12497) (#12501)
* Fix bug preventing transfer to private organization
The code assessing whether a private organization was visible to a user before
allowing transfer was incorrect due to testing membership the wrong way round
This PR fixes this issue and renames the function performing the test to be
clearer.
Further looking at the API for transfer repository - no testing was
performed to ensure that the acting user could actually see the new
owning organization.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* change IsUserPartOfOrg everywhere
Previous tests weren't complicated enough so there were some situations where emojis were't detected properly. Find the earliest occurance in addition to checking for the longest combination.
Rendering should now pretty much match GitHub with 1.25em. I verified
that emojis don't increase the line height and removed unecessary size
overrides because now all emojis should appear similar in relation to
the font size.
Extend Notifications API and return pinned notifications by default (#12164) (#12232)
Backport #12164
This PR extends the notifications API to allow specific notification statuses to be searched for and to allow setting of notifications to statuses other than read.
By default unread and pinned statuses will be returned when querying for notifications - however pinned statuses will not be marked as read.
properly set symbolic-ref HEAD when a repo is created with a non-master default branch (#12135) (#12182)
This fixes an issue I noticed with #10803: when you create a repo with a non-master default branch, gitea doesn't change the remote ref HEAD, so it still points at refs/heads/master. As a result, cloning my repos gives me error messages and doesn't check out the desired default branch, so I need to manually check it out after cloning.
When attempting to verify subkeys the email address verification step
requires checking the emails however, these emails are not stored on
subkeys but instead on the primary key.
This PR will obtain the primaryKey and check against these emails too.
Fix #12128
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Multiple small admin dashboard fixes (#12153) (#12156)
* Prevent (EXTRA string) comments in Task headers
* Redirect tasks started from monitor page back to monitor
* Fix #12107 - redirects from process cancel should use AppSubUrl
* When wrapping queues set the name correctly
Ensure BlameReaders close at end of request (#12102) (#12103)
Backport #12102
this was thought to be due to timeouts, however on closer look this
appears to be due to the Close() function of the BlameReader hanging
with a blocked stdout pipe.
This PR fixes this Close function to:
* Cancel the context of the cmd
* Close the StdoutReader - ensuring that the output pipe is closed
Further it makes the context of the `git blame` command a child of the
request context - ensuring that even if Close() is not called, on
cancellation of the Request the blame is command will also be cancelled.
Stefan Bethke [Sun, 28 Jun 2020 18:14:22 +0000 (20:14 +0200)]
Disable go module when downloading global binaries (#12030) (#12084)
Prevent `go get` from touching `go.mod` and `go.sum` when executing
global binaries during the build process. Once
https://github.com/golang/go/issues/30515 is fixed, we should is
whatever solution is provided there.
zeripath [Sun, 21 Jun 2020 15:08:25 +0000 (16:08 +0100)]
Handle multiple merges in gitgraph.js (#11996) (#12000)
Backport #11996
There is a bug in web_src/js/vendor/gitgraph.js whereby it fails to
handle multiple merges in a single commit correctly. This PR adds
changes to make this work.
silverwind [Sat, 20 Jun 2020 14:23:04 +0000 (16:23 +0200)]
Add serviceworker.js to KnownPublicEntries (#11992) (#11994)
Fixes a wrong 302 redirect to the login page, see https://github.com/go-gitea/gitea/issues/11989.
Also made it so the reserved username list is extended with those known
entries so we avoid code duplication.
Rework api/user/repos for pagination (#11827) (#11877)
* Add count to `GetUserRepositories` so that pagination can be supported for `/user/{username}/repos`
* Rework ListMyRepos to use models.SearchRepository
ListMyRepos was an odd one. It first fetched all user repositories and then tried to supplement them with accessible map. The end result was that:
* Limit for pagination did not work because accessible repos would always be appended
* The amount of pages was incorrect if one were to calculate it
* When paginating, all accessible repos would be shown on every page
Hopefully it should now work properly. Fixes #11800 and does not require any change on Drone-side as it can properly interpret and act on Link header which we now set.
zeripath [Fri, 12 Jun 2020 18:01:44 +0000 (19:01 +0100)]
Handle more pathological branch and tag names (#11843) (#11863)
Backport #11843
It's possible to push quite pathological appearing branch names to gitea
using git push gitea reasonable-branch:refs/heads/-- at which point
large parts of the UI will break. Similarly you can git push origin
reasonable-tag:refs/tags/-- which wil return an error.
This PR fixes the problems these cause. It also changes the code from
creating branches to pushing to ensure that branch restoration has to
pass hooks.
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
zeripath [Mon, 8 Jun 2020 19:00:12 +0000 (20:00 +0100)]
Ensure rejected push to refs/pull/index/head fails nicely (#11724) (#11809)
Backport #11724
A pre-receive hook that rejects pushes to refs/pull/index/head
will cause a broken PR which causes an internal server error
whenever it is viewed. This PR handles prevents the internal server
error by handling non-existent pr heads and sends a flash error
informing the creator there was a problem.
赵智超 [Sat, 6 Jun 2020 21:43:01 +0000 (05:43 +0800)]
Fix to allow comment poster to edit or delete his own comments (#11671) (#11774)
* bug: fix comment update permision check
No the ui only allow poster to update or delet comment, which
is not reasonable and different with handle logic, this pr
change it to allow poster of comment do it
mrsdizzie [Thu, 4 Jun 2020 18:56:28 +0000 (14:56 -0400)]
Update emoji dataset with skin tone variants (#11678) (#11763)
* Update emoji dataset with skin tone variants
Since the format of emoji that support skin tone modifiers is predictable we can add different variants into our dataset when generating it so that we can match and properly style most skin tone variants of emoji. No real code change here other than what generates the dataset and the data itself.
mrsdizzie [Fri, 29 May 2020 21:12:53 +0000 (17:12 -0400)]
Update emoji regex (#11584) (#11679)
When matching emoji, use a regex built from the data we have instead of something generic using unicode ranges. A generic regex can't tell the difference between two separate emoji next to each other or one emoji that is built out of two separate emoji next to each other.
This means that emoji that are next to each other without space in between will be now accurately spanned individually with proper title etc...
6543 [Fri, 29 May 2020 18:00:43 +0000 (20:00 +0200)]
Doctor check & fix db consistency (#11111) (#11676)
needed to fix issue as described in #10280
* rename check-db to check-db-version
* add check-db-consistency:
* find issues without existing repository
* find pulls without existing issues
* find tracked times without existing issues/pulls
* find labels without repository or org reference
guillep2k [Wed, 27 May 2020 07:08:14 +0000 (04:08 -0300)]
When must change password only show Signout (#11600) (#11637)
When "Must Change Password" simplify the navbar header to only show the
signout button as all other links will redirect back. This prevents the
notifications icon from showing preventing initialization of the
event-source and hence preventing redirect_to being set, however in
addition do not set the redirect_to cookie if we are looking at the
/user/events page.
Fix #11554
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
* Fix inconsistent font size for markdown preview on new PR view (#11565)
We use same method for new issue form and issue view, but was missing from new PR view making it one place where markdown preview is inconsistent in font size.
silverwind [Sun, 24 May 2020 21:12:02 +0000 (23:12 +0200)]
Fix serviceworker output file and misc improvements (#11562) (#11610)
* Fix serviceworker output file and misc improvements
- Fix output file location for production build
- Cache more asset types: fonts and worker variants
- Parallelize a few tasks during initalization
- Only invalidate caches starting with our prefix
- Remove public/serviceworker.js before building
- Remove font preloads, they cause strange cors issues
- Misc eslint config adjustments
zeripath [Sun, 24 May 2020 17:12:25 +0000 (18:12 +0100)]
Prevent (caught) panic on login (#11590) (#11597)
Backport #11590
Unfortunately when the virtual session is released it requires that the
real session does not exist. This worked fine when sessions were only
saved at the end of request/response cycle however, now sessions are
saved proactively this does not hold.
The result is a caught panic in the logs during every log-in. This
panic has no significant side-effects but should not occur.
This PR marks the virtual session as released when released and updates
it if the same session is released again.
mrsdizzie [Sun, 24 May 2020 13:01:10 +0000 (09:01 -0400)]
Fix images in wiki edit preview (#11546) (#11602)
Make sure wiki editor sets wiki to true so gitea renders it as a wiki page.
Also change the context data attr for edit form. This looks wrong but everywhere else in our code assumes the urlPrefix to be just the repo url when rendering and manually adds /wiki to the rendered url regardless.