KN4CK3R [Mon, 6 Nov 2023 22:06:21 +0000 (23:06 +0100)]
Unify two factor check (#27915) (#27939)
Backport of #27915
Fixes #27819
We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
Giteabot [Wed, 18 Oct 2023 13:07:20 +0000 (21:07 +0800)]
Support allowed hosts for webhook to work with proxy (#27655) (#27674)
Backport #27655 by @wolfogre
When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.
But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.
This PR fixes it by:
- If the proxy has been set, always allow connections to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.
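The distinction the commit draws (checking the address the transport dials versus checking the webhook's own target host) is easy to get wrong, so here is an added example, not Gitea's code, of the fixed design: the allow list is enforced on the request URL in a `RoundTripper` wrapper, while the inner transport is free to connect to the configured proxy. The entry syntax (exact host, `*.suffix`, CIDR) and the names `HostAllowList`, `CheckTarget` and `NewWebhookClient` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// HostAllowList is a hypothetical matcher for ALLOWED_HOST_LIST-style
// entries: exact host names, "*.suffix" wildcards and CIDR ranges.
// Example code, not Gitea's implementation.
type HostAllowList struct {
	hosts    map[string]bool
	suffixes []string
	nets     []*net.IPNet
}

// ParseAllowList builds a matcher from a list of entries.
func ParseAllowList(entries []string) (*HostAllowList, error) {
	al := &HostAllowList{hosts: map[string]bool{}}
	for _, e := range entries {
		e = strings.ToLower(strings.TrimSpace(e))
		switch {
		case e == "":
			continue
		case strings.HasPrefix(e, "*."):
			al.suffixes = append(al.suffixes, e[1:]) // keep the leading dot
		case strings.Contains(e, "/"):
			_, n, err := net.ParseCIDR(e)
			if err != nil {
				return nil, fmt.Errorf("bad CIDR %q: %w", e, err)
			}
			al.nets = append(al.nets, n)
		default:
			al.hosts[e] = true
		}
	}
	return al, nil
}

// Allows reports whether a host name or literal IP is on the list.
func (al *HostAllowList) Allows(host string) bool {
	host = strings.ToLower(host)
	if al.hosts[host] {
		return true
	}
	for _, s := range al.suffixes {
		if strings.HasSuffix(host, s) {
			return true
		}
	}
	if ip := net.ParseIP(host); ip != nil {
		for _, n := range al.nets {
			if n.Contains(ip) {
				return true
			}
		}
	}
	return false
}

// CheckTarget is the "check ALLOWED_HOST_LIST before forwarding" step. It
// looks at the host in the webhook's own URL, which is what the proxy will
// connect to, rather than the address the transport dials (with a proxy
// configured, that is always the proxy itself).
func CheckTarget(rawURL string, al *HostAllowList) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if !al.Allows(u.Hostname()) {
		return fmt.Errorf("webhook target %q is not in the allowed host list", u.Hostname())
	}
	return nil
}

// allowListTransport runs CheckTarget on every request before delegating
// to an inner transport that may be configured with a proxy.
type allowListTransport struct {
	inner http.RoundTripper
	al    *HostAllowList
}

func (t *allowListTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := CheckTarget(req.URL.String(), t.al); err != nil {
		return nil, err
	}
	return t.inner.RoundTrip(req)
}

// NewWebhookClient follows the fixed design: connections to the proxy are
// always permitted, and the allow list is enforced on the webhook target.
func NewWebhookClient(proxyURL string, al *HostAllowList) (*http.Client, error) {
	tr := &http.Transport{}
	if proxyURL != "" {
		p, err := url.Parse(proxyURL)
		if err != nil {
			return nil, err
		}
		tr.Proxy = http.ProxyURL(p)
	}
	return &http.Client{Transport: &allowListTransport{inner: tr, al: al}}, nil
}
```

The check matches on the host name as written in the webhook URL; it says nothing about what that name resolves to, so a name on the list that resolves to an internal address is still reached. That is a separate control (resolve-then-check at dial time, or a resolver-level deny list) and is not what this commit is about.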
Giteabot [Wed, 11 Oct 2023 02:38:50 +0000 (10:38 +0800)]
Fix attachment download bug (#27486) (#27570)
Backport #27486 by @lunny
Fix #27204
This PR allows `/<username>/<reponame>/attachments/<uuid>` access with
personal access token and also changed attachments API download url to
it so it can be downloaded correctly.
Giteabot [Fri, 6 Oct 2023 14:51:04 +0000 (22:51 +0800)]
Fix panic in storageHandler (#27446) (#27478)
Backport #27446 by @sryze
storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServeHTTP()`).
Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.
Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)
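The nil-`next` failure is simple to reproduce and to guard against. The following is an added example, not the storageHandler from the PR: a handler written as an endpoint that answers unmatched URLs itself, beside a middleware-shaped version that dereferences a nil `next` when it is mounted as an endpoint. `ServeStoredFile`, `BuggyStorageMiddleware`, `Probe` and the in-memory file map are assumptions made for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// ServeStoredFile is a hypothetical endpoint in the shape of the fixed
// handler: it serves "/<prefix>/<path>" from an in-memory map and answers
// misses itself. Example code, not Gitea's storageHandler.
func ServeStoredFile(prefix string, files map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		base := "/" + prefix + "/"
		if !strings.HasPrefix(r.URL.Path, base) {
			// An endpoint has no `next`; report the miss rather than
			// forwarding to a middleware chain that does not exist.
			http.NotFound(w, r)
			return
		}
		rel := strings.TrimPrefix(r.URL.Path, base)
		if rel == "" || strings.Contains(rel, "..") {
			http.NotFound(w, r)
			return
		}
		body, found := files[rel]
		if !found {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte(body))
	})
}

// BuggyStorageMiddleware keeps the original shape: a middleware that hands
// unmatched URLs to `next`. Mounted as an endpoint, next is nil and the
// forward dereferences a nil interface.
func BuggyStorageMiddleware(prefix string, files map[string]string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			base := "/" + prefix + "/"
			if !strings.HasPrefix(r.URL.Path, base) {
				next.ServeHTTP(w, r) // panics when next == nil
				return
			}
			body, found := files[strings.TrimPrefix(r.URL.Path, base)]
			if !found {
				http.NotFound(w, r)
				return
			}
			w.Write([]byte(body))
		})
	}
}

// Probe drives a handler with a GET for path and reports the status code,
// flagging (rather than propagating) a panic so both shapes can be compared.
func Probe(h http.Handler, path string) (code int, panicked bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	defer func() {
		if r := recover(); r != nil {
			code, panicked = http.StatusInternalServerError, true
		}
	}()
	h.ServeHTTP(rec, req)
	return rec.Code, false
}
```

In a real server the panic is caught by the router's recovery middleware and turned into a 500, which is what the issue reports; the point of the endpoint-shaped version is that an unmatched URL is a 404, not a crash.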
fix orphan check for deleted branch (#27310) (#27320)
Backport #27310 by @earl-warren
- Modify the deleted branch orphan check to check for the new table
instead.
- Regression from 6e19484f4d3bf372212f2da462110a1a8c10cbf2
- Resolves https://codeberg.org/forgejo/forgejo/issues/1522
Quote table `release` in sql queries (#27205) (#27219)
Backport of #27205
Fixes #27174
`release` is a reserved keyword in MySQL. I can't reproduce the issue on
my setup and we have a test for that code but it seems there can be
setups where it fails.
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27167)
Backport #27150 by @memphis88
Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.
This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27162)
Backport #27150 by @memphis88
Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.
This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).
Unfortunately, when a system setting hasn't been stored in the database,
it cannot be cached.
Meanwhile, this PR also uses context cache for push email avatar display
which should avoid reading the user table via email address again and again.
According to my local test, this should reduce dashboard elapsed time
from 150ms -> 80ms.
Use secure cookie for HTTPS sites (#26999) (#27013)
Backport #26999
If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's
default value should be true.
And, if a user visits an "http" site with "https" AppURL, they won't be
able to log in, and they should have been warned. The only problem is
that the "language" can't be set either in such case, while I think it
is not a serious problem, and it could be fixed easily if needed.
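As an added example (not Gitea's settings code), the following resolves the `COOKIE_SECURE` default from the scheme of `ROOT_URL`, builds the session cookie with that flag, and detects the failure mode the commit describes: a request arriving over plain http on a site configured as https, where the browser will discard a `Secure` cookie and login silently fails. The function names, the `X-Forwarded-Proto` handling and the warning text are assumptions made for the example.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// CookieSecureDefault resolves COOKIE_SECURE: an explicit setting wins,
// otherwise the flag follows the scheme of ROOT_URL (appURL), so an
// https site gets Secure cookies by default. Example code, not Gitea's
// settings loader.
func CookieSecureDefault(appURL string, explicit *bool) (bool, error) {
	if explicit != nil {
		return *explicit, nil
	}
	u, err := url.Parse(appURL)
	if err != nil {
		return false, err
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return true, nil
	case "http":
		return false, nil
	default:
		return false, errors.New("ROOT_URL must start with http:// or https://")
	}
}

// SessionCookie builds the session cookie with the resolved Secure flag.
// HttpOnly and SameSite=Lax do not depend on the scheme and are always set.
func SessionCookie(name, value string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

// SchemeMismatch reports the failure mode described above: the site is
// configured as https but this request arrived over plain http, so a
// Secure cookie in the response will be dropped by the browser.
// X-Forwarded-Proto is consulted for reverse-proxy deployments
// (assumption: the proxy overwrites that header on every request).
func SchemeMismatch(appURL string, r *http.Request) bool {
	u, err := url.Parse(appURL)
	if err != nil || !strings.EqualFold(u.Scheme, "https") {
		return false
	}
	proto := r.Header.Get("X-Forwarded-Proto")
	if proto == "" {
		proto = "http"
		if r.TLS != nil {
			proto = "https"
		}
	}
	return !strings.EqualFold(proto, "https")
}

// WarnOnSchemeMismatch wraps the login handler and tells the user what is
// wrong instead of letting the cookie vanish without explanation.
func WarnOnSchemeMismatch(appURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if SchemeMismatch(appURL, r) {
			http.Error(w, "this site is configured for HTTPS ("+appURL+"); log in over HTTPS, otherwise the session cookie cannot be set", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Trusting `X-Forwarded-Proto` is only safe when the reverse proxy strips or overwrites it; for a server reachable directly, the `r.TLS` check alone is the honest signal.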
Update docs about attachment path (#26883) (#26884)
Backport #26883
This change was caused by #26271, for configuration as below:
```
[attachment]
ENABLE = true
PATH = data/attachments
MAX_SIZE = 100
MAX_FILES = 5
```
Before #26271, the resolved path is ${AppWorkPath}/${attachments.PATH}
(such as `/var/lib/gitea/data/attachments`)
After #26271, the resolved path is ${AppDataPath}/${attachments.PATH}
(such as `/var/lib/gitea/data/data/attachments`)
Giteabot [Thu, 31 Aug 2023 15:29:55 +0000 (23:29 +0800)]
Fix verifyCommits error when push a new branch (#26664) (#26810)
Backport #26664 by @CaiCandong
> ### Description
> If a new branch is pushed, and the repository has a rule that would
require signed commits for the new branch, the commit is rejected with a
500 error regardless of whether it's signed.
>
> When pushing a new branch, the "old" commit is the empty ID
(0000000000000000000000000000000000000000). verifyCommits has no
provision for this and passes an invalid commit range to git rev-list.
Prior to 1.19 this wasn't an issue because only pre-existing individual
branches could be protected.
>
> I was able to reproduce with
[try.gitea.io/CraigTest/test](https://try.gitea.io/CraigTest/test),
which is set up with a blanket rule to require commits on all branches.
Fix #25565
Many thanks to @Craig-Holmquist-NTI for reporting the bug and suggesting
a valid solution!
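The edge case is the all-zero "old" ID on a new-branch push, which turns `old..new` into an invalid `git rev-list` range. The following is an added example, not the verifyCommits fix itself: it validates both IDs before they reach git's argv, and builds the revision arguments differently for an existing branch, a new branch and a deletion. `RevListArgs`, `IsEmptyCommitID` and the choice of `new --not --all` for the new-branch case (which assumes a pre-receive context where refs are not yet updated) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// objectID accepts a full SHA-1 or SHA-256 object name. Validating here
// also keeps a crafted "-flag" value from ever reaching git's argv.
var objectID = regexp.MustCompile(`^[0-9a-f]{40}$|^[0-9a-f]{64}$`)

// IsEmptyCommitID reports whether id is the all-zero name git passes as
// the "old" side of a branch creation (or the "new" side of a deletion).
func IsEmptyCommitID(id string) bool {
	for _, c := range id {
		if c != '0' {
			return false
		}
	}
	return len(id) == 40 || len(id) == 64
}

// RevListArgs returns the arguments for `git rev-list` that enumerate the
// commits a push introduces, so each can be checked for a signature:
//
//   - existing branch: old..new
//   - new branch:      new --not --all  (there is no old tip; list what no
//                      current ref already reaches; assumes pre-receive,
//                      i.e. refs not yet updated)
//   - deletion:        nothing to verify, (nil, nil)
//
// Example code; it illustrates the edge case, not Gitea's exact fix.
func RevListArgs(oldID, newID string) ([]string, error) {
	for _, id := range []string{oldID, newID} {
		if !objectID.MatchString(id) {
			return nil, fmt.Errorf("invalid object id %q", id)
		}
	}
	switch {
	case IsEmptyCommitID(newID):
		return nil, nil
	case IsEmptyCommitID(oldID):
		return []string{"rev-list", newID, "--not", "--all"}, nil
	default:
		return []string{"rev-list", oldID + ".." + newID}, nil
	}
}
```

A caller that runs the old code path with the zero ID gets a git error and, as the issue describes, surfaces it as a 500; distinguishing the three cases up front is what avoids that.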
Giteabot [Tue, 29 Aug 2023 10:06:05 +0000 (18:06 +0800)]
Fix being unable to use a repo that prohibits accepting PRs as a PR source. (#26785) (#26790)
Backport #26785 by @CaiCandong
## Description
Sometimes, we need to use an upstream mirror repository to update the
current development repository, but mirror repositories are prohibited
from PR. It should not appear in `merge to`, but it can appear in `pull
from`.
Fix #24585 #26193 #26781
Related #24183
Many thanks to @apnote for assisting me in reproducing this bug!
Giteabot [Fri, 25 Aug 2023 05:55:53 +0000 (13:55 +0800)]
Add matrix to support (#26382) (#26722)
Backport #26382 by @jolheiser
This PR adds our matrix space to the support options and alphabetizes
the list.
I also considered adding our Mastodon, however that isn't as suitable as
the other options because it's just whoever has access to the account vs
a community chat/forum.
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Giteabot [Wed, 23 Aug 2023 01:57:01 +0000 (09:57 +0800)]
add mfa doc (#26654) (#26674)
Backport #26654 by @lunny
copy and modified from #14572
> Whilst debating enforcing MFA within our team, I realised there isn't
a lot of context to the side effects of enabling it. Most of us use Git
over HTTP and would need to add a token.
I plan to add another PR that adds a sentence to the UI about needing to
generate a token when enabling MFA if HTTP is to be used.
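Both the unified two-factor check (#27915, above) and this MFA note make the same point: once a second factor is enrolled, a password over HTTP basic auth must be refused and a token used instead, and that decision belongs in one place rather than at every caller. The following is an added example, not Gitea's auth code: a single `VerifyBasicAuth` that accepts an access token unconditionally (it was issued from a web session that already passed 2FA) and accepts a password only for accounts without a second factor, wrapped in a middleware so every route behind it behaves the same. The in-memory `Store`, the SHA-256 digests (a stand-in for a proper password hash) and the error texts are assumptions made for the example.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"net/http"
)

// User is a minimal account record for the example. Secrets are stored as
// SHA-256 digests so comparisons can be constant-time; a real deployment
// stores passwords with a slow hash (argon2id/bcrypt), not plain SHA-256.
type User struct {
	Name        string
	TwoFactor   bool
	pwHash      [32]byte
	tokenHashes [][32]byte
}

var (
	ErrBadCredentials    = errors.New("invalid username or password")
	ErrTwoFactorRequired = errors.New("two-factor authentication is enabled on this account; use an access token instead of the password for HTTP basic auth")
)

func digest(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// Store is an in-memory user table (constructed for the example).
type Store map[string]*User

func (s Store) Add(name, password string, twoFactor bool, tokens ...string) {
	u := &User{Name: name, TwoFactor: twoFactor, pwHash: digest(password)}
	for _, t := range tokens {
		u.tokenHashes = append(u.tokenHashes, digest(t))
	}
	s[name] = u
}

// VerifyBasicAuth is the one place a basic-auth credential is judged: an
// access token is accepted as-is (it was minted from a web session that
// already passed 2FA); a password is accepted only when the account has no
// second factor. Callers no longer need to remember the 2FA check.
func VerifyBasicAuth(s Store, name, secret string) (*User, error) {
	h := digest(secret)
	u, ok := s[name]
	if !ok {
		empty := digest("")
		_ = subtle.ConstantTimeCompare(h[:], empty[:]) // keep timing similar for unknown users
		return nil, ErrBadCredentials
	}
	for _, t := range u.tokenHashes {
		if subtle.ConstantTimeCompare(h[:], t[:]) == 1 {
			return u, nil
		}
	}
	if subtle.ConstantTimeCompare(h[:], u.pwHash[:]) != 1 {
		return nil, ErrBadCredentials
	}
	if u.TwoFactor {
		return nil, ErrTwoFactorRequired
	}
	return u, nil
}

type ctxKey struct{}

// UserFrom returns the user the middleware placed in the request context.
func UserFrom(ctx context.Context) (*User, bool) {
	u, ok := ctx.Value(ctxKey{}).(*User)
	return u, ok
}

// BasicAuthMiddleware parses the Authorization header and delegates to
// VerifyBasicAuth, so every route behind it gets the same 2FA behaviour.
func BasicAuthMiddleware(s Store, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, secret, ok := r.BasicAuth()
		if !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="git"`)
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		u, err := VerifyBasicAuth(s, name, secret)
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}
```

Returning a distinct `ErrTwoFactorRequired` (rather than the generic credentials error) is what makes the UI hint the MFA doc talks about possible: the client learns that the password was right and that a token is what is needed.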
Giteabot [Mon, 21 Aug 2023 16:51:30 +0000 (00:51 +0800)]
Use correct minio error (#26634) (#26639)
Backport #26634 by @delvh
Previously, `err` was defined above, checked for `err == nil` and used
nowhere else.
Hence, the result of `convertMinioErr` would always be `nil`.
This leads to a NPE further down the line.
That is not intentional, it should convert the error of the most recent
operation, not one of its predecessors.
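The bug class here (converting a stale, already-nil `err` instead of the error of the call that just failed) is worth seeing side by side. The following is an added example, not the minio code from the PR: a tiny object-client interface, the buggy shape that returns `(nil, nil)` on a read failure, and the corrected shape. `OpenBuggy`, `OpenFixed`, `FakeClient` and `convertErr` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectClient stands in for the minio client: a stat followed by a read.
type ObjectClient interface {
	StatObject(key string) error
	GetObject(key string) ([]byte, error)
}

// convertErr plays the role of convertMinioErr: map a backend error to
// the application's error type. nil in, nil out.
func convertErr(err error) error {
	if err == nil {
		return nil
	}
	return fmt.Errorf("storage: %w", err)
}

// OpenBuggy has the shape of the bug: the error of the most recent call is
// bound to a different name, and the earlier, already-nil `err` is what
// gets converted. A GetObject failure therefore returns (nil, nil), and the
// caller dereferences nil data later.
func OpenBuggy(c ObjectClient, key string) ([]byte, error) {
	err := c.StatObject(key)
	if err != nil {
		return nil, convertErr(err)
	}
	data, getErr := c.GetObject(key)
	if getErr != nil {
		return nil, convertErr(err) // BUG: converts the stale err, not getErr
	}
	return data, nil
}

// OpenFixed converts the error of the operation that actually failed.
func OpenFixed(c ObjectClient, key string) ([]byte, error) {
	if err := c.StatObject(key); err != nil {
		return nil, convertErr(err)
	}
	data, err := c.GetObject(key)
	if err != nil {
		return nil, convertErr(err)
	}
	return data, nil
}

// ErrBackend and FakeClient are constructed for the example: stat
// succeeds for known keys, and reads can be made to fail.
var ErrBackend = errors.New("object read failed")

type FakeClient struct {
	Objects   map[string][]byte
	ReadFails bool
}

func (f FakeClient) StatObject(key string) error {
	if _, ok := f.Objects[key]; !ok {
		return errors.New("not found")
	}
	return nil
}

func (f FakeClient) GetObject(key string) ([]byte, error) {
	if f.ReadFails {
		return nil, ErrBackend
	}
	return f.Objects[key], nil
}
```

Neither `go vet` nor the compiler objects to the buggy version, because both variables are used; a test that exercises the read-failure path is what catches it.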
CaiCandong [Sat, 19 Aug 2023 10:21:45 +0000 (18:21 +0800)]
Fix project filter bugs (#26490) (#26558)
Backport #26490
related: #26012
1. missing project filter on the issue page.
https://github.com/go-gitea/gitea/blob/1e76a824bcd71acd59cdfb2c4547806bc34b3d86/modules/indexer/issues/dboptions.go#L11-L15
2. incorrect SQL condition: some issue does not belong to a project but
exists on the project_issue table.
KN4CK3R [Wed, 16 Aug 2023 06:01:20 +0000 (08:01 +0200)]
Fix NuGet search endpoints (#25613) (#26499)
Backport of #25613
Fixes #25564
Fixes #23191
- Api v2 search endpoint should return only the latest version matching
the query
- Api v3 search endpoint should return `take` packages not package
versions
Giteabot [Tue, 15 Aug 2023 13:34:08 +0000 (21:34 +0800)]
Use `hidden` over `clip` for text truncation (#26520) (#26522)
Backport #26520 by @silverwind
Avoid browser bugs:
- Firefox not cutting off -
https://github.com/go-gitea/gitea/pull/26354#issuecomment-1678456052
- Safari not showing ellipsis -
https://github.com/go-gitea/gitea/pull/26354#issuecomment-1678812801
Giteabot [Sat, 12 Aug 2023 09:00:51 +0000 (17:00 +0800)]
Check first if minio bucket exists before trying to create it (#26420) (#26465)
Backport #26420 by @lunny
For some reason, the permissions of the client_id and secret may not allow
creating a bucket, so now we will check whether the bucket exists first and
then try to create a bucket if it doesn't exist.