wxiaoguang [Thu, 22 Jun 2023 16:27:18 +0000 (00:27 +0800)]
Refactor path & config system (#25330) (#25416)
Backport #25330
# The problem
There were many "path tricks":
* By default, Gitea uses its program directory as its work path
* Gitea tries to use the "work path" to guess its "custom path" and
"custom conf (app.ini)"
* Users might want to use other directories as work path
* The non-default work path should be passed to Gitea by GITEA_WORK_DIR
or "--work-path"
* But some Gitea processes are started without these values
* The "serv" process started by OpenSSH server
* The CLI sub-commands started by site admin
* The paths are guessed by SetCustomPathAndConf again and again
* The default values of "work path / custom path / custom conf" can be
changed when compiling
# The solution
* Use `InitWorkPathAndCommonConfig` to handle these path tricks, and use
test code to cover its behaviors.
* When Gitea's web server runs, write the WORK_PATH to "app.ini", this
value must be the most correct one, because if this value is not right,
users would find that the web UI doesn't work and then they should be
able to fix it.
* Then all other sub-commands can use the WORK_PATH in app.ini to
initialize their paths.
* By the way, when Gitea starts for git protocol, it shouldn't output
any log, otherwise the git protocol gets broken and client blocks
forever.
The "work path" priority is: WORK_PATH in app.ini > cmd arg --work-path
> env var GITEA_WORK_DIR > builtin default
The "app.ini" searching order is: cmd arg --config > cmd arg "work path
/ custom path" > env var "work path / custom path" > builtin default
## ⚠️ BREAKING
If your instance's "work path / custom path / custom conf" doesn't meet
the requirements (eg: work path must be absolute), Gitea will report a
fatal error and exit. You need to set these values according to the
error log.
Giteabot [Thu, 22 Jun 2023 15:01:42 +0000 (11:01 -0400)]
Fix `Permission` in API returned repository struct (#25388) (#25441)
Backport #25388 by @wolfogre
The old code generates `structs.Repository.Permissions` with only
`access.Permission.AccessMode`, however, it should check the units too,
or the value could be incorrect. For example,
`structs.Repository.Permissions.Push` could be false even the doer has
write access to code unit.
Should fix
https://github.com/renovatebot/renovate/issues/14059#issuecomment-1047961128
(Not reported by it, I just found it when I was looking into this bug)
Giteabot [Thu, 22 Jun 2023 10:19:38 +0000 (06:19 -0400)]
Various UI fixes (#25264) (#25431)
Backport #25264 by @silverwind
Numerous small UI fixes:
- Fix double border in collaborator list
- Fix system notice table background
- Mute links in repo and org lists
- Downsize projects edit buttons
- Improve milestones and project list rendering
- Condense milestone list entry to a single line of "metas"
- Mute ".." button in repo files list
<img width="899" alt="Screenshot 2023-06-14 at 21 19 23"
src="https://github.com/go-gitea/gitea/assets/115237/40d70006-5f76-49ad-b43c-4343ec3311e1">
<img width="905" alt="Screenshot 2023-06-14 at 21 18 29"
src="https://github.com/go-gitea/gitea/assets/115237/46ef39ea-ab26-452d-89b0-a55d0cfacfdb">
<img width="270" alt="Screenshot 2023-06-14 at 21 14 09"
src="https://github.com/go-gitea/gitea/assets/115237/aa16e833-a03b-4231-bc7c-159a6a6bee19">
<img width="409" alt="Screenshot 2023-06-14 at 21 12 13"
src="https://github.com/go-gitea/gitea/assets/115237/b5242d41-f87a-4837-b0cf-9cc4c1f43daf">
<img width="286" alt="Screenshot 2023-06-14 at 21 10 03"
src="https://github.com/go-gitea/gitea/assets/115237/d0c36e47-651b-4d34-ad95-3d59474a7c3e">
<img width="928" alt="Screenshot 2023-06-14 at 21 05 24"
src="https://github.com/go-gitea/gitea/assets/115237/fc3b713e-d252-40f5-b6ba-6e5a741ab500">
<img width="217" alt="Screenshot 2023-06-14 at 21 02 01"
src="https://github.com/go-gitea/gitea/assets/115237/c4c33376-18d6-4820-aff5-f508f6d351a0">
<img width="79" alt="Screenshot 2023-06-14 at 20 42 43"
src="https://github.com/go-gitea/gitea/assets/115237/034b5950-c0bf-473b-a2f7-0c27a0259f29">
<img width="607" alt="Screenshot 2023-06-14 at 21 00 42"
src="https://github.com/go-gitea/gitea/assets/115237/fba2d3fd-bd3e-4daf-8b2f-530a1c99c8bc">
sebastian-sauer [Thu, 22 Jun 2023 08:34:42 +0000 (10:34 +0200)]
Show outdated comments in files changed tab (#24936) (#25428)
Backport #24936
If enabled show a clickable label in the comment. A click on the label
opens the Conversation tab with the comment focussed - there you're able
to view the old diff (or original diff the comment was created on).
Giteabot [Wed, 21 Jun 2023 04:51:26 +0000 (00:51 -0400)]
Avoid polluting config file when "save" (#25395) (#25406)
Backport #25395 by @wxiaoguang
That's a longstanding INI package problem: the "MustXxx" calls change
the option values, and the following "Save" will save a lot of garbage
options into the user's config file.
Ideally we should refactor the INI package to a clear solution, but it's
a huge work.
A clear workaround is what this PR does: when "Save", load a clear INI
instance and save it.
Partially fix #25377, the "install" page needs more fine tunes.
Giteabot [Tue, 20 Jun 2023 06:52:38 +0000 (02:52 -0400)]
Use Actions git context instead of dynamically created buildkit one (#25381) (#25383)
Backport #25381 by @techknowlogick
The [docker/build-push-action@v2
action](https://github.com/docker/build-push-action) by default ignores
the checkout created using the actions/checkout@v2 action. When you pass
a git build context to docker build, it wouldn't include the .git
directory.
By passing `context: .` to the build step then it'll use the Actions git
context which includes the git fetch from the earlier step.
silverwind [Tue, 20 Jun 2023 05:38:52 +0000 (07:38 +0200)]
Update JS dependencies, remove space after emoji completion (#25266) (#25352)
Manual backport of #25266 because of lockfile conflicts.
- Update all JS dependencies
- Enable stylint
[`media-feature-name-value-no-unknown`](https://stylelint.io/user-guide/rules/media-feature-name-value-no-unknown)
- Make use of new features in webpack and text-expander-element
- Tested Swagger and Mermaid
To explain the `text-expander-element` change: Before this version, the
element added a unavoidable space after emoji completion. Now that
https://github.com/github/text-expander-element/pull/36 is in, we gain
control over this space and I opted to remove it for emoji completion
and retain it for `@` mentions.
Username Attribute is not a required item when creating an
authentication source. If Username Attribute is empty, the username
value of LDAP user cannot be read, so all users from LDAP will be marked
as inactive by mistake when synchronizing external users.
This PR improves the sync logic, if username is empty, the email address
will be used to find user.
Giteabot [Mon, 19 Jun 2023 17:43:22 +0000 (13:43 -0400)]
fix issue filters on mobile view (#25368) (#25371)
Backport #25368 by @denyskon
Fix #24846 applying the solution proposed by @silverwind
<details>
<summary>Screenshots</summary>
![Bildschirmfoto vom 2023-06-19
12-20-54](https://github.com/go-gitea/gitea/assets/47871822/3f4e4536-38c4-451b-bfc0-a7c39acd37f0)
![Bildschirmfoto vom 2023-06-19
12-21-02](https://github.com/go-gitea/gitea/assets/47871822/3403ecc2-4d7f-4acd-b0c0-1b7a10228ff7)
![Bildschirmfoto vom 2023-06-19
12-21-16](https://github.com/go-gitea/gitea/assets/47871822/ef28a2bf-b7cc-4aec-b54b-99d2cc46a1f6)
![Bildschirmfoto vom 2023-06-19
12-21-21](https://github.com/go-gitea/gitea/assets/47871822/f8cd72a5-379e-410b-b0ef-d58895719370)
![Bildschirmfoto vom 2023-06-19
12-21-28](https://github.com/go-gitea/gitea/assets/47871822/34c78301-820c-4106-a086-ae81dc97eb91)
![Bildschirmfoto vom 2023-06-19
12-21-48](https://github.com/go-gitea/gitea/assets/47871822/b677adf1-3a48-42c8-befe-fa9d2679f0a3)
</details>
Giteabot [Sun, 18 Jun 2023 15:48:06 +0000 (11:48 -0400)]
Add Exoscale to installation on cloud provider docs (#25342) (#25346)
Backport #25342 by @pmig
We created a Gitea application for the [Exoscale
Marketplace](https://www.exoscale.com/marketplace/listing/glasskube-gitea/)
for easier installation on the European cloud provider.
The installation is managed via the [Glasskube Kubernetes
Operator](https://github.com/glasskube/operator).
Signed-off-by: Philip Miglinci <pmig@glasskube.eu> Co-authored-by: Philip Miglinci <p.miglinci@gmail.com>
Giteabot [Sun, 18 Jun 2023 15:07:46 +0000 (11:07 -0400)]
Write absolute AppDataPath to app.ini when installing (#25331) (#25347)
Backport #25331 by @wxiaoguang
If the APP_DATA_PATH isn't written into the config when installing, then
its value is uncertain because some Gitea command doesn't run with
correct WorkPath.
This is a quick fix for #25330 and can be backported.
Giteabot [Sun, 18 Jun 2023 13:02:41 +0000 (09:02 -0400)]
Fix UI on mobile view (#25315) (#25340)
Backport #25315 by @denyskon
Various fixes to pages or elements which were looking ugly on mobile.
<details>
<summary>Screenshots</summary>
![Bildschirmfoto vom 2023-06-17
20-38-41](https://github.com/go-gitea/gitea/assets/47871822/30b5d3ce-df3b-43eb-a4c2-c3790667fb9d)
![Bildschirmfoto vom 2023-06-17
20-39-27](https://github.com/go-gitea/gitea/assets/47871822/27c07b25-3602-4fb2-b34d-d5e875e054e9)
![Bildschirmfoto vom 2023-06-17
20-41-27](https://github.com/go-gitea/gitea/assets/47871822/dacdbb4e-e3dd-4b94-abf0-c68e3d64bd3b)
![Bildschirmfoto vom 2023-06-17
20-41-48](https://github.com/go-gitea/gitea/assets/47871822/72432c35-7c4a-4c7f-a767-3562f26a5c14)
![Bildschirmfoto vom 2023-06-17
20-42-37](https://github.com/go-gitea/gitea/assets/47871822/737c26ed-1910-4467-98ef-e8769bbbe6f0)
![Bildschirmfoto vom 2023-06-17
20-42-52](https://github.com/go-gitea/gitea/assets/47871822/1813b4bc-43c0-4912-8acb-5d799c090bf3)
![Bildschirmfoto vom 2023-06-17
20-43-06](https://github.com/go-gitea/gitea/assets/47871822/136466e8-34e5-419d-97ec-5202ff819fd2)
![Bildschirmfoto vom 2023-06-17
20-43-42](https://github.com/go-gitea/gitea/assets/47871822/59270bb2-d661-4a84-8504-3e50f771f767)
![Bildschirmfoto vom 2023-06-17
20-44-44](https://github.com/go-gitea/gitea/assets/47871822/494e274d-3771-4141-9419-0a4bbd8b7f64)
Giteabot [Fri, 16 Jun 2023 00:32:59 +0000 (20:32 -0400)]
Fix some UI alignments (#25277) (#25290)
Backport #25277 by @wxiaoguang
Fixes: https://github.com/go-gitea/gitea/issues/25282
Fix the problems:
1. The `repo-button-row` had various patches before, this PR makes it
consistent
2. The "Add File" has wrong CSS class "icon", remove it
3. The "Add File" padding was overridden by "!important", fix it by
`.repo-button-row .button.dropdown` with comment
4. The selector `.ui.segments ~ .ui.top.attached.header` is incorrect,
it should use `+`
Giteabot [Wed, 14 Jun 2023 06:36:52 +0000 (02:36 -0400)]
Fix all possible setting error related storages and added some tests (#23911) (#25244)
Backport #23911 by @lunny
Follow up #22405
Fix #20703
This PR rewrites storage configuration read sequences with some breaks
and tests. It becomes more strict than before and also fixed some
inherit problems.
- Move storage's MinioConfig struct into setting, so after the
configuration loading, the values will be stored into the struct but not
still on some section.
- All storages configurations should be stored on one section,
configuration items cannot be overrided by multiple sections. The
prioioty of configuration is `[attachment]` > `[storage.attachments]` |
`[storage.customized]` > `[storage]` > `default`
- For extra override configuration items, currently are `SERVE_DIRECT`,
`MINIO_BASE_PATH`, `MINIO_BUCKET`, which could be configured in another
section. The prioioty of the override configuration is `[attachment]` >
`[storage.attachments]` > `default`.
- Add more tests for storages configurations.
- Update the storage documentations.
It causes not only one issue like #25221 (the footer width was also
affected by that change and was fixed some time ago)
The problem of "overflow: overlay" (#21850) is:
* It's not widely supported and is non-standard
https://caniuse.com/css-overflow-overlay
* It's not widely tested in Gitea (some standard layout like `ui
container + ui grid` may break it).
* The benefit seems smaller than the problems it brings.
So, I think it is good to revert it.
----
Let's leave enough time for testing and reviewing.
Giteabot [Tue, 13 Jun 2023 12:42:25 +0000 (08:42 -0400)]
Change access token UI to select dropdowns (#25109) (#25230)
Backport #25109 by @jtran
The current UI to create API access tokens uses checkboxes that have a
complicated relationship where some need to be checked and/or disabled
in certain states. It also requires that a user interact with it to
understand what their options really are.
This branch changes to use `<select>`s. It better fits the available
options, and it's closer to [GitHub's
UI](https://github.com/settings/personal-access-tokens/new), which is
good, in my opinion. It's more mobile friendly since the tap-areas are
larger. If we ever add more permissions, like Maintainer, there's a
natural place that doesn't take up more screen real-estate.
This branch also fixes a few minor issues:
- Hide the error about selecting at least one permission after second
submission
- Fix help description to call it "authorization" since that's what
permissions are about (not authentication)
Related: #24767.
<img width="883" alt="Screenshot 2023-06-07 at 5 07 34 PM"
src="https://github.com/go-gitea/gitea/assets/10803/6b63d807-c9be-4a4b-8e53-ecab6cbb8f76">
---
When it's open:
<img width="881" alt="Screenshot 2023-06-07 at 5 07 59 PM"
src="https://github.com/go-gitea/gitea/assets/10803/2432c6d0-39c2-4ca4-820e-c878ffdbfb69">
Giteabot [Tue, 13 Jun 2023 12:04:40 +0000 (08:04 -0400)]
Use inline SVG for built-in OAuth providers (#25171) (#25234)
Backport #25171 by @silverwind
The plan is that all built-in auth providers use inline SVG for more
flexibility in styling and to get the GitHub icon to follow
`currentcolor`. This only removes the `public/img/auth` directory and
adds the missing svgs to our svg build.
It should map the built-in providers to these SVGs and render them. If
the user has set a Icon URL, it should render that as an `img` tag
instead.
Giteabot [Tue, 13 Jun 2023 08:23:21 +0000 (04:23 -0400)]
Fix task list checkbox toggle to work with YAML front matter (#25184) (#25227)
Backport #25184 by @jtran
Fixes #25160.
`data-source-position` of checkboxes in a task list was incorrect
whenever there was YAML front matter. This would result in issue content
or PR descriptions getting corrupted with random `x` or space characters
when a user checked or unchecked a task.
Giteabot [Mon, 12 Jun 2023 16:16:04 +0000 (12:16 -0400)]
Remove hacky patch for "safari emoji glitch fix" (#25208) (#25211)
Backport #25208 by @wxiaoguang
According to my test, the UI (emoji) is fine in Safari
And actually the code is just dead code, because the "resize" event is
never fired on page loading. So for most cases users just view the pages
without this hacky patch, nobody ever complains.
Giteabot [Mon, 12 Jun 2023 09:08:09 +0000 (05:08 -0400)]
Add `WithPullRequest` for `actionsNotifier` (#25144) (#25197)
Backport #25144 by @Zettat123
Fix #25093
If
[`WithPullRequest`](https://github.com/go-gitea/gitea/blob/679b1f7949aa40d4f962ef27f91b0b384b9c56a5/services/actions/notifier_helper.go#L90-L96)
is not called, the `Ref` in
[`notifyInput`](https://github.com/go-gitea/gitea/blob/679b1f7949aa40d4f962ef27f91b0b384b9c56a5/services/actions/notifier_helper.go#L55-L65)
will be empty, so the workflows in the head branch will not be found and
triggered.
silverwind [Sun, 11 Jun 2023 02:13:08 +0000 (04:13 +0200)]
Button and color enhancements (#24989) (#25176)
Backport #24989. Clean cherry-pick aside from one small conflict with
divider.
- Various corrections to button styles, especially secondary
- Remove focus highlight, it's annoying when it stays on button after
press
- Clearly define ghost and link buttons with demos in devtest
- Remove black, grey and tertiary buttons, they should not be used
- Make `arc-green` slightly darker
Giteabot [Sun, 11 Jun 2023 01:50:39 +0000 (21:50 -0400)]
Fix mobile navbar and misc cleanups (#25134) (#25169)
Backport #25134 by @silverwind
- Fix and improve mobile navbar layout
- Apply all cleanups suggested in
https://github.com/go-gitea/gitea/pull/25111
- Make media query breakpoints match Fomantic's exactly
- Clean up whitespace in class on navbar items
Mobile navbar before and after:
<img width="745" alt="Screenshot 2023-06-08 at 08 40 56"
src="https://github.com/go-gitea/gitea/assets/115237/ca84b239-b10f-41db-8c06-dcf2b6dd9d28">
<img width="739" alt="Screenshot 2023-06-08 at 08 41 23"
src="https://github.com/go-gitea/gitea/assets/115237/09133c54-eb7e-4110-858c-ead23c3b7521">
Giteabot [Fri, 9 Jun 2023 10:59:18 +0000 (06:59 -0400)]
Modify OAuth login ui and fix display name, iconurl related logic (#25030) (#25161)
Backport #25030 by @HesterG
Close #24808
Co-Authour @wxiaoguang @silverwind
1. Most svgs are found from https://worldvectorlogo.com/ , and some are
from conversion of png to svg. (facebook and nextcloud). And also
changed `templates/user/settings/security/accountlinks.tmpl`.
2. Fixed display name and iconurl related logic
# After
<img width="1436" alt="Screen Shot 2023-06-05 at 14 09 05"
src="https://github.com/go-gitea/gitea/assets/17645053/a5db39d8-1ab0-4676-82a4-fba60a1d1f84">
On mobile
<img width="378" alt="Screen Shot 2023-06-05 at 14 09 46"
src="https://github.com/go-gitea/gitea/assets/17645053/71d0f51b-baac-4f48-8ca2-ae0e013bd62e">
user/settings/security/accountlinks (The dropdown might be improved
later)
<img width="973" alt="Screen Shot 2023-06-01 at 10 01 44"
src="https://github.com/go-gitea/gitea/assets/17645053/27010e7e-2785-4fc5-8c49-b06621898f37">
Giteabot [Thu, 8 Jun 2023 16:03:42 +0000 (12:03 -0400)]
Fix open redirect check for more cases (#25143) (#25154)
Backport #25143 by @lafriks
If redirect_to parameter has set value starting with `\\example.com`
redirect will be created with header `Location: /\\example.com` that
will redirect to example.com domain.
Giteabot [Thu, 8 Jun 2023 11:22:32 +0000 (07:22 -0400)]
Remove incorrect element ID on "post-install" page (#25104) (#25129)
Backport #25104 by @wxiaoguang
That ID is a "copy&paste" error, it conflicts with the
`initRepoMigrationStatusChecker` logic, which is the right function for
a real `#repo_migrating` element. That wrong ID causes incorrect page
navigation after installation.
Giteabot [Thu, 8 Jun 2023 10:19:13 +0000 (06:19 -0400)]
Improve notification icon and navbar (#25111) (#25124)
Backport #25111 by @silverwind
Improvements to the notification icon and `<nav>`:
- Add a opaque color for header hover and use it, allowing the border to
be the right color on hover (sadly, not otherwise possible with CSS, not
even `color-mix`).
- Increase font size by 1px
- Use flexbox for slightly better text centering
- Reduce padding of user and add repo button, add margin on right side
of user menu
- Remove the `following bar` wrapper on navbar
<img width="176" alt="Screenshot 2023-06-07 at 00 07 08"
src="https://github.com/go-gitea/gitea/assets/115237/23cdc3d6-7f63-49df-bec3-f2e75e32a304">
<img width="63" alt="Screenshot 2023-06-07 at 00 07 14"
src="https://github.com/go-gitea/gitea/assets/115237/fae602c2-4467-4d50-b1ec-56317843f9a2">
<img width="84" alt="Screenshot 2023-06-07 at 00 07 36"
src="https://github.com/go-gitea/gitea/assets/115237/c48141b8-0b3c-48cc-846a-3a272524dbdb">
<img width="329" alt="Screenshot 2023-06-07 at 00 25 10"
src="https://github.com/go-gitea/gitea/assets/115237/cda612f1-426e-466b-a351-fc992bfd18fd">
<img width="186" alt="Screenshot 2023-06-07 at 00 35 45"
src="https://github.com/go-gitea/gitea/assets/115237/04484a2e-9bbf-493c-aa26-8e936da008fa">
<img width="797" alt="Screenshot 2023-06-07 at 16 57 40"
src="https://github.com/go-gitea/gitea/assets/115237/e7ccb672-5807-4cb6-b306-b18ae0c7e321">
Denys Konovalov [Wed, 7 Jun 2023 15:49:58 +0000 (17:49 +0200)]
fix swagger documentation for multiple files API endpoint (#25110)
Fixes some issues with the swagger documentation for the new multiple
files API endpoint (#24887) which were overlooked when submitting the
original PR:
1. add some missing parameter descriptions
2. set correct `required` option for required parameters
3. change endpoint description to match it full functionality (every
kind of file modification is supported, not just creating and updating)
wxiaoguang [Wed, 7 Jun 2023 11:20:18 +0000 (19:20 +0800)]
Fix webauthn regression and improve code (#25113)
Follow:
* #22697
There are some bugs in #22697:
* https://github.com/go-gitea/gitea/pull/22697#issuecomment-1577957966
* the webauthn failure message is never shown and causes console error
* The `document.getElementById('register-button')` and
`document.getElementById('login-button')` is wrong
* there is no such element in code
* it causes JS error when a browser doesn't provide webauthn
* the end user can't see the real error message
These bugs are fixed in this PR.
Other changes:
* Use simple HTML/CSS layouts, no need to use too many `gt-` patches
* Make the webauthn page have correct "page-content" layout
* The "data-webauthn-error-msg" elements are only used to provide locale
texts, so move them into a single "gt-hidden", then no need to repeat a
lot of "gt-hidden" in code
* The `{{.CsrfTokenHtml}}` is a no-op because there is no form
* Many `hideElem('#webauthn-error')` in code is no-op because the
`webauthn-error` already has "gt-hidden" by default
* Make the tests for "URLEncodedBase64" really test with concrete cases.
Screenshots:
* Error message when webauthn fails (before, there is no error message):
HesterG [Wed, 7 Jun 2023 02:49:48 +0000 (10:49 +0800)]
Add details summary for vertical menus in settings to allow toggling (#25098)
Close #25051
[referenced
answer](https://stackoverflow.com/questions/10813581/can-i-replace-the-expand-icon-of-the-details-element/69722686#69722686)
for marker overwrite. One limitation is that fomantic does not have
hover and active effects for the vertical submenu
([reference](https://fomantic-ui.com/collections/menu.html#sub-menu)).
And we might need to overwrite some styles if hover and active effects
are needed.
Update:
Used `data:image/svg` instead of `marker` content. And adjusted styles
for hover effect.
silverwind [Tue, 6 Jun 2023 04:57:08 +0000 (06:57 +0200)]
Enable all webpack sourcemaps in dev build, disable all in prod build (#25089)
- Enable all source maps in dev build
- Disable all source maps in prod build
- Provide `ENABLE_SOURCEMAP` env var to override it.
I think the strange error seen in
https://github.com/go-gitea/gitea/issues/24784 is sourcemap related, so
if we enable/disable them all, it might go away. But it's most
definitely a Safari bug.
With all sourcemaps disabled, binary size goes down by around 1-2 MB,
with all enabled it goes up by around 12MB. If +12MB is acceptable, we
could also always enable them by default as fully source maps do have
some debugging benefits.
sillyguodong [Mon, 5 Jun 2023 14:12:55 +0000 (22:12 +0800)]
Introduce how to configure cache when starting a Runner with Docker (#25077)
If a user starts a runner using a Docker image without making additional
configurations, the [cache action](https://github.com/actions/cache)
will not work properly.
Therefore, add a section in the documentation that explains how to
configure the cache correctly.
Denys Konovalov [Mon, 5 Jun 2023 07:00:12 +0000 (09:00 +0200)]
Add ability to set multiple redirect URIs in OAuth application UI (#25072)
OAuth applications can already have multiple redirect URIs if
created/edited over API.
This change allows for setting multiple redirect URIs through the UI as
a comma-separated list (e. g.
`https://example.org/redirect,https://redirect.example.org`)
<details>
<summary>Screenshots</summary>
![Bildschirmfoto vom 2023-06-04
17-14-40](https://github.com/go-gitea/gitea/assets/47871822/2206dc32-e7e4-4953-9ecb-e098890b3f54)
![Bildschirmfoto vom 2023-06-04
17-14-50](https://github.com/go-gitea/gitea/assets/47871822/cd97c73c-9310-44ee-a83a-b927a1ef94da)
Jack Hay [Sun, 4 Jun 2023 18:57:16 +0000 (14:57 -0400)]
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
wxiaoguang [Sat, 3 Jun 2023 14:03:41 +0000 (22:03 +0800)]
Use a separate admin page to show global stats, remove `actions` stat (#25062)
Before, Gitea shows the database table stats on the `admin dashboard`
page.
It has some problems:
* `count(*)` is quite heavy. If tables have many records, this blocks
loading the admin page blocks for a long time
* Some users had even reported issues that they can't visit their admin
page because this page causes blocking or `50x error (reverse proxy
timeout)`
* The `actions` stat is not useful. The table is simply too large. Does
it really matter if it contains 1,000,000 rows or 9,999,999 rows?
* The translation `admin.dashboard.statistic_info` is difficult to
maintain.
So, this PR uses a separate page to show the stats and removes the
`actions` stat.
Denys Konovalov [Sat, 3 Jun 2023 03:59:28 +0000 (05:59 +0200)]
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.
It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.
As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.
Also add some docs for it, please check language as I'm not a native
English speaker.