zeripath [Tue, 22 Mar 2022 01:11:22 +0000 (01:11 +0000)]
Use IterateBufferSize whilst querying repositories during adoption check (#19140) (#19160)
Backport #19140
The adoption page checks directories to see if they are repositories by querying the
db on a per user basis. This can lead to problems if a user has a large number of
repositories or putative repositories.
This PR changes the buffering to check the db in IterateBufferSize batches instead.
Gusted [Sun, 20 Mar 2022 21:42:31 +0000 (21:42 +0000)]
Fix NPE /repos/issues/search when not signed in (#19154) (#19155)
- Backport #19154
- Don't panic when on `/repos/issues/search?{created,assigned,mentioned,review_requested}=true` when client didn't pass any authentication.
- Resolves #19115
zeripath [Sat, 19 Mar 2022 14:20:42 +0000 (14:20 +0000)]
Do not send activation email if manual confirm is set (#19119) (#19122)
Backport #19119
If the mailer is configured then even if Manual confirm is set an activation email
is still being sent because `handleUserCreated` is not checking for this case.
zeripath [Thu, 10 Mar 2022 21:13:55 +0000 (21:13 +0000)]
If rendering has failed due to a net.OpError stop rendering (attempt 2) (#19049) (#19056)
Backport #19049
Unfortunately #18642 does not work because a `*net.OpError` does not implement
the `Is` interface to make `errors.Is` work correctly - thus leading to the
irritating conclusion that a `*net.OpError` is not a `*net.OpError`.
Here we keep the `errors.Is` because presumably this will be fixed at
some point in the golang main source code but also we add a simple type
cast to also check.
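The `errors.Is` pitfall described above, as an added example that is not Gitea's own code: `isConnectionError` (an assumed name) pairs `errors.Is` with a type-based check the way the fix does, and the sample errors are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// isConnectionError reports whether err is, or wraps, a *net.OpError: the
// client connection is dead and further rendering would only error again.
//
// errors.Is alone misses it: *net.OpError has no Is method, so errors.Is
// falls back to == on the pointers and only matches the same allocation. A
// type-based check (errors.As, or a type assertion) is what actually fires.
func isConnectionError(err error) bool {
	if err == nil {
		return false
	}
	if errors.Is(err, &net.OpError{}) {
		return true // kept for the day a future Go release adds Is
	}
	var opErr *net.OpError
	return errors.As(err, &opErr)
}

// compare returns the verdict of errors.Is alone next to the combined check,
// so the difference is visible side by side.
func compare(err error) (isOnly, combined bool) {
	return errors.Is(err, &net.OpError{}), isConnectionError(err)
}

func main() {
	// Constructed sample errors: what net returns on a dead socket, the same
	// error wrapped by a caller, and an unrelated error for contrast.
	writeErr := &net.OpError{Op: "write", Net: "tcp", Err: errors.New("broken pipe")}
	samples := []error{
		writeErr,
		fmt.Errorf("render template: %w", writeErr),
		errors.New("template: syntax error"),
	}
	for _, err := range samples {
		isOnly, combined := compare(err)
		fmt.Printf("%-45q errors.Is=%-5v combined=%v\n", err.Error(), isOnly, combined)
	}
}
```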
6543 [Thu, 10 Mar 2022 08:15:35 +0000 (09:15 +0100)]
fix pam authorization (#19040) (#19047)
Backport #19040
The PAM module has previously only checked the results of the authentication module.
However, in normal PAM practice most users will expect account module authorization to also be checked. Without doing this check, in almost every configuration expired accounts and accounts with expired passwords will still be able to log in.
This is likely to represent a significant gotcha in most configurations and cause most users' configurations to be potentially insecure. Therefore we should add in the account authorization check.
## :warning: **BREAKING** :warning:
Users of the PAM module who rely on account modules not being checked will need to change their PAM configuration.
However, as it is likely that the vast majority of users of PAM will be expecting account authorization to be checked in addition to authentication we should make this breaking change to make the default behaviour correct for the majority.
---
I suggest we backport this despite the BREAKING nature because of the surprising nature of this.
Thanks to @ysf for bringing this to our attention.
zeripath [Mon, 28 Feb 2022 15:45:38 +0000 (15:45 +0000)]
Adjust error for already locked db and prevent level db lock on malformed connstr (#18923) (#18938)
Backport #18923
This PR adjusts the error returned when there is failure to lock the level db, and
permits connections to the same leveldb where there is a different connection string.
Fix redirect when using lowercase reponame (#18775) (#18902)
* Previously, `GET {username}/{reponame}/raw///file-path` (the middle two slashes are blank to get the default branch) when the repo name has uppercase letters, e.g., https://try.gitea.io/AbdulrhmnGhanem/CH330_Hardware, using a lowercase version of the name redirected to the correct URL
* In other words both
* `GET https://try.gitea.io/AbdulrhmnGhanem/CH330_Hardware/raw///images/back.png`
* `GET https://try.gitea.io/AbdulrhmnGhanem/ch330_hardware/raw///images/back.png`
were redirecting to `GET https://try.gitea.io/AbdulrhmnGhanem/CH330_Hardware/raw/branch/master/images/back.png`
This isn't the case after #17551. Specifically because of this [line](https://github.com/zeripath/gitea/blob/cbd5eecd148dfca5fcb1a3da469e491a84f6b32b/modules/context/repo.go#L860).
zeripath [Thu, 24 Feb 2022 01:22:46 +0000 (01:22 +0000)]
Update assignees check to include any writing team and change org sidebar (#18680) (#18873)
Backport #18680
Following the merging of #17811 teams can now have differing write and readonly permissions, however the assignee list will not include teams which have mixed perms.
Further the org sidebar is no longer helpful as it can't describe these mixed permissions situations.
Lunny Xiao [Tue, 22 Feb 2022 23:04:57 +0000 (07:04 +0800)]
Fix login with email for ldap users (#18800) (#18836)
`authenticator.Authenticate` has assumed the login name is not an email, but `username` may be an email. So when we find the user via email address, we should use `user.LoginName` instead of `username`, which is an email address.
singuliere [Thu, 17 Feb 2022 17:57:05 +0000 (18:57 +0100)]
remove redundant call to UpdateRepoStats during migration (#18591) (#18794)
There is no need to call UpdateRepoStats in the InsertIssues and
InsertPullRequests function. They are only called during migration by
the CreateIssues and CreateReviews methods of the gitea uploader.
The UpdateRepoStats function will be called by the Finish method of
the gitea uploader after all reviews and issues are inserted. Calling
it before is therefore redundant and the associated SQL requests are
not cheap.
The statistics tests done after inserting an issue or a pull request
are also removed. They predate the implementation of UpdateRepoStats,
back when the calculation of the statistics was an integral part of
the migration function. The UpdateRepoStats is now tested
independently and these tests are no longer necessary.
silverwind [Wed, 16 Feb 2022 09:26:53 +0000 (10:26 +0100)]
Various Mermaid improvements (#18776) (#18780)
* Various Mermaid improvements
- Render into iframe for improved security
- Use built-in dark theme instead of color inversion
- Remove flexbox attributes, resulting in more consistent size rendering
- Update API usage and update to latest version
* restart ci
* misc tweaks
* remove unnecessary declaration
* make it work without allow-same-origin, add loading=lazy
* remove loading attribute, does not seem to work
* rename variable
* skip roundtrip to DOM for rendering
* don't guess chart height
* update comment to make it clear it's intentional
zeripath [Mon, 14 Feb 2022 21:08:49 +0000 (21:08 +0000)]
Increase the size of the webauthn_credential credential_id field (#18739) (#18756)
* Increase the size of the webauthn_credential credential_id field (#18739)
Backport #18739
Unfortunately credentialIDs in u2f are 255 bytes long which with base32 encoding
becomes 408 bytes. The default size of a xorm string field is only a VARCHAR(255)
This problem is not apparent on SQLite because strings get mapped to TEXT there.
Fix #18727
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Ignore the migrate if u2f_registration does not exist (#18760)
zeripath [Mon, 14 Feb 2022 13:13:41 +0000 (13:13 +0000)]
Send mail to issue/pr assignee/reviewer also when OnMention is set (#18707) (#18765)
Backport #18707
Addresses #17892, where email notifications are not sent to assignees (issue and PR) and reviewers (PR) when they have the email setting Only email on mention enabled.
From the user experience perspective, when a user gets an issue/PR assigned or a PR review request, he/she would expect to be implicitly mentioned since the assignment or request is personal and targeting a single person only. Thus I see #17892 as a bug. Could we therefore mark this ticket as such?
The changed code just explicitly checks for the EmailNotificationsOnMention setting beside the existing EmailNotificationsEnabled check. Too rude?
@lunny mentioned a mock mail server for tests, is there something ready. How could I make use of it?
silverwind [Sat, 12 Feb 2022 10:43:08 +0000 (11:43 +0100)]
Reduce CI go module downloads, add make targets (#18708, #18475, #18443) (#18741)
Backport #18708
Backport #18475
Backport #18443
The CI currently downloads all go modules in each pipeline step because go modules reside outside the project directory. Fix this by introducing a volume for the `/go` directory [1] so modules are only downloaded once per pipeline using a new `deps-backend` make target.
For completeness, I also included new `deps` and `deps-frontend` targets and the frontend one is also triggered explicitly on CI where needed.
* Also backports #18475 and #18443 so that it was able to merge cleanly. Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
wxiaoguang [Fri, 11 Feb 2022 16:23:41 +0000 (00:23 +0800)]
Update object repo with the migrated repository (#18684) (#18726)
When migrating a repository (from GitHub) using the API (**POST** `repos/migrate`), the Code Indexer is not updated. Searching in the user interface will not return any results.
When migrating the same repository using **+/New Migration** in the web interface, the search index is updated and searching works as expected.
Caused by the fact that object `repo` is never updated with the migrated repo so `setting.Indexer.RepoIndexerEnabled && !repo.IsEmpty` in `modules/notification/indexer/indexer.go:NotifyMigrateRepository` always evaluates to `false`.
Tested with gitea:1.16.1, MariaDB:10, Breve in `Run Mode: Dev`.
Co-authored-by: Hugo Hoitink <10838836+hoitih@users.noreply.github.com>
zeripath [Thu, 10 Feb 2022 15:17:44 +0000 (15:17 +0000)]
Prevent security failure due to bad APP_ID (#18678) (#18682)
Backport #18678
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.
Also we should allow [u2f] as well as [U2F] sections.
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
zeripath [Thu, 10 Feb 2022 11:37:53 +0000 (11:37 +0000)]
Fix issue with docker-rootless shimming script (#18690) (#18699)
Backport #18690
There is a problem with the current shimming script in that it will double quote the
provided GITEA_APP_INI due to a mistake in the bash. Here we change this to use a bash array.
zeripath [Tue, 8 Feb 2022 21:28:21 +0000 (21:28 +0000)]
Restart zero worker if there is still work to do (#18658) (#18672)
* Restart zero worker if there is still work to do (#18658)
Backport #18658
It is possible for the zero worker to timeout before all the work is finished.
This may mean that work may take a long time to complete because a worker will only
be induced on repushing.
Also ensure that requested count is reset after pulls and push mirror sync requests and add some more trace logging to the queue push.
Fix #18607
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update modules/queue/workerpool.go
zeripath [Mon, 7 Feb 2022 01:25:05 +0000 (01:25 +0000)]
If rendering has failed due to a net.OpError stop rendering (#18642) (#18645)
Backport #18642
When a net.OpError occurs during rendering the underlying connection is essentially
dead and therefore attempting to render further data will only cause further errors.
Therefore in serverErrorInternal detect if the passed in error is an OpError and
if so do not attempt any further rendering.