zeripath [Mon, 22 Nov 2021 22:32:16 +0000 (22:32 +0000)]
More pleasantly handle broken or missing git repositories (#17747)
* More pleasantly handle broken or missing git repositories
In #17742 it was noted that there was a completely invalid git repository underlying a
repo on gitea.com. This happened due to a problem during a migration; however, it
is not beyond the realms of possibility that a corruption could occur to another
user.
This PR adds a check to RepoAssignment that will detect if a repository loading has
failed due to an absent git repository. It will then show a page suggesting the user
contacts the administrator or deletes the repository.
Fix #17742
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update options/locale/locale_en-US.ini
Gusted [Mon, 22 Nov 2021 13:05:29 +0000 (13:05 +0000)]
Make `bind` error more readable (#17750)
- Add the related fieldNames into the response JSON, such that the developer can figure out what's going on.
- Related:
https://github.com/go-gitea/gitea/issues/17126#issuecomment-937848295
Jimmy Praet [Mon, 22 Nov 2021 12:20:16 +0000 (13:20 +0100)]
Improvements to content history (#17746)
* Improvements to content history
* initialize content history when making an edit to an old item created before the introduction of content history
* show edit history for code comments on pull request files tab
* Fix a flaw in keepLimitedContentHistory
Fix a flaw in keepLimitedContentHistory, the first and the last should never be deleted
* Remove obsolete eager initialization of content history
wxiaoguang [Mon, 22 Nov 2021 11:40:17 +0000 (19:40 +0800)]
Fix project board bug and improve documents (#17753)
* the project board was broken; this PR fixes it and refactors the code, and we prevent the uncategorized column from being dragged.
* improve the frontend guideline (as discussed in https://github.com/go-gitea/gitea/pull/17699)
silverwind [Mon, 22 Nov 2021 08:19:01 +0000 (09:19 +0100)]
Add new JS linter rules (#17699)
* Add new JS linter rules
Adds a few useful rules from eslint-plugin-github. Notable changes:
- Forbid dataset usage, its camel-casing behaviour makes it hard to
grep for attributes.
- Forbid .then() and .catch(), we should generally prefer await for new
code. For rare cases where they are useful, an eslint-disable-line
directive can be set.
- Add docs js to linting
* also enable github/array-foreach
* small tweak
Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
zeripath [Sun, 21 Nov 2021 16:51:08 +0000 (16:51 +0000)]
Allow Loading of Diffs that are too large (#17739)
* Allow Loading of Diffs that are too large
This PR allows the loading of diffs that are suppressed because the file
is too large. It does not handle diffs of files which have lines which
are too long.
zeripath [Sat, 20 Nov 2021 13:50:00 +0000 (13:50 +0000)]
Enable show more files in diff for git <2.31 (#17733)
Unfortunately due to a misread on my behalf I missed that git diff only learned
--skip-to in version 2.31.0. Thus this functionality was not working on older versions
of git.
This PR adds a handler that simply allows for us to skip reading the diffs until
we find the correct file to skip to.
zeripath [Sat, 20 Nov 2021 12:12:59 +0000 (12:12 +0000)]
Make a.add-code-comment click handler an event handler (#17737)
Instead of directly attaching the add-code-comment on click handler to
the a.add-code-comment elements - make this an event handler on the
document instead.
wxiaoguang [Fri, 19 Nov 2021 17:10:41 +0000 (01:10 +0800)]
Better builtin avatar generator (#17707)
This PR fixes the builtin avatar generator.
1. The random background color makes some images very dirty. So now we only use white background for avatars.
2. We use left-right mirror avatars to satisfy #14799
3. Fix a small padding error in the algorithm
zeripath [Fri, 19 Nov 2021 15:35:20 +0000 (15:35 +0000)]
Add settings to allow different SMTP envelope from address (#17479)
* Add settings to allow different SMTP envelope from address
Sometimes it may be advisable to hide or alias the from address on an SMTP mail
envelope. This PR adds two new options to the mailer to allow setting of an overriding
from address.
Allow Token API calls be authorized using the reverse-proxy header (#15119)
* API calls authorized with HTTP header
This mod allows API calls to be authorized with HTTP header
when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled. Without
it, a user authenticated by the reverse proxy is able to access
the gitea UI but not the API, which is inconsistent.
KN4CK3R [Fri, 19 Nov 2021 10:46:47 +0000 (11:46 +0100)]
Prevent double sanitize (#16386)
* Prevent double sanitize.
* Use SanitizeReaderToWriter.
At the moment `actualRender` uses `SanitizeReader` to sanitize the output. But `SanitizeReader` gets called in `markup.render` too so the output gets sanitized twice.
I moved the `SanitizeReader` call into `RenderRaw` because this method does not use `markup.render`. I would like to remove the `RenderRaw`/`RenderRawString` methods too because they are only called from tests, the fuzzer and the `/markup/raw` api endpoint. This endpoint is not in use so I think we could remove them. If we really in the future need a method to render markdown without PostProcessing we could achieve this with a more flexible `renderer.NeedPostProcess` method.
Gusted [Fri, 19 Nov 2021 02:28:27 +0000 (02:28 +0000)]
perf: send `data-path` once for each file (#17657)
- Don't send it with each line, instead send it at the top-element for each file.
- Related:
https://github.com/go-gitea/gitea/pull/17618#issuecomment-968192761
wxiaoguang [Thu, 18 Nov 2021 16:45:00 +0000 (00:45 +0800)]
Refactor repo-legacy.js, remove messy global variables. Fix errors. (#17646)
Refactor repo-legacy.js, remove messy global variables. Fix errors.
Fix an error in Sortable
Fix an incorrect call to assignMenuAttributes from the template
Gusted [Thu, 18 Nov 2021 14:45:56 +0000 (14:45 +0000)]
Add pagination to fork list (#17639)
- Resolves #14574
- Adds the necessary code to have pagination working in the forks list of
a repo. The code is mostly on par with the stars/watcher implementation.
Gusted [Thu, 18 Nov 2021 13:25:56 +0000 (13:25 +0000)]
Fix possible panic (#17694)
- The code will get the first and second character `link[{0,1}]`.
However in a rare case the `link` could have 1 character and thus the
`link[1]` will create a panic.
Gusted [Wed, 17 Nov 2021 18:08:25 +0000 (18:08 +0000)]
Sanitize user-input on file name (#17666)
* Sanitize user-input on file name
- Sanitize user-input before it gets passed into the DOM.
- Prevent things like "<iframe onload=alert(1)></iframe>" from being
executed. This isn't an XSS attack as the server seems to be sanitizing
the path as well.
Gusted [Wed, 17 Nov 2021 05:41:01 +0000 (05:41 +0000)]
Update golangci-lint in Makefile (#17647)
* Update golangci-lint in Makefile
- Partially resolves #17596
- Download specific version (v1.43.0) by default.
- If current installed version is older than the minimum version, it will
download the minimum required version.
- Update the install script to avoid deprecated error
`golangci/golangci-lint err this script is deprecated, please do not use
it anymore. check https://github.com/goreleaser/godownloader/issues/207`
zeripath [Tue, 16 Nov 2021 18:18:25 +0000 (18:18 +0000)]
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
This is an extensive PR attempting to fix these issues.
1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future.
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales
Signed-off-by: Andrew Thornton <art27@cantab.net>
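The layering described in item 6 of the commit message above, as an added example that is not code from the Gitea repository: each path segment and query value is URL-escaped on its own, and the finished URL is HTML-escaped again when it is placed in markup. The helper names `naiveWikiLink`, `wikiLink` and `anchor` are hypothetical, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
)

// naiveWikiLink concatenates raw strings: '#', '?' and '/' inside a name
// change how the URL is parsed. (Hypothetical helper, shown for contrast.)
func naiveWikiLink(owner, repo, page, query string) string {
	return "/" + owner + "/" + repo + "/wiki/" + page + "?q=" + query
}

// wikiLink escapes each path segment and the query value separately.
// (Hypothetical helper, not a Gitea function.)
func wikiLink(owner, repo, page, query string) string {
	return "/" + url.PathEscape(owner) + "/" + url.PathEscape(repo) +
		"/wiki/" + url.PathEscape(page) + "?q=" + url.QueryEscape(query)
}

// anchor embeds an already URL-escaped link in HTML. URL escaping leaves
// characters such as '&' alone, so the HTML layer needs its own escaping.
func anchor(href, label string) string {
	return `<a href="` + html.EscapeString(href) + `">` +
		html.EscapeString(label) + `</a>`
}

func main() {
	// Constructed sample values.
	owner, repo, page, query := "alice", "r&d", "docs/setup#1", "a&b=c"

	for _, link := range []string{
		naiveWikiLink(owner, repo, page, query),
		wikiLink(owner, repo, page, query),
	} {
		u, err := url.Parse(link)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%s\n  path=%q q=%q fragment=%q\n",
			link, u.Path, u.Query().Get("q"), u.Fragment)
	}
	fmt.Println(anchor(wikiLink(owner, repo, page, query), page))
}
```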
wxiaoguang [Tue, 16 Nov 2021 02:21:13 +0000 (10:21 +0800)]
Fix database deadlock when update issue labels (#17649)
This fix updates issue labels one by one, and won't cause database deadlock.
In future, we can use a batch API to update all changed labels by one request.
Gusted [Mon, 15 Nov 2021 06:02:53 +0000 (06:02 +0000)]
Remove unnecessary calls to `filepath.Join` (#17608)
- Partially resolves #17596
- Resolves `badCall` errors from go-critic `badCall: suspicious Join on
1 argument`
- When only 1 argument is passed into `filepath.Join`, it won't do
anything special other than `filepath.Clean(...)` will be applied over
it.
zeripath [Sat, 13 Nov 2021 11:28:50 +0000 (11:28 +0000)]
Correctly handle failed migrations (#17575)
* Correctly handle failed migrations
There is a bug in handling failed migrations whereby the migration task gets decoupled
from the migration repository. This leads to a failure of the task to get deleted with
the repository and also leads to the migration failed page resulting in an ISE.
This PR removes the zeroing out of the task id from the migration but also makes
the migration handler tolerate missing tasks much nicer.