Commit message | Author | Age | Files | Lines
* Fix token generation when using INTERNAL_TOKEN_URI (#21669) | wxiaoguang | 2022-11-03 | 2 | -6/+20
  Fix https://github.com/go-gitea/gitea/issues/21666

  Caused by https://github.com/go-gitea/gitea/pull/19663

  Before: when install, the INTERNAL_TOKEN was always generated and saved. But the internal token may be already there by INTERNAL_TOKEN_URI

  After: INTERNAL_TOKEN_URI file must be non-empty. When install, skip internal token generation if the token exists.
* Clean up formatting on install page (#21668) | zeripath | 2022-11-03 | 2 | -31/+52
  The install page has been somewhat inconsistently styled for a while. This PR simplifies and standardises the styling of these fields and makes things line up better across widths.

  Replace #21660

  Signed-off-by: Andrew Thornton <art27@cantab.net>

  Old: ![Screenshot from 2022-11-02 23-07-05](https://user-images.githubusercontent.com/1824502/199619007-4a6b66c5-e19c-4d29-b71b-9aa73f2789ca.png)

  New: ![Screenshot from 2022-11-02 23-04-28](https://user-images.githubusercontent.com/1824502/199618779-370f88e7-b590-4abd-afb9-b66cc3194a5d.png)

  Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add Webhook authorization header (#20926) | oliverpool | 2022-11-03 | 25 | -263/+671
  _This is a different approach to #20267, I took the liberty of adapting some parts, see below_

  ## Context

  In some cases, a webhook endpoint requires some kind of authentication. The usual way is by sending a static `Authorization` header, with a given token. For instance:

  - Matrix expects a `Bearer <token>` (already implemented, by storing the header cleartext in the metadata - which is buggy on retry #19872)
  - TeamCity #18667
  - Gitea instances #20267
  - SourceHut https://man.sr.ht/graphql.md#authentication-strategies (this is my actual personal need :)

  ## Proposed solution

  Add a dedicated encrypt column to the webhook table (instead of storing it as meta as proposed in #20267), so that it gets available for all present and future hook types (especially the custom ones #19307).

  This would also solve the buggy matrix retry #19872.

  As a first step, I would recommend focusing on the backend logic and improve the frontend at a later stage. For now the UI is a simple `Authorization` field (which could be later customized with `Bearer` and `Basic` switches):

  ![2022-08-23-142911](https://user-images.githubusercontent.com/3864879/186162483-5b721504-eef5-4932-812e-eb96a68494cc.png)

  The header name is hard-coded, since I couldn't find any use case justifying otherwise.

  ## Questions

  - What do you think of this approach? @justusbunsi @Gusted @silverwind
  - ~~How are the migrations generated? Do I have to manually create a new file, or is there a command for that?~~
  - ~~I started adding it to the API: should I complete it or should I drop it? (I don't know how much the API is actually used)~~

  ## Done as well:

  - add a migration for the existing matrix webhooks and remove the `Authorization` logic there

  _Closes #19872_

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: Gusted <williamzijl7@hotmail.com>
  Co-authored-by: delvh <dev.lh@web.de>
* feat: notify doers of a merge when automerging (#21553) | kolaente | 2022-11-03 | 18 | -27/+87
  I found myself wondering whether a PR I scheduled for automerge was actually merged. It was, but I didn't receive a mail notification for it - that makes sense considering I am the doer and usually don't want to receive such notifications. But ideally I want to receive a notification when a PR was merged because I scheduled it for automerge.

  This PR implements exactly that.

  The implementation works, but I wonder if there's a way to avoid passing the "This PR was automerged" state down so much. I tried solving this via the database (checking if there's an automerge scheduled for this PR when sending the notification) but that did not work reliably, probably because sending the notification happens async and the entry might have already been deleted. My implementation might be the most straightforward but maybe not the most elegant.

  Signed-off-by: Andrew Thornton <art27@cantab.net>
  Co-authored-by: Lauris BH <lauris@nix.lv>
  Co-authored-by: Andrew Thornton <art27@cantab.net>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Remove deprecated DSA host key from Docker Container (#21522) | Xinyu Zhou | 2022-11-03 | 2 | -12/+0
  Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm, and recommend against its use.

  http://www.openssh.com/legacy.html

  ## :warning: BREAKING :warning:

  This patch will remove DSA host key from OpenSSH daemon configuration file.

  Signed-off-by: baronbunny <its@baronbunny.cn>
  Co-authored-by: 6543 <6543@obermui.de>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Alter package_version.metadata_json to LONGTEXT (#21667) | KN4CK3R | 2022-11-03 | 3 | -1/+29
* Handle branch name with prefix in GitHub migration (#20357) | Chongyi Zheng | 2022-11-03 | 1 | -1/+6
  GitHub allows releases with target commitish `refs/heads/BRANCH`, which then causes issues in Gitea after migration. This fix handles cases that a branch already has a prefix.

  Fixes #20317

  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* [skip ci] Updated translations via Crowdin | Lunny Xiao | 2022-11-03 | 3 | -0/+19
* Split migrations folder (#21549) | Lunny Xiao | 2022-11-02 | 190 | -1481/+1711
  There are too many files in `models/migrations` folder so that I split them into sub folders.
* [skip ci] Updated translations via Crowdin | Gusted | 2022-11-02 | 1 | -1/+1
* Configure update checker on installation page (#21655) | Gusted | 2022-11-01 | 4 | -0/+11
  - I recently became aware that this was enabled by default, I don't necessarily agree with that and this should rather be configured by the user (this patch does that on the installation page) as it connects to a homeserver, which I'd prefer to avoid on my instance.

  ![image](https://user-images.githubusercontent.com/25481501/199260613-a77a1b10-347a-4542-8982-9b9b24dad28c.png)
* Fix repository adoption on Windows (#21646) | zeripath | 2022-10-31 | 2 | -9/+10
  A bug was introduced in #17865 where filepath.Join is used to join putative unadopted repository owner and names together. This is incorrect as these names are then used as repository names - which should have the '/' separator. This means that adoption will not work on Windows servers.

  Fix #21632

  Signed-off-by: Andrew Thornton <art27@cantab.net>
* Refactor docs (#21627) | Xinyu Zhou | 2022-10-31 | 16 | -175/+7
  This patch:

  - Rename some files (`.md` to `.en-us.md`), fix missed translation copy
  - Update link which should refer to `../hacking-on-gitea/` instead of `../make/` (outdated)
  - Update `_redirects`:
    - redirect `/{zh-cn|fr-fr}/make/` to `../hacking-on-gitea/`
    - redirect `/zh-cn/third-party-tools/` to `/zh-cn/integrations/`
  - Delete duplicated/outdated files.
  - Update menu `weight` of developers.zh-cn.md

  Signed-off-by: Xinyu Zhou <i@sourcehut.net>
* Update "email usage" page to current ver. (1.18) (#21649) | melkor0 | 2022-10-31 | 1 | -2/+4
  In version 1.18 the naming scheme for smtp has been changed, HOST has been split in SMTP_ADDR and SMTP_PORT (https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer).
* Fix opaque background on mermaid diagrams (#21642) | silverwind | 2022-10-31 | 2 | -0/+2
  Browsers introduce an opaque background on iframes if the iframe element's color-scheme does not match the document's color scheme which in case of a dark theme results in a mismatch and the browser adds a white background. Avoid this by specifying the same color scheme outside and inside the iframe.

  See https://fvsch.com/transparent-iframes for more info.

  My initial attempt was to make the iframe document the same color-scheme as the parent page (light or dark) but with that, there was an ugly background flash on load in Chrome because Chrome apparently always loads iframe in light scheme initially. Firefox still shows a background flash on load but this is not possible to get rid of and it's certainly a browser bug.

  Before:
  <img width="1147" alt="Screen Shot 2022-10-31 at 13 30 55" src="https://user-images.githubusercontent.com/115237/199017132-9828aace-bdd0-4ede-8118-359e72bcf2fe.png">

  After:
  <img width="1152" alt="Screen Shot 2022-10-31 at 13 30 36" src="https://user-images.githubusercontent.com/115237/199017137-989a9e67-3fe0-445f-a191-df5bf290dabf.png">
* Merge db.Iterate and IterateObjects (#21641) | Lunny Xiao | 2022-10-31 | 12 | -51/+77
  These two functions are similar, merge them.
* Deal with markdown template without metadata (#21639) | Jason Song | 2022-10-31 | 2 | -10/+24
  Fixed #21636.

  Related to #20987.

  A markdown template without metadata should not be treated as an invalid template.

  And this PR fixed another bug that non-template files (neither .md nor .yaml) are treated as yaml files.

  <img width="504" alt="image" src="https://user-images.githubusercontent.com/9418365/198968668-40082fa1-4f25-4d3e-9b73-1dbf6d1a7521.png">
* [skip ci] Updated translations via Crowdin | KN4CK3R | 2022-10-31 | 2 | -2/+17
* [skip ci] Updated licenses and gitignores | KN4CK3R | 2022-10-30 | 2 | -0/+20
* Keep languages defined in .gitattributes (#21403) | KN4CK3R | 2022-10-29 | 2 | -19/+51
  Fixes #21377

  This marks all "defined" languages in the `.gitattributes` file so they are not removed if they are not of type `programming` or `markup`.

  ![grafik](https://user-images.githubusercontent.com/1666336/194942021-1e641b60-bb8a-49c6-9a1c-413e7c4ba17d.png)

  Co-authored-by: zeripath <art27@cantab.net>
  Co-authored-by: Lauris BH <lauris@nix.lv>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* [skip ci] Updated translations via Crowdin | Jason Song | 2022-10-29 | 1 | -0/+1
* Sync git hooks when config file path changed (#21619) | Jason Song | 2022-10-28 | 2 | -4/+15
  A patch to #17335.

  Just like AppPath, Gitea writes its own CustomConf into git hook scripts too. If Gitea's CustomConf changes, then the git push may fail.

  Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Allow disable sitemap (#21617) | Xinyu Zhou | 2022-10-28 | 4 | -4/+15
  This patch provides a mechanism to disable [sitemap](https://github.com/go-gitea/gitea/pull/18407).

  Signed-off-by: Xinyu Zhou <i@sourcehut.net>
  Co-authored-by: 6543 <6543@obermui.de>
* fix: PR status layout on mobile (#21547) | kolaente | 2022-10-28 | 2 | -8/+48
  This PR fixes the layout of PR status layouts on mobile. For longer status context names or on very small screens the text would overflow and push the "Details" and "Required" badges out of the container.

  Before:
  ![Screen Shot 2022-10-22 at 12 27 46](https://user-images.githubusercontent.com/13721712/197335454-e4decf09-4778-43e8-be88-9188fabbec23.png)

  After:
  ![Screen Shot 2022-10-22 at 12 53 24](https://user-images.githubusercontent.com/13721712/197335449-2c731a6c-7fd6-4b97-be0e-704a99fd3d32.png)

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Make rss/atom identifier globally unique (#21550) | Yarden Shoham | 2022-10-28 | 1 | -1/+1
  This field should be globally unique. [RSS reference](https://www.rssboard.org/rss-specification#ltguidgtSubelementOfLtitemgt).

  ### Before

  ```xml
  <item>
    <title>abc opened issue &lt;a href=&#34;https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg/issues/1&#34;&gt;abc/defg#1&lt;/a&gt;</title>
    <link>https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg/issues/1</link>
    <description>1#Colors</description>
    <content:encoded><![CDATA[<p><code>#FF0000<span class="color-preview" style="background-color: #FF0000"></span></code></p>
  ]]></content:encoded>
    <author>abc</author>
    <guid>2</guid>
    <pubDate>Mon, 17 Oct 2022 16:06:08 +0000</pubDate>
  </item>
  <item>
    <title>abc created repository &lt;a href=&#34;https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg&#34;&gt;abc/defg&lt;/a&gt;</title>
    <link>https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg</link>
    <description></description>
    <author>abc</author>
    <guid>1</guid>
    <pubDate>Mon, 17 Oct 2022 16:05:43 +0000</pubDate>
  </item>
  ```

  ### After

  ```xml
  <item>
    <title>abc opened issue &lt;a href=&#34;https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg/issues/1&#34;&gt;abc/defg#1&lt;/a&gt;</title>
    <link>https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg/issues/1</link>
    <description>1#Colors</description>
    <content:encoded><![CDATA[<p><code>#FF0000<span class="color-preview" style="background-color: #FF0000"></span></code></p>
  ]]></content:encoded>
    <author>abc</author>
    <guid>2: https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg/issues/1</guid>
    <pubDate>Mon, 17 Oct 2022 16:06:08 +0000</pubDate>
  </item>
  <item>
    <title>abc created repository &lt;a href=&#34;https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg&#34;&gt;abc/defg&lt;/a&gt;</title>
    <link>https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg</link>
    <description></description>
    <author>abc</author>
    <guid>1: https://3000-yardenshoham-gitea-3pzuhkduf6t.ws-eu72.gitpod.io/abc/defg</guid>
    <pubDate>Mon, 17 Oct 2022 16:05:43 +0000</pubDate>
  </item>
  ```

  * Fixes #21542

  Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
  Co-authored-by: Lauris BH <lauris@nix.lv>
* Fix UI column width, button overflow Fomantic's grid (#21559) | Xinyu Zhou | 2022-10-28 | 1 | -1/+1
  resolved #21310

  Before:
  ![](https://user-images.githubusercontent.com/76462613/197395358-78698f7f-776a-4ed1-954e-e6c09a648f2b.png)

  After:
  ![](https://user-images.githubusercontent.com/76462613/197395356-63289761-a0d4-47a7-a103-a6e6f4ad2eed.png)

  Signed-off-by: baronbunny <its@baronbunny.cn>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Localize time units on activity heatmap (#21570) | Yarden Shoham | 2022-10-28 | 4 | -7/+51
  Previously, the months and days were hardcoded into English

  * Closes #15541

  ## Screenshots

  ### English
  ![image](https://user-images.githubusercontent.com/20454870/197410352-1b28a637-ce19-41ae-b4e5-27955555b082.png)

  ### German
  ![image](https://user-images.githubusercontent.com/20454870/197410455-f243ca84-807f-476e-b8ed-c24e827bfc2d.png)

  ### Spanish
  ![image](https://user-images.githubusercontent.com/20454870/197410366-55202ca5-08f9-4152-8f9d-d5eeebd532ef.png)

  ### Italian
  ![image](https://user-images.githubusercontent.com/20454870/197410385-75f754dd-e845-4444-8a04-472a8f45b617.png)

  ### Portuguese
  This one has a bit of overflow
  ![image](https://user-images.githubusercontent.com/20454870/197410414-b91f962e-77e9-4cc7-990b-01c0fc0cbd0b.png)

  Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
  Co-authored-by: Gusted <williamzijl7@hotmail.com>
  Co-authored-by: silverwind <me@silverwind.io>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Use right syntax for symbolic-ref command (#21577) | Clar Fon | 2022-10-28 | 1 | -1/+1
  Follow-up to #21352: when testing this out, I found out that the syntax for the `symbolic-ref` command was different than originally assumed in that PR. Never got around to submitting a PR until now.

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Update JS dependencies and misc tweaks (#21583) | silverwind | 2022-10-28 | 19 | -827/+867
  - Update all JS dependencies to latest version
  - Disable two redundant eslint rules
  - Adapt stylelint config to codebase
  - Regenerate SVGs
  - Make file editor spinner "reserve" height so page does not shift
  - Tested katex, swagger, monaco

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: 6543 <6543@obermui.de>
* Add index for hook_task table (#21545) | Lunny Xiao | 2022-10-28 | 3 | -7/+28
  Since `hook_id` and `uuid` will become a search condition column. It's better to add some index for them.
* Revert: auto generate INTERNAL_TOKEN (#21608) | wxiaoguang | 2022-10-28 | 1 | -0/+19
  Follow #19663

  Some users do cluster deployment, they still depend on this auto-generating behavior.

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Use CSS color-scheme instead of invert (#21616) | silverwind | 2022-10-28 | 2 | -3/+3
  The [`color-scheme`](https://developer.mozilla.org/en-US/docs/Web/CSS/color-scheme) property changes the base color of certain form elements like the datepicker icon in Chrome. Set it and remove the previous invert hack.

  Before with invert removed:
  <img width="840" alt="Screen Shot 2022-10-27 at 11 42 54" src="https://user-images.githubusercontent.com/115237/198251927-b742e14e-0c62-492c-b667-ee6c69de4ad8.png">
  <img width="238" alt="Screen Shot 2022-10-27 at 12 23 28" src="https://user-images.githubusercontent.com/115237/198260413-37c1ca85-c2de-4c09-8b37-6aa8a23ab575.png">

  After:
  <img width="841" alt="Screen Shot 2022-10-27 at 11 43 05" src="https://user-images.githubusercontent.com/115237/198251934-568fa291-0d18-4cd4-adec-58ae1ad90ab2.png">
  <img width="839" alt="Screen Shot 2022-10-27 at 11 44 36" src="https://user-images.githubusercontent.com/115237/198251936-a435105e-572b-41f6-8262-a53820f1d364.png">
  <img width="243" alt="Screen Shot 2022-10-27 at 12 23 42" src="https://user-images.githubusercontent.com/115237/198260432-5eaffc82-ffb8-4559-b1c2-08a39e8f4427.png">

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* [skip ci] Updated translations via Crowdin | mpeter50 | 2022-10-28 | 1 | -0/+26
* Improve documentation (#21612) | mpeter50 | 2022-10-27 | 1 | -2/+2
  Fix file reference at the FLAGS line at the Log subsections heading, improve COLORIZE line wording.

  The FLAGS line referenced a file that doesn't exist in the repository as of now. The COLORIZE line's wording implied that it would unconditionally colorize the log by default.

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* [skip ci] Updated translations via Crowdin | qwerty287 | 2022-10-27 | 1 | -0/+14
* Fix 500 on PR files API (#21602) | qwerty287 | 2022-10-26 | 1 | -1/+5
  Fixes a 500 error/panic if using the changed PR files API with pages that should return empty lists because there are no items anymore. `start-end` is then < 0 which ends in panic.

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: 6543 <6543@obermui.de>
  Co-authored-by: delvh <dev.lh@web.de>
* Fix `Timestamp.IsZero` (#21593) | KN4CK3R | 2022-10-26 | 1 | -1/+1
  Our implementation of `IsZero` can't work. An "empty" timestamp (= 0) calls `time.Unix(int64(ts), 0).IsZero()` which is always `false`. Only `time.Time{}.IsZero()` is `true`.

  We call this method ~~only at one place~~ and there the value (`UpdatedUnix`) should be always != 0 so this PR may not have consequences.

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* [skip ci] Updated translations via Crowdin [v1.19.0-dev] | techknowlogick | 2022-10-26 | 25 | -73/+1
* Revert "Do not send notifications for draft releases (#21451)" (#21594) [v1.18.0-rc0] | techknowlogick | 2022-10-26 | 1 | -8/+7
  This reverts commit a37e8b275d19c0daf160cc540d981ec4f3025a5a / #21451

  Temporarily revert this PR to be able to continue discussion, and potentially get it into 1.19.0
* Change `commits-table` column width (#21564) | KN4CK3R | 2022-10-25 | 1 | -3/+3
  Fixes #21561

  Before
  ![image](https://user-images.githubusercontent.com/20903656/197388658-0ea1d941-8bc7-4f10-b5db-4ece8602b13a.png)

  After
  ![image](https://user-images.githubusercontent.com/20903656/197388665-78fb8421-105d-408d-84cf-a86b1cc61e2e.png)
* Fix issues count bug (#21557) | Lunny Xiao | 2022-10-25 | 4 | -45/+27
  fix #19349 , #19505

  Co-authored-by: delvh <dev.lh@web.de>
* Improve code comment review on mobile (#21461) | Gusted | 2022-10-25 | 7 | -17/+44
  - Fix placement of avatar image, this was not placed in the `comment-header-left` and add CSS to cover the limiting of width+height of avatar for code-review comment on "Files changed" page. This fixes the big noticeable avatar issue.
  - Apply `margin-bottom` to the "next" button, so it's consistent with the "previous" button.
  - Make sure the "next"/"previous" start at `flex-start` on mobile and not off-screen at `flex-end`. As well force them to have `flex: 1` so they won't overflow on x-axis. This also requires the `width: 100%` for the `.ui.buttons` div.
  - Resolves #20074

  ### Before
  <details><img width="512" src="https://user-images.githubusercontent.com/25481501/195952930-09560cad-419f-43a3-a8a4-a4166c117994.jpg"></details>

  ### After
  <details><img width="512" src="https://user-images.githubusercontent.com/25481501/197340081-0365dfa8-4344-46b4-8702-a40c778c073f.jpg"></details>

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: silverwind <me@silverwind.io>
* Consolidate remaining colors into variables (#21582) | silverwind | 2022-10-25 | 3 | -121/+370
  Remove remaining non-color variables in arc-green, so the theme is now 100% defined from variables (excluding inverts). Adjusted red/green to match previous overwritten colors.

  `--color-gold-light` is removed, it was unused and is not part of fomantic colors.

  <img width="772" alt="Screen Shot 2022-10-24 at 20 22 25" src="https://user-images.githubusercontent.com/115237/197599339-1d1bf6e3-aa90-4f38-9753-24effd4b178d.png">
  <img width="275" alt="Screen Shot 2022-10-24 at 20 25 52" src="https://user-images.githubusercontent.com/115237/197599344-79c1d3ac-c709-4e30-a60b-4738af672c12.png">
  <img width="446" alt="Screen Shot 2022-10-24 at 20 26 46" src="https://user-images.githubusercontent.com/115237/197599346-f2ef6449-7efd-4f81-bbb6-e7bee4528f50.png">

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* [skip ci] Updated translations via Crowdin | Yarden Shoham | 2022-10-25 | 29 | -0/+78
* Add sqlite vscode extension to Gitpod configuration (#21552) | Yarden Shoham | 2022-10-24 | 1 | -0/+1
  It allows for quick database inspections in the IDE.

  ![image](https://user-images.githubusercontent.com/20454870/197355299-222f5027-aba8-4fe2-b1d4-fff93d5ccb3c.png)

  Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
* Replace all instances of fmt.Errorf(%v) with fmt.Errorf(%w) (#21551) | delvh | 2022-10-24 | 207 | -857/+857
  Found using `find . -type f -name '*.go' -print -exec vim {} -c ':%s/fmt\.Errorf(\(.*\)%v\(.*\)err/fmt.Errorf(\1%w\2err/g' -c ':wq' \;`

  Co-authored-by: 6543 <6543@obermui.de>
  Co-authored-by: Andrew Thornton <art27@cantab.net>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix package access for admins and inactive users (#21580) | KN4CK3R | 2022-10-24 | 4 | -3/+34
  I noticed an admin is not allowed to upload packages for other users because `ctx.IsSigned` was not set. I added a check for `user.IsActive` and `user.ProhibitLogin` too because both were not checked. Tests enforce this now.

  Co-authored-by: Lauris BH <lauris@nix.lv>
* Allow for resolution of NPM registry paths that match upstream (#21568) | Wayne Starr | 2022-10-24 | 3 | -1/+52
  This PR fixes issue #21567 allowing for package tarball URLs to match the upstream registry (and GitLab/JFrog Artifactory URLs). It uses a regex to parse the filename (which contains the NPM version) and does a fuzzy search to pull it out. The regex was built/expanded from http://json.schemastore.org/package, https://github.com/Masterminds/semver, and https://docs.npmjs.com/cli/v6/using-npm/semver and is testable here: https://regex101.com/r/OydBJq/5

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Added missing headers on user packages page (#21172) | Vladimir Yakovlev | 2022-10-24 | 1 | -0/+16
  User packages page had missing tabs.

  ![packages-2](https://user-images.githubusercontent.com/183965/190411160-c8138a8c-dbc4-4cf1-af2c-52497a10cee8.png)
  ![packages-1](https://user-images.githubusercontent.com/183965/190411155-af2cb398-c9a0-4fcc-adcd-1711aaa28345.png)

  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: Lauris BH <lauris@nix.lv>
* Record OAuth client type at registration (#21316) | M Hickford | 2022-10-24 | 22 | -60/+226
  The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential.

  > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to
  > maintain the confidentiality of their client credentials):
  >
  > confidential
  > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with
  > restricted access to the client credentials), or capable of secure client authentication using other means.
  >
  > **public
  > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.**
  >
  > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type.

  https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

  > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly.

  Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1

  > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message

  Fixes #21299

  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>