aboutsummaryrefslogtreecommitdiffstats
path: root/custom
Commit message (Collapse)AuthorAgeFilesLines
* Add proxy settings and support for migration and webhook (#16704)Lunny Xiao2021-08-181-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | * Add proxy settings and support for migration and webhook * Fix default value * Add newline for example ini * Add lfs proxy support * Fix lint * Follow @zeripath's review * Fix git clone * Fix test * missgin http requests for proxy * use empty Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
* Add API Token Cache (#16547)zeripath2021-08-171-0/+4
| | | | | | | | | | | | | | | | | One of the issues holding back performance of the API is the problem of hashing. Whilst banning BASIC authentication with passwords will help, the API Token scheme still requires a PBKDF2 hash - which means that heavy API use (using Tokens) can still cause enormous numbers of hash computations. A slight solution to this whilst we consider moving to using JWT based tokens and/or a session orientated solution is to simply cache the successful tokens. This has some security issues but this should be balanced by the security issues of load from hashing. Related #14668 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Allow setting X-FRAME-OPTIONS (#16643)zeripath2021-08-061-0/+3
| | | | | | | | | | | | | | | * Allow setting X-FRAME-OPTIONS This PR provides a mechanism to set the X-FRAME-OPTIONS header. Fix #7951 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update docs/content/doc/advanced/config-cheat-sheet.en-us.md Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
* Make Mermaid.js limit configurable (#16519)zeripath2021-07-241-0/+9
| | | | | | | | | | | | | | | | | | | | | | | * Make Mermaid.js limit configurable Add `MERMAID_MAX_SOURCE_CHARACTERS` to `[markup]` settings to make the maximum size of a mermaid render configurable. Fix #16513 Signed-off-by: Andrew Thornton <art27@cantab.net> * fixup! Make Mermaid.js limit configurable * Update custom/conf/app.example.ini Co-authored-by: silverwind <me@silverwind.io> * Update docs/content/doc/advanced/config-cheat-sheet.en-us.md Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* add configuration option to restrict users by default (#16256)Richard Nienaber2021-07-151-0/+3
| | | | | | | | | | | | | | | | | | * add configuration option to restrict users by default * default IsRestricted permission only set on sign up setting this in the model messes with other workflows (e.g. syncing LDAP users) where the IsRestricted permission needs to be explicitly set and not overridden by a config value * fix formatting * Apply suggestions from code review * ensure newly created user is set to restricted * ensure imports are in the correct order Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Change @every 24h default schedules to @midnight (#16431)v1.16.0-devJimmy Praet2021-07-151-7/+7
|
* Add LRU mem cache implementation (#16226)zeripath2021-07-101-1/+2
| | | | | | | | | | | | | | The current default memory cache implementation is unbounded in size and number of objects cached. This is hardly ideal. This PR proposes creating a TwoQueue LRU cache as the underlying cache for Gitea. The cache is limited by the number of objects stored in the cache (rather than size) for simplicity. The default number of objects is 50000 - which is perhaps too small as most of our objects cached are going to be much less than 1kB. It may be worth considering using a different LRU implementation that actively limits sizes or avoids GC - however, this is just a beginning implementation. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Fix various documentation, user-facing, and source comment typos (#16367)luzpaz2021-07-081-1/+1
| | | | | * Fix various doc, user-facing, and source comment typos Found via `codespell -q 3 -S ./options/locale,./vendor -L ba,pullrequest,pullrequests,readby`
* Add forge emojies (#16296)65432021-07-021-1/+1
| | | | | | | * codeberg :codeberg: * gitlab :gitlab: * git :git: * github :github: * gogs :gogs:
* Update Go-Git to take advantage of LargeObjectThreshold (#16316)zeripath2021-06-301-0/+3
| | | | | | Following the merging of https://github.com/go-git/go-git/pull/330 we can now add a setting to avoid go-git reading and caching large objects. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add Vultr and DO Marketplace links (#16297)65432021-06-291-2/+2
| | | | | | | * fix emoji img path * move cloudron * Add Vultr and DO
* Add custom emoji support (#16004)65432021-06-291-3/+8
|
* Make allowed Visiblity modes configurable for Users (#16271)65432021-06-271-0/+3
| | | | | | | Now that #16069 is merged, some sites may wish to enforce that users are all public, limited or private, and/or disallow users from becoming private. This PR adds functionality and settings to constrain a user's ability to change their visibility. Co-authored-by: zeripath <art27@cantab.net>
* Add Visible modes function from Organisation to Users too (#16069)Sergey Dryabzhinsky2021-06-261-3/+9
| | | | | | | | | | | | | | | | | | You can limit or hide organisations. This pull make it also posible for users - new strings to translte - add checkbox to user profile form - add checkbox to admin user.edit form - filter explore page user search - filter api admin and public user searches - allow admins view "hidden" users - add app option DEFAULT_USER_VISIBILITY - rewrite many files to use Visibility field - check for teams intersection - fix context output - right fake 404 if not visible Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Andrew Thornton <art27@cantab.net>
* Added support for gopher URLs. (#14749)ayb2021-06-251-0/+2
| | | | | | | | | * Added support for gopher URLs. * Add setting and make this user settable instead Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
* Rework repository archive (#14723)Lunny Xiao2021-06-231-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use storage to store archive files * Fix backend lint * Add archiver table on database * Finish archive download * Fix test * Add database migrations * Add status for archiver * Fix lint * Add queue * Add doctor to check and delete old archives * Improve archive queue * Fix tests * improve archive storage * Delete repo archives * Add missing fixture * fix fixture * Fix fixture * Fix test * Fix archiver cleaning * Fix bug * Add docs for repository archive storage * remove repo-archive configuration * Fix test * Fix test * Fix lint Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Use data path instead of config path (#16227)KN4CK3R2021-06-231-1/+10
|
* Update documentation for Implicit TLS (#16220)zeripath2021-06-211-2/+2
| | | | | | | As per RFC 8314, it is now recommended to prefer TLS over STARTTLS. Fix #16160 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Clean-up the settings hierarchy for issue_indexer queue (#16001)zeripath2021-06-161-5/+5
| | | | | | | | | There are a couple of settings in `[indexer]` relating to the `issue_indexer` queue which override settings in unpredictable ways. This PR adjusts this hierarchy and makes explicit that these settings are deprecated. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Set self-adjusting deadline for connection writing (#16068)zeripath2021-06-111-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | | * Set self-adjusting deadline for connection writing In #16055 it appears that the simple 5s deadline doesn't work for large file writes. Now we can't - or at least shouldn't just set no deadline as go will happily let these connections block indefinitely. However, what seems reasonable is to set some minimum rate we expect for writing. This PR suggests the following algorithm: * Every write has a minimum timeout of 5s (adjustable at compile time.) * If there has been a previous write - then consider its previous deadline, add half of the minimum timeout + 2s per kb about to written. * If that new deadline is after the minimum timeout use that. Fix #16055 * Linearly increase timeout * Make PerWriteTimeout, PerWritePerKbTimeouts configurable Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
* Update queue workers for v1.15 (#15999)Kyle D2021-05-281-5/+5
| | | | | | | | | | | * Update queue workers for v1.15 * update app.example.ini * update re queue path Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
* add a new internal hook to save ssh log (#15787)a10121127962021-05-211-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | * add a new internal hook to save ssh log as title, when a ssh error ocure like #15785. only when switch ``RUN_MODE`` to dev can we found which error is ocure. But this way is not a good idea for production envirment. this changes try save ssh error mesage to the log file like other log by a new internal hook. I think it's usefull for find error message in production envirment. Thanks. Signed-off-by: a1012112796 <1012112796@qq.com> * rename and fix nit * Update modules/private/hook.go Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add mimetype mapping settings (#15133)Adam Szatyin2021-05-101-1/+9
| | | | | | | | | | | | | * Fix APK's Content-Type header * Fix case sensitive comparison * Add custom mime type mapping for downloadable files * Add documentation for MIME type mapping * Rename download.mimetype.mapping configuration to repository.mimetype_mapping Co-authored-by: zeripath <art27@cantab.net>
* add note about ``cron.SCHEDULE`` format in document (#15812)a10121127962021-05-101-0/+5
| | | | | | | | | | | | * add note about ``cron.SCHEDULE`` format in document Signed-off-by: a1012112796 <1012112796@qq.com> * Update custom/conf/app.example.ini Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Comment out app.example.ini (#15807)zeripath2021-05-091-1288/+2013
| | | | | | | | | | | | | | This PR is an alternative to #15559. Instead of deleting the app.example.ini - just comment out most of the thing. This makes it clear what needs to be set and what is completely optional - and keeps the documentation. The app.example.ini is moved around to move the most important settings higher in the document. Close #15559 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Allow only internal registration (#15795)65432021-05-091-0/+2
| | | | | * Add ALLOW_ONLY_INTERNAL_REGISTRATION into settings * OpenID respect setting too
* OAuth2 login: Set account link to "login" as default behavior (#15768)65432021-05-071-1/+1
|
* add cron job to delete old actions from database (#15688)a10121127962021-05-011-0/+8
| | | | | that's a way to save database storage space. Signed-off-by: a1012112796 <1012112796@qq.com>
* Disable Stars config option (#14653)Kyle D2021-04-151-0/+2
| | | | | | | * Add config option to disable stars * Replace "stars" with watched in user profile * Add documentation
* Fixed several typos. (#15470)KN4CK3R2021-04-141-9/+9
|
* OAuth2 auto-register (#5123)Martin Michaelis2021-04-141-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactored handleOAuth2SignIn in routers/user/auth.go The function handleOAuth2SignIn was called twice but some code path could only be reached by one of the invocations. Moved the unnecessary code path out of handleOAuth2SignIn. * Refactored user creation There was common code to create a user and display the correct error message. And after the creation the only user should be an admin and if enabled a confirmation email should be sent. This common code is now abstracted into two functions and a helper function to call both. * Added auto-register for OAuth2 users If enabled new OAuth2 users will be registered with their OAuth2 details. The UserID, Name and Email fields from the gothUser are used. Therefore the OpenID Connect provider needs additional scopes to return the coresponding claims. * Added error for missing fields in OAuth2 response * Linking and auto linking on oauth2 registration * Set default username source to nickname * Add automatic oauth2 scopes for github and google * Add hint to change the openid connect scopes if fields are missing * Extend info about auto linking security risk Co-authored-by: Viktor Kuzmin <kvaster@gmail.com> Signed-off-by: Martin Michaelis <code@mgjm.de>
* Fix typo in app.example.ini (#15287)Ikko Ashimine2021-04-051-1/+1
| | | | | seperated -> separated Co-authored-by: zeripath <art27@cantab.net>
* Update docs for bad ini syntax in noreply (#15226)Kyle D2021-03-311-4/+6
|
* Add Tabular Diff for CSV files (#14661)KN4CK3R2021-03-291-0/+4
| | | | | | | | | | | | | | | | | | | | | | | Implements request #14320 The rendering of CSV files does match the diff style. * Moved CSV logic into base package. * Added method to create a tabular diff. * Added CSV compare context. * Added CSV diff template. * Use new table style in CSV markup. * Added file size limit for CSV rendering. * Display CSV parser errors in diff. * Lazy read single file. * Lazy read rows for full diff. * Added unit tests for various CSV changes.
* Add reverse proxy configuration support for remote IP address (#14959)Lauris BH2021-03-161-0/+4
| | | | | | | | | * Add reverse proxy configuration support for remote IP address validation * Trust all IP addresses in containerized environments by default * Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Make internal SSH server host key path configurable (#14918)zeripath2021-03-081-0/+4
| | | | | | | | | | | * Make SSH server host key path configurable * make it possible to have multiple keys * Make gitea.rsa the default key * Add some more logging Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add SameSite setting for cookies (#14900)zeripath2021-03-071-0/+2
| | | | | | | | | Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Allow blocking some email domains from registering an account (#14667)Damien Goutte-Gattat2021-02-151-0/+2
| | | | | | | | | Gitea allows to whitelist email domains so that only email addresses from certain domains are allowed to register an account, but does not currently allows to do the opposite: blacklisting email domains so that addresses from certain domains are *forbidden* to register an account. The idea has been briefly mentioned in the discussion about issue #6350, but never implemented. This PR does that. The rationale is that, in my experience of running a Gitea instance, *a single email domain* is responsible for *most* of the spam accounts, and for *all* of the spam accounts that manage to get past the email confirmation step. So on top of the other spam mitigation measures already available (email confirmation, CAPTCHA, etc.), having the option to block a particularly annoying domain would be helpful. close #13628
* Turn default hash password algorightm back to pbkdf2 from argon2 until we ↵Lunny Xiao2021-02-131-1/+1
| | | | | | | found a better one (#14673) * Turn default hash password algorightm back to pbkdf2 from argon2 until we found a better one * Add a warning on document
* Added option to disable webhooks (#13176)Paweł Bogusławski2021-02-111-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Added option to disable web hooks This mod introduces DISABLE_WEB_HOOKS parameter in [security] section of app.ini (by default set to false). If set to true it disables web hooks feature. Any existing undelivered web hook tasks will be cancelled. Any existing web hook definitions will be left untouched in db but its delivery tasks will be ignored. Author-Change-Id: IB#1105130 * Webhook spelling fixed Webhook spelling fixed. Fixes: 07df6614dc84cdd2e9f39c57577fa1062bd70012 Related: https://github.com/go-gitea/gitea/pull/13176#pullrequestreview-510868421 Author-Change-Id: IB#1105174 * Parameter description fixed Parameter description fixed. Fixes: 07df6614dc84cdd2e9f39c57577fa1062bd70012 Related: https://github.com/go-gitea/gitea/pull/13176#pullrequestreview-514086107 Author-Change-Id: IB#1105174
* Update docs and comments to remove macaron (#14491)Lunny Xiao2021-01-291-2/+0
|
* Cron job to cleanup hook_task table (#13080)Brad Albright2021-01-261-0/+15
| | | | | | | | | Close **Prune hook_task Table (#10741)** Added a cron job to delete webhook deliveries in the hook_task table. It can be turned on/off and the schedule controlled globally via app.ini. The data can be deleted by either the age of the delivery which is the default or by deleting the all but the most recent deliveries _per webhook_. Note: I had previously submitted pr #11416 but I closed it when I realized that I had deleted per repository instead of per webhook. Also, I decided allowing the settings to be overridden via the ui was overkill. Also this version allows the deletion by age which is probably what most people would want.
* Enhance Ghost comment mitigation Settings (#14392)65432021-01-211-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | * refactor models.DeleteComment and delete related reactions too * use deleteComment for UserDeleteWithCommentsMaxDays in DeleteUser * nits * Use time.Duration as other time settings have * docs * Resolve Fixme & fix potential deadlock * Disabled by Default * Update Config Value Description * switch args * Update models/issue_comment.go Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
* Add pager to the branches page (#14202)Chester Liu2021-01-191-0/+4
| | | | | | | | | | | * Add pager to the branches page * override pageSize if bigger than max * Make branches commit range configurable Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
* Implement ghost comment mitigation (#14349)65432021-01-171-0/+3
| | | | | | | | | | | | | * Implement ghost comment mitigation Adds a config option USER_DELETE_WITH_COMMENTS_MAX_DAYS to the [service] section. See https://codeberg.org/Codeberg/Discussion/issues/24 for the underlying issue. * cleanup * use setting module correctly * add to docs Co-authored-by: Moritz Marquardt <git@momar.de>
* Use Request.URL.RequestURI() for fcgi (#14312) (#14314)Kyungmin Bae2021-01-131-1/+1
|
* Display SVG files as images instead of text (#14101)Jonathan Tran2021-01-121-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Change to display SVG files as images * Remove unsafe styles from SVG CSP * Add integration test to test SVG headers * Add config setting to disable SVG rendering * Add test for img tag when loading SVG image * Remove the Raw view button for svg files since we don't fully support this * Fix copyright year * Rename and move config setting * Add setting to cheat sheet in docs * Fix so that comment matches cheat sheet * Add allowing styles in CSP based on pull request feedback * Re-enable raw button since we show SVG styles now * Change so that SVG files are editable * Add UI to toggle between source and rendered image for SVGs * Change to show blame button for SVG images * Fix to update ctx data * Add test for DetectContentType when file is longer than sniffLen Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com>
* Update docs to clarify issues raised in #14272 (#14318)Nuno Silva2021-01-131-1/+8
| | | | | - example config is not supposed to be copied - 'persistable-channel' uses a leveldb internally - '*CONN_STR' overrides queue DIR
* Improve vfsgen to not unzip bindata files but send to browser directly (#7109)Lunny Xiao2020-12-241-1/+1
| | | | | | | | | | | | | | | * Don't unzip files from bindata but send to browser directly * remove dependent for httpgzip * Add tests for parseAcceptEncoding * Update docs for ENABLE_GZIP * Fix bug * Fix bug Co-authored-by: zeripath <art27@cantab.net>
* Added option to disable migrations (#13114)Paweł Bogusławski2020-12-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | * Added option to disable migrations This patch introduces DISABLE_MIGRATIONS parameter in [repository] section of app.ini (by default set to false). If set to true it blocks access to repository migration feature. This mod hides also local repo import option in user editor if local repo importing or migrations is disabled. * Alter Example config DISABLE_MIGRATIONS set to false in example config to match its default value. * HTTP error 403 instead of 500 on denied access to migration * Parameter DISABLE_MIGRATIONS exposed via API Fixes: 04b04cf854bcb3ed7659442bcf79822bdebe29e9 Author-Change-Id: IB#1105130