summaryrefslogtreecommitdiffstats
path: root/modules/setting
Commit message (Collapse)AuthorAgeFilesLines
* Fix panic when parsing empty pgsql host (#28708) (#28709)Giteabot2024-01-062-1/+5
| | | | | | | | Backport #28708 by wxiaoguang Regression of #27723 Fix #28705 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Avoid cycle-redirecting user/login page (#28636) (#28658)wxiaoguang2023-12-301-2/+1
| | | | | Backport #28636 Fix #28231, and remove some unused code.
* Refactor CORS handler (#28587) (#28611)wxiaoguang2023-12-251-3/+1
| | | | | | | | | | | | | Backport #28587, the only conflict is the test file. The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix #28515 Fix #27642 Fix #17098
* Add option to disable ambiguous unicode characters detection (#28454) (#28499)wxiaoguang2023-12-181-0/+5
| | | | | | | | Backport #28454 (the only conflict is caused by some comments) * Close #24483 * Close #28123 * Close #23682 * Close #23149
* Deprecate query string auth tokens (#28390) (#28430)Giteabot2023-12-121-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Backport #28390 by @jackHay22 ## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) Co-authored-by: Jack Hay <jack@allspice.io> Co-authored-by: delvh <dev.lh@web.de>
* Fix incorrect default value of `[attachment].MAX_SIZE` (#28373) (#28376)Giteabot2023-12-061-1/+1
| | | | | | | | | Backport #28373 by @capvor In the documents, the `[attachment] MAX_SIZE` default value should be 4. Reference the source code `modules/setting/attachment.go` line 29. Co-authored-by: capvor <capvor@sina.com>
* Use `filepath` instead of `path` to create SQLite3 database file (#28374) ↵Giteabot2023-12-061-2/+1
| | | | | | | (#28378) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Fix #28300
* Change default size of attachments and repo files (#28100) (#28106)Giteabot2023-11-172-2/+2
| | | | | | | | Backport #28100 by @lng2020 https://github.com/go-gitea/gitea/pull/27946 forgets to change them in code. Sorry about that. Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
* Fix incorrect pgsql conn builder behavior (#28085) (#28098)Giteabot2023-11-172-9/+11
| | | | | | | Backport #28085 by @wxiaoguang Fix #28083 and fix the tests Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* refactor postgres connection string building (#27723) (#27869)Giteabot2023-11-012-29/+44
| | | | | | | | | | | | Backport #27723 by @mpldr This patchset changes the connection string builder to use net.URL and the host/port parser to use the stdlib function for splitting host from port. It also adds a footnote about a potentially required portnumber for postgres UNIX sockets. Fixes: #24552 Co-authored-by: Moritz Poldrack <33086936+mpldr@users.noreply.github.com>
* Increase queue length (#27555) (#27562)Giteabot2023-10-101-1/+1
| | | | | | | | | | | | | | | Backport #27555 by @wolfogre It should be OK to increase the default queue length since the default type is "level". IMO, the old default length (100) is a little too small. See https://github.com/go-gitea/gitea/issues/27540#issuecomment-1754269491 IIRC, a larger length could lead to more memory usage only when the type is "channel," but it's an obscure case. Otherwise, it's just a limit (for "level" or "redis"). Co-authored-by: Jason Song <i@wolfogre.com>
* Fix `environment-to-ini` inherited key bug (#27543) (#27546)Giteabot2023-10-092-1/+28
| | | | | | | | | | | Backport #27543 by @wxiaoguang Fix #27541 The INI package has a quirk: by default, the keys are inherited. When maintaining the keys, the newly added sub key should not be affected by the parent key. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Refactor system setting (#27000) (#27452)Giteabot2023-10-053-0/+185
| | | | | | | | | | | | | | | | Backport #27000 by @wxiaoguang This PR reduces the complexity of the system setting system. It only needs one line to introduce a new option, and the option can be used anywhere out-of-box. It is still high-performant (and more performant) because the config values are cached in the config system. ![image](https://github.com/go-gitea/gitea/assets/2114189/f8cdd743-1145-41ab-9f8f-3996aa97d440) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Make Actions tasks/jobs timeouts configurable by the user (#27400) (#27402)Giteabot2023-10-031-0/+8
| | | | | | | | | | | | | | | | | | | | | Backport #27400 by @fantognazza With this PR we added the possibility to configure the Actions timeouts values for killing tasks/jobs. Particularly this enhancement is closely related to the `act_runner` configuration reported below: ``` # The timeout for a job to be finished. # Please note that the Gitea instance also has a timeout (3h by default) for the job. # So the job could be stopped by the Gitea instance if it's timeout is shorter than this. timeout: 3h ``` --- Setting the corresponding key in the INI configuration file, it is possible to let jobs run for more than 3 hours. Signed-off-by: Francesco Antognazza <francesco.antognazza@gmail.com>
* Actions are no longer experimental, so enable them by default (#27054)Lunny Xiao2023-09-151-1/+1
| | | | This PR makes the actions enabled by default, so people will find it easier to enable actions in repository setting.
* Use secure cookie for HTTPS sites (#26999)wxiaoguang2023-09-111-1/+1
| | | | | | | | | | | If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's default value should be true. And, if a user visits an "http" site with "https" AppURL, they won't be able to login, and they should have been warned. The only problem is that the "language" can't be set either in such case, while I think it is not a serious problem, and it could be fixed easily if needed. ![image](https://github.com/go-gitea/gitea/assets/2114189/7bc9a859-dcc1-467d-bc7c-1dd6a10389e3)
* Fix INI parsing for value with trailing slash (#26995)wxiaoguang2023-09-102-2/+20
| | | Fix #26977 (a temp fix)
* Add reverseproxy auth for API back with default disabled (#26703)Lunny Xiao2023-09-071-0/+2
| | | | | | | | | | | | | | | This feature was removed by #22219 to avoid possible CSRF attack. This PR takes reverseproxy auth for API back but with default disabled. To prevent possbile CSRF attack, the responsibility will be the reverseproxy but not Gitea itself. For those want to enable this `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`, they should know what they are doing. --------- Co-authored-by: Giteabot <teabot@gitea.io>
* Artifacts retention and auto clean up (#26131)FuXiaoHei2023-09-061-4/+10
| | | | | | | | | | | | | | Currently, Artifact does not have an expiration and automatic cleanup mechanism, and this feature needs to be added. It contains the following key points: - [x] add global artifact retention days option in config file. Default value is 90 days. - [x] add cron task to clean up expired artifacts. It should run once a day. - [x] support custom retention period from `retention-days: 5` in `upload-artifact@v3`. - [x] artifacts link in actions view should be non-clickable text when expired.
* Fix some slice append usages (#26778)Chongyi Zheng2023-08-291-1/+1
| | | Co-authored-by: delvh <dev.lh@web.de>
* Expanded minimum RSA Keylength to 3072 (#26604)mainboarder2023-08-281-1/+1
| | | | | | | | | | | | | | | German Federal Office for Information Security requests in its technical guideline BSI TR-02102-1 RSA Keylength not shorter than 3000bits starting 2024, in the year 2023 3000bits as a recommendation. Gitea should request longer RSA Keys by default in favor of security and drop old clients which do not support longer keys. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=9 - Page 19, Table 1.2 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Update minimum password length requirements (#25946)techknowlogick2023-08-211-1/+1
|
* Handle base64 decoding correctly to avoid panic (#26483)wxiaoguang2023-08-142-14/+11
| | | Fix the panic if the "base64 secret" is too long.
* Fix storage path logic especially for relative paths (#26441)Lunny Xiao2023-08-132-93/+294
| | | | | | | | | This PR rewrites the function `getStorage` and make it more clear. Include tests from #26435, thanks @earl-warren --------- Co-authored-by: Earl Warren <contact@earl-warren.org>
* Remove last newline from config file (#26468)wxiaoguang2023-08-122-0/+21
| | | | | | | | | When users put the secrets into a file (GITEA__sec__KEY__FILE), the newline sometimes is different to avoid (eg: echo/vim/...) So the last newline could be removed when reading, it makes the users easier to maintain the secret files. Co-authored-by: Giteabot <teabot@gitea.io>
* Pre-register OAuth2 applications for git credential helpers (#26291)Denys Konovalov2023-08-091-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | This PR is an extended implementation of #25189 and builds upon the proposal by @hickford in #25653, utilizing some ideas proposed internally by @wxiaoguang. Mainly, this PR consists of a mechanism to pre-register OAuth2 applications on startup, which can be enabled or disabled by modifying the `[oauth2].DEFAULT_APPLICATIONS` parameter in app.ini. The OAuth2 applications registered this way are being marked as "locked" and neither be deleted nor edited over UI to prevent confusing/unexpected behavior. Instead, they're being removed if no longer enabled in config. ![grafik](https://github.com/go-gitea/gitea/assets/47871822/81a78b1c-4b68-40a7-9e99-c272ebb8f62e) The implemented mechanism can also be used to pre-register other OAuth2 applications in the future, if wanted. Co-authored-by: hickford <mirth.hickford@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> --------- Co-authored-by: M Hickford <mirth.hickford@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix the wrong derive path (#26271)Lunny Xiao2023-08-042-17/+215
| | | | | | | | | | | | | This PR will fix #26264, caused by #23911. The package configuration derive is totally wrong when storage type is local in that PR. This PR fixed the inherit logic when storage type is local with some unit tests. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Clarify the logger's MODE config option (#26267)wxiaoguang2023-08-011-1/+1
| | | | | | | 1. Fix the wrong document (add the missing `MODE=`) 2. Add a more friendly log message to tell users to add `MODE=` in their config Co-authored-by: Giteabot <teabot@gitea.io>
* Add 'Show on a map' button to Location in profile, fix layout (#26214)Panagiotis "Ivory" Vasilopoulos2023-07-311-0/+2
| | | | | | | | | | | Not too important, but I think that it'd be a pretty neat touch. Also fixes some layout bugs introduced by a previous PR. --------- Co-authored-by: Gusted <postmaster@gusted.xyz> Co-authored-by: Caesar Schinas <caesar@caesarschinas.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix allowed user types setting problem (#26200)Lunny Xiao2023-07-282-6/+110
| | | Fix #25951
* Calculate MAX_WORKERS default value by CPU number (#26177)wxiaoguang2023-07-271-11/+18
| | | | | | To avoid consuming user's 100% CPU, limit the default value of MAX_WORKERS Fix #26063 (the CPU 100% problem mentioned in it)
* Display deprecated warning in admin panel pages as well as in the log file ↵Lunny Xiao2023-07-263-8/+38
| | | | | | | | | | | | | | | (#26094) This PR includes #26007 's changes but have a UI to prompt administrator about the deprecated settings as well as the log or console warning. Then users will have enough time to notice the problem and don't have surprise like before. <img width="1293" alt="图片" src="https://github.com/go-gitea/gitea/assets/81045/c33355f0-1ea7-4fb3-ad43-cd23cd15391d"> --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix loading `LFS_JWT_SECRET` from wrong section (#26109)Jason Song2023-07-251-1/+1
| | | | | | | | | | | Regression of #25408. `LFS_JWT_SECRET_URI` and `LFS_JWT_SECRET` are under the `server` section, not `lfs`. So each time gitea restarts, it resets `LFS_JWT_SECRET`. <img width="1378" alt="image" src="https://github.com/go-gitea/gitea/assets/9418365/527ec9b9-eea2-4334-a274-6d1471456edd">
* Avoid writing config file if not installed (#26107)wxiaoguang2023-07-251-1/+1
| | | | Just like others (oauth2 secret, internal token, etc), do not generate if no install lock
* Serve pre-defined files in "public", add "security.txt", add CORS header for ↵wxiaoguang2023-07-211-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ".well-known" (#25974) Replace #25892 Close #21942 Close #25464 Major changes: 1. Serve "robots.txt" and ".well-known/security.txt" in the "public" custom path * All files in "public/.well-known" can be served, just like "public/assets" 3. Add a test for ".well-known/security.txt" 4. Simplify the "FileHandlerFunc" logic, now the paths are consistent so the code can be simpler 5. Add CORS header for ".well-known" endpoints 6. Add logs to tell users they should move some of their legacy custom public files ``` 2023/07/19 13:00:37 cmd/web.go:178:serveInstalled() [E] Found legacy public asset "img" in CustomPath. Please move it to /work/gitea/custom/public/assets/img 2023/07/19 13:00:37 cmd/web.go:182:serveInstalled() [E] Found legacy public asset "robots.txt" in CustomPath. Please move it to /work/gitea/custom/public/robots.txt ``` This PR is not breaking. --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Giteabot <teabot@gitea.io>
* Fix env config parsing for "GITEA____APP_NAME" (#26001)wxiaoguang2023-07-202-1/+7
| | | | | | | Regression of #24832 Fix the bug and add a test for it Co-authored-by: Giteabot <teabot@gitea.io>
* Update path related documents (#25417)wxiaoguang2023-07-191-1/+1
| | | | | | | | | | | | Update WorkPath/WORK_PATH related documents, remove out-dated information. Remove "StaticRootPath" on the admin config display page, because few end user really need it, it only causes misconfiguration. ![image](https://github.com/go-gitea/gitea/assets/2114189/8095afa4-da76-436b-9e89-2a92c229c01d) Co-authored-by: Giteabot <teabot@gitea.io>
* Avoid creating directories when loading config (#25944)wxiaoguang2023-07-181-2/+4
| | | | | | | | | The "creating dir/file during load config" is a longstanding and complex problem. This PR only does a quick patch, it still needs more refactorings in the future. Fix #25938
* Add shutting down notice (#25920)KN4CK3R2023-07-171-1/+1
| | | | | | | Got the same problem as #25915 when updating an instance. The `log.Fatal` should have been marked as breaking in #23911. This PR adds a notice that the system is shutting down because of the deprecated setting.
* Make "install page" respect environment config (#25648)wxiaoguang2023-07-095-9/+37
| | | | | | | | | | | | | | | | | | | | | | | | | Replace #25580 Fix #19453 The problem was: when users set "GITEA__XXX__YYY" , the "install page" doesn't respect it. So, to make the result consistent and avoid surprising end users, now the "install page" also writes the environment variables to the config file. And, to make things clear, there are enough messages on the UI to tell users what will happen. There are some necessary/related changes to `environment-to-ini.go`: * The "--clear" flag is removed and it was incorrectly written there. The "clear" operation should be done if INSTALL_LOCK=true * The "--prefix" flag is removed because it's never used, never documented and it only causes inconsistent behavior. ![image](https://github.com/go-gitea/gitea/assets/2114189/12778ee4-3fb5-4664-a73a-41ebbd77cd5b)
* Replace `interface{}` with `any` (#25686)silverwind2023-07-042-3/+3
| | | | | Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).
* Set SSH_AUTHORIZED_KEYS_BACKUP to false (#25412)techknowlogick2023-07-011-1/+1
| | | | | | | | | | | This prevents the disk from overflowing with auth keys file Fixes #17117 ## ⚠️ BREAKING This changes the default option for creating a backup of the authorized key file when an update is made to default to false.
* Restrict `[actions].DEFAULT_ACTIONS_URL` to only `github` or `self` (#25581)Jason Song2023-06-302-2/+125
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolve #24789 ## :warning: BREAKING :warning: Before this, `DEFAULT_ACTIONS_URL` cound be set to any custom URLs like `https://gitea.com` or `http://your-git-server,https://gitea.com`, and the default value was `https://gitea.com`. But now, `DEFAULT_ACTIONS_URL` supports only `github`(`https://github.com`) or `self`(the root url of current Gitea instance), and the default value is `github`. If it has configured with a URL, an error log will be displayed and it will fallback to `github`. Actually, what we really want to do is always make it `https://github.com`, however, this may not be acceptable for some instances of internal use, so there's extra support for `self`, but no more, even `https://gitea.com`. Please note that `uses: https://xxx/yyy/zzz` always works and it does exactly what it is supposed to do. Although it's breaking, I belive it should be backported to `v1.20` due to some security issues. Follow-up on the runner side: - https://gitea.com/gitea/act_runner/pulls/262 - https://gitea.com/gitea/act/pulls/70
* Do not prepare oauth2 config if it is not enabled, do not write config in ↵wxiaoguang2023-06-281-0/+4
| | | | | | | | | | some sub-commands (#25567) Ref: * https://github.com/go-gitea/gitea/issues/25377#issuecomment-1609757289 And some sub-commands like "generate" / "docs", they do not need to use the ini config
* Fix sub-command log level (#25537)wxiaoguang2023-06-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | More fix for #24981 * #24981 Close #22361 * #22361 There were many patches for Gitea's sub-commands to satisfy the facts: * Some sub-commands shouldn't output any log, otherwise the git protocol would be broken * Sometimes the users want to see "verbose" or "quiet" outputs That's a longstanding problem, and very fragile. This PR is only a quick patch for the problem. In the future, the sub-command system should be refactored to a clear solution. ---- Other changes: * Use `ReplaceAllWriters` to replace `RemoveAllWriters().AddWriters(writer)`, then it's an atomic operation. * Remove unnecessary `syncLevelInternal` calls, because `AddWriters/addWritersInternal` already calls it. Co-authored-by: Giteabot <teabot@gitea.io>
* Use InitWorkPathAndCfgProvider for environment-to-ini to avoid unnecessary ↵wxiaoguang2023-06-241-2/+6
| | | | | | | | | | | | | | | checks (#25480) Fix #25481 The `InitWorkPathAndCommonConfig` calls `LoadCommonSettings` which does many checks like "current user is root or not". Some commands like "environment-to-ini" shouldn't do such check, because it might be run with "root" user at the moment (eg: the docker's setup script) ps: in the future, the docker's setup script should be improved to avoid Gitea's command running with "root"
* Import additional secrets via file uri (#25408)techknowlogick2023-06-233-1/+5
|
* Remove "CHARSET" config option for MySQL, always use "utf8mb4" (#25413)wxiaoguang2023-06-211-19/+9
| | | | | | | | | | | | | In modern days, there is no reason to make users set "charset" anymore. Close #25378 ## :warning: BREAKING The key `[database].CHARSET` was removed completely as every newer (>10years) MySQL database supports `utf8mb4` already. There is a (deliberately) undocumented new fallback option if anyone still needs to use it, but we don't recommend using it as it simply causes problems.
* Refactor path & config system (#25330)wxiaoguang2023-06-216-168/+398
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | # The problem There were many "path tricks": * By default, Gitea uses its program directory as its work path * Gitea tries to use the "work path" to guess its "custom path" and "custom conf (app.ini)" * Users might want to use other directories as work path * The non-default work path should be passed to Gitea by GITEA_WORK_DIR or "--work-path" * But some Gitea processes are started without these values * The "serv" process started by OpenSSH server * The CLI sub-commands started by site admin * The paths are guessed by SetCustomPathAndConf again and again * The default values of "work path / custom path / custom conf" can be changed when compiling # The solution * Use `InitWorkPathAndCommonConfig` to handle these path tricks, and use test code to cover its behaviors. * When Gitea's web server runs, write the WORK_PATH to "app.ini", this value must be the most correct one, because if this value is not right, users would find that the web UI doesn't work and then they should be able to fix it. * Then all other sub-commands can use the WORK_PATH in app.ini to initialize their paths. * By the way, when Gitea starts for git protocol, it shouldn't output any log, otherwise the git protocol gets broken and client blocks forever. The "work path" priority is: WORK_PATH in app.ini > cmd arg --work-path > env var GITEA_WORK_DIR > builtin default The "app.ini" searching order is: cmd arg --config > cmd arg "work path / custom path" > env var "work path / custom path" > builtin default ## ⚠️ BREAKING If your instance's "work path / custom path / custom conf" doesn't meet the requirements (eg: work path must be absolute), Gitea will report a fatal error and exit. You need to set these values according to the error log. ---- Close #24818 Close #24222 Close #21606 Close #21498 Close #25107 Close #24981 Maybe close #24503 Replace #23301 Replace #22754 And maybe more
* Avoid polluting config file when "save" (#25395)wxiaoguang2023-06-216-13/+85
| | | | | | | | | | | | | That's a longstanding INI package problem: the "MustXxx" calls change the option values, and the following "Save" will save a lot of garbage options into the user's config file. Ideally we should refactor the INI package to a clear solution, but it's a huge work. A clear workaround is what this PR does: when "Save", load a clear INI instance and save it. Partially fix #25377, the "install" page needs more fine tunes.
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-02 11:54:48 +0000