path: root/routers/web
Commit message | Author | Age | Files | Lines
* Use padded keyid (#22288) | Gusted | 2023-01-02 | 1 | -3/+9
  - Followup for #22231 to follow the frontport.
* Use complete SHA to create and query commit status (#22244) (#22258) | Jason Song | 2022-12-28 | 1 | -1/+1
  Backport #22244.
  Fix #13485.
  Co-authored-by: delvh <dev.lh@web.de>
  Co-authored-by: Lauris BH <lauris@nix.lv>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: delvh <dev.lh@web.de>
  Co-authored-by: Lauris BH <lauris@nix.lv>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Fix sorting admin user list by last login (#22081) (#22106) | aceArt-GmbH | 2022-12-13 | 1 | -0/+4
  Backport of #22081
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Fix permission check on issue/pull lock (#22114) | Lunny Xiao | 2022-12-12 | 1 | -3/+2
  Fix #22110
* Fix setting HTTP headers after write (#21833) (#21874) | KN4CK3R | 2022-11-20 | 1 | -2/+0
  Backport #21833
* Set last login when activating account (#21731) (#21754) | Jason Song | 2022-11-10 | 1 | -0/+7
  Backport #21731.
  Fix #21698.
  Set the last login time to the current time when activating the user successfully.
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Added check for disabled Packages (#21540) (#21614) | Xinyu Zhou | 2022-10-27 | 1 | -0/+2
  Backport #21540
  At the moment, if admin disable Packages, still show the Packages on the admin dashboard.
  This patch added a check to hide the Packages entry.
* Suppress `ExternalLoginUserNotExist` error (#21504) (#21572) | KN4CK3R | 2022-10-26 | 2 | -2/+6
  Backport of #21504
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Display total commit count in hook message (#21400) (#21481) | KN4CK3R | 2022-10-17 | 1 | -9/+10
  Backport of #21400
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Return 404 when user is not found on avatar (#21476) (#21477) | Gusted | 2022-10-17 | 1 | -0/+4
  - Backport #21476
  - Instead of returning a 500 Internal Server when the user wasn't found, return 404 Not found.
* Parse OAuth Authorization header when request omits client secret (#21351) (#21374) | M Hickford | 2022-10-08 | 1 | -2/+21
  Backport #21351
  This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both:
  https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1
  Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body
  Sanity validation that client id and client secret in request are consistent with Authorization header.
  Improve error descriptions. Error codes remain the same.
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: zeripath <art27@cantab.net>
* Tag list should include draft releases with existing tags (#21263) (#21365) | Jason Song | 2022-10-07 | 1 | -3/+11
  Backport #21263.
  Before, a tag for a draft release disappeared in the tag list, fix #21262.
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Use absolute links in feeds (#21229) (#21265) | KN4CK3R | 2022-09-26 | 1 | -31/+31
  Backport of #21229
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Fix CSV diff for added/deleted files (#21189) (#21193) | wxiaoguang | 2022-09-17 | 1 | -18/+18
  Backport #21189
  Fixes #21184
  Regression of #19552
  Instead of using `GetBlobByPath`, use the already existing instances.
* Fix pagination limit parameter problem (#21111) | Tyrone Yeh | 2022-09-08 | 1 | -1/+1
  backport #21109
  Co-authored-by: 6543 <6543@obermui.de>
* Fix hard-coded timeout and error panic in API archive download endpoint (#20925) (#21051) | zeripath | 2022-09-06 | 1 | -49/+6
  Backport #20925
  This commit updates the `GET /api/v1/repos/{owner}/{repo}/archive/{archive}` endpoint which prior to this PR had a couple of issues.
  1. The endpoint had a hard-coded 20s timeout for the archiver to complete after which a 500 (Internal Server Error) was returned to client. For a scripted API client there was no clear way of telling that the operation timed out and that it should retry.
  2. Whenever the timeout _did occur_, the code used to panic. This was caused by the API endpoint "delegating" to the same call path as the web, which uses a slightly different way of reporting errors (HTML rather than JSON for example).
  More specifically, `api/v1/repo/file.go#GetArchive` just called through to `web/repo/repo.go#Download`, which expects the `Context` to have a `Render` field set, but which is `nil` for API calls. Hence, a `nil` pointer error.
  The code addresses (1) by dropping the hard-coded timeout. Instead, any timeout/cancelation on the incoming `Context` is used.
  The code addresses (2) by updating the API endpoint to use a separate call path for the API-triggered archive download. This avoids producing HTML-errors on errors (it now produces JSON errors).
  Signed-off-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com>
  Signed-off-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com>
  Signed-off-by: Andrew Thornton <art27@cantab.net>
  Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Redirect if user does not exist on admin pages (#20981) (#21059) | zeripath | 2022-09-04 | 1 | -1/+5
  Backport #20981
  When on /admin/users/ endpoints if the user is no longer in the DB, redirect instead of causing a http 500.
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Fill the specified ref in webhook test payload (#20961) (#21055) | Jason Song | 2022-09-04 | 1 | -2/+4
  Backport #20961
  The webhook payload should use the right ref when it's specified in the testing request.
  The compare URL should not be empty, a URL like `compare/A...A` seems useless in most cases but is helpful when testing.
* Fix mirror address setting not working (#20850) (#20904) | zeripath | 2022-08-23 | 1 | -2/+5
  Backport #20850
  This patch fixes the issue that the mirror address field is ignored from the repo setting form.
  Co-authored-by: Gary Wang <wzc782970009@gmail.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Remove calls to load Mirrors in user.Dashboard (#20855) (#20897) | zeripath | 2022-08-22 | 1 | -33/+0
  Backport #20855
  Whilst looking at #20840 I noticed that the Mirrors data doesn't appear to be being used therefore we can remove this and in fact none of the related code is used elsewhere so it can also be removed.
  Related #20840
  Related #20804
  Signed-off-by: Andrew Thornton <art27@cantab.net>
  Signed-off-by: Andrew Thornton <art27@cantab.net>
  Signed-off-by: Andrew Thornton <art27@cantab.net>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Fix SQL Query for `SearchTeam` (#20844) (#20872) | Gusted | 2022-08-21 | 1 | -1/+1
  Backport #20844
  Currently the function takes in the UserID option, but isn't being used within the SQL query. This patch fixes that by checking that only teams are being returned that the user belongs to.
  Fix #20829
* Fix owners cannot create organization repos bug (#20841) (#20854) | zeripath | 2022-08-18 | 1 | -1/+4
  Backport #20841
  * Fix owners cannot create organization repos bug
  * Fix api
  * Update routers/api/v1/org/team.go
  Co-authored-by: Gusted <williamzijl7@hotmail.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: Gusted <williamzijl7@hotmail.com>
  Co-authored-by: John Olheiser <john.olheiser@gmail.com>
* Use the total issue count for UI (#20785) (#20827) | parnic | 2022-08-17 | 1 | -2/+6
  Backport #20785
  This fixes a problem where the "All" line item on the Issues or Pull Requests page was only showing the count of the selected repos instead of the total of all issues/prs in all repos.
  The "total number of shown issues" number is now stashed in a different context variable in case it wants to be used by the frontend later. It's currently not being used.
  Fixes #20574
* Add disable download source configuration (#20548) (#20579) | Lunny Xiao | 2022-08-12 | 1 | -1/+8
  * Add disable download source configuration (#20548)
    Add configuration to enable/disable download source from UI.
    Co-authored-by: zeripath <art27@cantab.net>
  * Fix BaseVars not used in rendering
  * Fix disabled open in vscode menu when disabling download source from UI
  Co-authored-by: zeripath <art27@cantab.net>
  Co-authored-by: Lauris BH <lauris@nix.lv>
* Use request timeout for git service rpc (#20689) (#20693) | parnic | 2022-08-07 | 1 | -5/+6
  This enables git.Command's Run to optionally use the given context directly so its deadline will be respected. Otherwise, it falls back to the previous behavior of using the supplied timeout or a default timeout value of 360 seconds.
  repo's serviceRPC() calls now use the context's deadline (which is unset/unlimited) instead of the default 6-minute timeout. This means that large repo clones will no longer arbitrarily time out on the upload-pack step, and pushes can take longer than 6 minutes on the receive-pack step.
  Fixes #20680
* Add default commit messages to PR for squash merge (#20618) (#20645) | wxiaoguang | 2022-08-04 | 1 | -0/+2
  Keep the same behavior as 1.16
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: John Olheiser <john.olheiser@gmail.com>
  Co-authored-by: Tyrone Yeh <tyrone_yeh@draytek.com>
  Co-authored-by: John Olheiser <john.olheiser@gmail.com>
* WebAuthn CredentialID field needs to be increased in size (#20530) (#20555) | 6543 | 2022-07-30 | 1 | -2/+1
  WebAuthn have updated their specification to set the maximum size of the CredentialID to 1023 bytes. This is somewhat larger than our current size and therefore we need to migrate.
  The PR changes the struct to add CredentialIDBytes and migrates the CredentialID string to the bytes field before another migration drops the old CredentialID field. Another migration renames this field back.
  Fix #20457
  Signed-off-by: Andrew Thornton <art27@cantab.net>
  Co-authored-by: zeripath <art27@cantab.net>
* Add Docker /v2/_catalog endpoint (#20469) (#20556) | 6543 | 2022-07-30 | 2 | -0/+13
  * Added properties for packages.
  * Fixed authenticate header format.
  * Added _catalog endpoint.
  * Check owner visibility.
  * Extracted condition.
  * Added test for _catalog.
  Co-authored-by: 6543 <6543@obermui.de>
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
  Co-authored-by: Lauris BH <lauris@nix.lv>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Add missing Tabs on organisation/package view (#20539) | 6543 | 2022-07-29 | 1 | -0/+16
  hotfix #20106
* Fix possible panic when repository is empty (#20509) (#20526) | 6543 | 2022-07-28 | 1 | -4/+8
  Backport #20509
* Show hint to link package to repo when viewing empty repo package list (#20504) (#20507) | Norwin | 2022-07-27 | 1 | -0/+4
* Add repository condition for issue count (#20496) | Tyrone Yeh | 2022-07-27 | 1 | -0/+1
* fix enabling repo packages when projects are off (#20486) (#20488) | Norwin | 2022-07-26 | 1 | -1/+1
* Add Cache-Control header to html and api responses, add no-transform (#20432) (#20459) | silverwind | 2022-07-23 | 1 | -0/+1
  `no-transform` allegedly disables CloudFlare auto-minify and we did not set caching headers on html or api requests, which seems good to have regardless.
  Transformation is still allowed for asset requests.
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: Andrew Thornton <art27@cantab.net>
* Dismiss prior pull reviews if done via web in review dismiss (#20197) (#20407) | 6543 | 2022-07-19 | 1 | -1/+1
* Fix commit status icon when in subdirectory (#20285) (#20385) | silverwind | 2022-07-16 | 1 | -7/+7
  When viewing a subdirectory and the latest commit to that directory in the table, the commit status icon incorrectly showed the status of the HEAD commit instead of the latest for that directory.
* Hide notify mail setting ui if not enabled (#20138) (#20336) | Lunny Xiao | 2022-07-13 | 1 | -0/+1
  Co-authored-by: 6543 <6543@obermui.de>
* Only show Followers that current user can access (#20220) (#20252) | zeripath | 2022-07-06 | 1 | -4/+4
  Backport #20220
  Users who are following or being followed by a user should only be displayed if the viewing user can see them.
  Signed-off-by: Andrew Thornton <art27@cantab.net>
* Check if project has the same repository id with issue when assign project to issue (#20133) (#20188) | Lunny Xiao | 2022-07-01 | 4 | -5/+29
  * Check if project has the same repository id with issue when assign project to issue
  * Check if issue's repository id match project's repository id
  * Add more permission checking
  * Remove invalid argument
  * Fix errors
  * Add generic check
  * Remove duplicated check
  * Return error + add check for new issues
  * Apply suggestions from code review
  Co-authored-by: Gusted <williamzijl7@hotmail.com>
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
  Co-authored-by: 6543 <6543@obermui.de>
* Fix wrong login requirement routers (#20101) (#20104) | Lunny Xiao | 2022-06-24 | 1 | -1/+1
* Catch the error before the response is processed by goth. (#20000) (#20102) | SteveTheEngineer | 2022-06-24 | 1 | -12/+20
  The code introduced by #18185 gets the error from response after it was processed by goth.
  That is incorrect, as goth (and golang.org/x/oauth) doesn't really care about the error, and it sends a token request with an empty authorization code to the server anyway, which always results in a `oauth2: cannot fetch token: 400 Bad Request` error from goth.
  It means that unless the "state" parameter is omitted from the error response (which is required to be present, according to [RFC 6749, Section 4.1.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1)) or the page is reloaded (makes the session invalid), a 500 Internal Server Error page will be displayed.
  This fixes it by handling the error before the request is passed to goth.
* Dashboard feed respect setting.UI.FeedPagingNum again (#20094) (#20099) | Jimmy Praet | 2022-06-23 | 2 | -0/+2
  Fixes #20080
* Release page show all tags in compare dropdown (#20070) (#20072) | 6543 | 2022-06-21 | 1 | -1/+8
  Backport #20070
  Just get all tags when creating the compare dropdown.
  Fix #19936
* Fix delete pull head ref for DeleteIssue (#20032) (#20034) | a1012112796 | 2022-06-19 | 1 | -0/+5
  Backport #20032
  In DeleteIssue the PR git head reference should be `/refs/pull/xxx/head` not `/refs/pull/xxx`
  Fix #19655
  Signed-off-by: a1012112796 <1012112796@qq.com>
* Stop spurious APIFormat stopwatches logs (#20008) | zeripath | 2022-06-17 | 1 | -1/+3
  If there are dangling stopwatches with missing issues there will be repeated logging of Unable to APIFormat stopwatches. These are unhelpful and instead we should only log if the error is not an issue not exist error.
  And we should also prevent an error on missing issue in GetActiveStopwatch too
  Signed-off-by: Andrew Thornton <art27@cantab.net>
* Fix Readme render bug (#19992) | Lunny Xiao | 2022-06-17 | 1 | -1/+1
  Fix #19988
  Co-authored-by: zeripath <art27@cantab.net>
* Use DisplayName() instead of FullName in Oauth provider (#19991) | oGi4i | 2022-06-16 | 2 | -1/+20
  Use DisplayName() in Oauth as this provides a fallback if FullName is not set.
  Closes #19382
* fix permission check for delete tag (#19985) | a1012112796 | 2022-06-16 | 2 | -1/+11
  fix #19970
  by the way, fix some error response about protected tags.
  Signed-off-by: a1012112796 <1012112796@qq.com>
* Allow render HTML with css/js external links (#19017) | Lunny Xiao | 2022-06-16 | 4 | -18/+108
  * Allow render HTML with css/js external links
  * Fix bug because of filename escape chars
  * Fix lint
  * Update docs about new configuration item
  * Fix bug of render HTML in sub directory
  * Add CSP head for displaying iframe in rendering file
  * Fix test
  * Apply suggestions from code review
    Co-authored-by: delvh <dev.lh@web.de>
  * Some improvements
  * some improvement
  * revert change in SanitizerDisabled of external renderer
  * Add sandbox for iframe and support allow-scripts and allow-same-origin
  * refactor
  * fix
  * fix lint
  * fine tune
  * use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts
  * fine tune CSP
  * Apply suggestions from code review
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: delvh <dev.lh@web.de>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* In code search, get code unit accessible repos in one (main) query (#19764) | Hugo Hoitink | 2022-06-16 | 1 | -87/+57
  * When non-admin users use code search, get code unit accessible repos in one main query
  * Modified some comments to match the changes
  * Removed unnecessary check for Access Mode in Collaboration table
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
  Co-authored-by: Lauris BH <lauris@nix.lv>