path: root/routers
Commit message | Author | Date | Files | Lines (-/+)
* use existing oauth grant for public client (#31015) (#31041) [release/v1.21] | Giteabot | 2024-05-21 | 1 file | -2/+17
  Backport #31015 by @denyskon
  Do not try to create a new authorization grant when one exists already, thus preventing a DB-related authorization issue.
  Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426
  Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Move reverseproxyauth before session so the header will not be ignored even if the user is logged in (#27821) (#30947) | Giteabot | 2024-05-12 | 1 file | -6/+6
  Backport #27821 by @lunny
  When a user logs out and then logs in as another user, the reverse-proxy auth should be checked before the session; otherwise the old user is still logged in.
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
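Added example, not code from the Gitea commit above: the auth-method ordering the message describes, modelled as a chain of stand-in `Method` values in Go. The `Method`, `ReverseProxy`, `Session` and `Chain` types, the `X-WEBAUTH-USER` header name, the `i_like_gitea` cookie name and the in-memory session table are this example's own assumptions. It shows why the order matters: with a stale session cookie for one user and a proxy header for another, whichever method runs first decides who is logged in.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Method identifies the requesting user from one source of identity and
// returns "" when that source is absent. (Hypothetical interface for this
// example, not Gitea's own auth types.)
type Method interface {
	Verify(r *http.Request) string
}

// ReverseProxy trusts a user header set by an authenticating proxy in front
// of the application. This is only safe when that proxy strips the header
// from client-supplied requests; the example assumes that is the case.
type ReverseProxy struct{ Header string }

func (m ReverseProxy) Verify(r *http.Request) string { return r.Header.Get(m.Header) }

// Session resolves the session cookie against a server-side session table.
type Session struct {
	Cookie   string
	Sessions map[string]string // cookie value -> user name
}

func (m Session) Verify(r *http.Request) string {
	c, err := r.Cookie(m.Cookie)
	if err != nil {
		return ""
	}
	return m.Sessions[c.Value]
}

// Chain tries each method in turn and returns the first user found. The
// order is what the commit changes: when two sources both identify someone,
// the earlier one wins.
type Chain []Method

func (c Chain) Verify(r *http.Request) string {
	for _, m := range c {
		if u := m.Verify(r); u != "" {
			return u
		}
	}
	return ""
}

// Constructed request for the situation in the commit: the browser still
// carries alice's old session cookie while the proxy now asserts bob.
// Header and cookie names are this example's choices.
func staleSessionRequest() *http.Request {
	r := httptest.NewRequest("GET", "/", nil)
	r.Header.Set("X-WEBAUTH-USER", "bob")
	r.AddCookie(&http.Cookie{Name: "i_like_gitea", Value: "sess-alice"})
	return r
}

// Constructed session table: one live session belonging to alice.
func sessions() map[string]string { return map[string]string{"sess-alice": "alice"} }

// Before the fix: session checked first, so the stale cookie keeps alice logged in.
func UserBefore() string {
	return Chain{Session{"i_like_gitea", sessions()}, ReverseProxy{"X-WEBAUTH-USER"}}.Verify(staleSessionRequest())
}

// After the fix: reverse-proxy header checked first, so bob is the current user.
func UserAfter() string {
	return Chain{ReverseProxy{"X-WEBAUTH-USER"}, Session{"i_like_gitea", sessions()}}.Verify(staleSessionRequest())
}

func main() {
	fmt.Println("before:", UserBefore(), "after:", UserAfter())
}
```

Without the proxy header the chain falls through to the session in either order, so the reordering only changes behaviour when the two sources disagree, which is exactly the logout-then-login case the commit fixes.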
* Fix network error when opening/closing organization/individual projects and redirect to project page (#30387) (#30911) | yp05327 | 2024-05-09 | 2 files | -11/+6
  Backport #30387
  Fix #30901
* Prevent automatic OAuth grants for public clients (#30790) (#30835) | Giteabot | 2024-05-02 | 1 file | -2/+3
  Backport #30790 by archer-321
  This commit forces the resource owner (user) to always approve OAuth 2.0 authorization requests if the client is public (e.g. native applications). As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),
  > The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.
  With the implementation prior to this patch, attackers with access to the redirect URI (e.g., the loopback interface for `git-credential-oauth`) can get access to the user account without any user interaction if they can redirect the user to the `/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on Linux).
  Fixes #25061.
  Co-authored-by: Archer <archer@beezig.eu>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
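Added example, not code from either Gitea commit: the authorization-endpoint decision described by this commit (#30790) and by the follow-up "use existing oauth grant for public client" (#31015) above, written as a stand-alone Go function. `Client`, `Grant`, `GrantStore`, the in-memory store and the `Authorize` signature are this example's own assumptions, not Gitea's models. It applies RFC 6749 §10.2 as the message quotes it: a confidential client with an existing grant is approved without interaction, a public client is always sent to the consent page, and when the user does consent an existing grant is reused instead of inserting a duplicate row.

```go
package main

import (
	"errors"
	"fmt"
)

// Client models the part of an OAuth 2.0 client registration that matters
// here. (Hypothetical type for this example, not Gitea's own model.)
type Client struct {
	ID           string
	Confidential bool // false for public clients: native apps, CLI helpers
}

// Grant records that a resource owner has approved a client.
type Grant struct {
	ClientID string
	UserID   int64
	Scope    string
}

// GrantStore is the persistence boundary; the in-memory implementation below
// stands in for a table with a unique index on (user, client).
type GrantStore interface {
	Lookup(userID int64, clientID string) (*Grant, bool)
	Insert(g *Grant) error
}

type memStore struct{ grants map[string]*Grant }

func NewMemStore() *memStore { return &memStore{grants: map[string]*Grant{}} }

func grantKey(userID int64, clientID string) string { return fmt.Sprintf("%d:%s", userID, clientID) }

func (m *memStore) Lookup(userID int64, clientID string) (*Grant, bool) {
	g, ok := m.grants[grantKey(userID, clientID)]
	return g, ok
}

func (m *memStore) Insert(g *Grant) error {
	k := grantKey(g.UserID, g.ClientID)
	if _, exists := m.grants[k]; exists {
		// A second insert for the same (user, client) is what a unique
		// constraint would reject; the caller must look up first.
		return errors.New("grant already exists")
	}
	m.grants[k] = g
	return nil
}

// Decision is the outcome of a request to the authorization endpoint.
type Decision int

const (
	PromptUser Decision = iota // render the consent page, issue nothing yet
	IssueCode                  // redirect back with an authorization code
)

// Authorize applies RFC 6749 §10.2: a repeated authorization request is
// processed without user interaction only when the client can be
// authenticated (confidential) and the user has already granted it. A public
// client always goes through the consent page, because anything able to
// reach its redirect URI could be an impersonator.
//
// userConsented is true only when the request comes from the consent form,
// i.e. the resource owner just clicked "Authorize". Only then is a grant
// recorded, and an existing grant is reused rather than inserted again.
func Authorize(store GrantStore, c Client, userID int64, scope string, userConsented bool) (Decision, *Grant, error) {
	existing, hasGrant := store.Lookup(userID, c.ID)

	if !userConsented {
		if c.Confidential && hasGrant {
			return IssueCode, existing, nil
		}
		return PromptUser, nil, nil
	}

	if hasGrant {
		return IssueCode, existing, nil
	}
	g := &Grant{ClientID: c.ID, UserID: userID, Scope: scope}
	if err := store.Insert(g); err != nil {
		return PromptUser, nil, err
	}
	return IssueCode, g, nil
}

func main() {
	store := NewMemStore()
	cli := Client{ID: "git-credential-oauth", Confidential: false}
	d, _, _ := Authorize(store, cli, 42, "repo", false)
	fmt.Println("first visit prompts:", d == PromptUser)
	Authorize(store, cli, 42, "repo", true) // the user approves once
	d, _, _ = Authorize(store, cli, 42, "repo", false)
	fmt.Println("repeat without interaction still prompts:", d == PromptUser)
	_, _, err := Authorize(store, cli, 42, "repo", true)
	fmt.Println("second consent reuses the grant, err =", err)
}
```

The `Confidential` flag is the only thing that unlocks the no-interaction path; the presence of a grant alone is not enough, which is what closes the `xdg-open`-to-`/login/oauth/authorize` route described in the message.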
* Use maintained gziphandler (#30592) (#30638) | Lunny Xiao | 2024-04-23 | 1 file | -4/+6
  Replace #27894
  Backport #30592
  Co-authored-by: delvh <dev.lh@web.de>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix HEAD method for robots.txt (#30603) (#30604) | Giteabot | 2024-04-19 | 1 file | -1/+1
  Backport #30603 by wxiaoguang
  Fix #30601
* Fix project description rendering for org (#30587) (#30599) | wxiaoguang | 2024-04-19 | 1 file | -2/+3
  Backport #30587
  Manually tested with 1.21:
  ![image](https://github.com/go-gitea/gitea/assets/2114189/fbe9a2c9-0563-4d69-bcdb-8e5e41f288a1)
* Fix empty field login_name in API response JSON when creating user (#30511) (#30532) | yp05327 | 2024-04-17 | 1 file | -4/+4
  Backport #30511
  Fix CI error in #30515
* Fix rename branch 500 when the target branch is deleted but exists in database (#30430) (#30437) | Giteabot | 2024-04-12 | 1 file | -1/+7
  Backport #30430 by @lunny
  Fix #30428
  ---------
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Check the token's owner and repository when registering a runner (#30406) (#30412) | Zettat123 | 2024-04-11 | 1 file | -0/+14
  Backport #30406
  Fix #30378
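Added example, not code from the Gitea commit above: a scope check of the kind the subject line describes, written stand-alone in Go. The `RegistrationToken`, `RegistrationTarget` and `RunnerScope` types, the three scope levels, and the rule that a runner is registered at exactly the level its token was minted for are this example's own assumptions about how such a check is structured; the commit's actual implementation is not on this page. The point it demonstrates is that a token being valid is not sufficient: its owner and repository must match the place the runner is being attached, so a repository-level token cannot register a runner on another repository or one level up.

```go
package main

import (
	"errors"
	"fmt"
)

// RunnerScope is the level a registration token was minted for.
type RunnerScope int

const (
	ScopeGlobal RunnerScope = iota // instance-wide runner
	ScopeOwner                     // runner for one user or organization
	ScopeRepo                      // runner for one repository
)

// RegistrationToken is the record looked up from the token string the runner
// presents. (Hypothetical shape for this example.)
type RegistrationToken struct {
	Scope   RunnerScope
	OwnerID int64 // meaningful for ScopeOwner and ScopeRepo
	RepoID  int64 // meaningful for ScopeRepo only
	Used    bool  // a registration token is single-use in this example
}

// RegistrationTarget is where the runner asks to be attached. It is derived
// from the registration request, not from the token, which is why the two
// must be compared.
type RegistrationTarget struct {
	OwnerID int64 // 0 for a global runner
	RepoID  int64 // 0 for a global or owner-level runner
}

var (
	ErrTokenScope = errors.New("registration token does not belong to this owner/repository")
	ErrTokenUsed  = errors.New("registration token already used")
)

// CheckRegistration rejects a registration unless the token's owner and
// repository match the target exactly. IDs outside the token's scope must be
// zero on both sides, so a repo token cannot be replayed one level up and an
// owner token cannot be pushed down into a repository.
func CheckRegistration(tok RegistrationToken, target RegistrationTarget) error {
	if tok.Used {
		return ErrTokenUsed
	}
	wantOwner, wantRepo := int64(0), int64(0)
	switch tok.Scope {
	case ScopeGlobal:
		// nothing to match: a global token registers a global runner only
	case ScopeOwner:
		wantOwner = tok.OwnerID
	case ScopeRepo:
		wantOwner, wantRepo = tok.OwnerID, tok.RepoID
	default:
		return fmt.Errorf("unknown token scope %d", tok.Scope)
	}
	if target.OwnerID != wantOwner || target.RepoID != wantRepo {
		return ErrTokenScope
	}
	return nil
}

func main() {
	// Constructed token: issued for repository 42 owned by owner 7.
	tok := RegistrationToken{Scope: ScopeRepo, OwnerID: 7, RepoID: 42}
	fmt.Println("own repo:   ", CheckRegistration(tok, RegistrationTarget{OwnerID: 7, RepoID: 42}))
	fmt.Println("other repo: ", CheckRegistration(tok, RegistrationTarget{OwnerID: 7, RepoID: 43}))
	fmt.Println("owner level:", CheckRegistration(tok, RegistrationTarget{OwnerID: 7}))
}
```

Comparing both IDs against values chosen by the token's scope, rather than only the IDs the request happens to carry, is what makes the check symmetric: a mismatch in either direction (wrong repository, or a narrower token used for a wider runner) is refused with the same error.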
* Performance optimization for git push (#30104) (#30354) | Lunny Xiao | 2024-04-10 | 1 file | -41/+44
  The Agit returned result should come from the `ProcReceive` hook, not the `PostReceive` hook. Then, for all non-agit pull requests, it will not check the pull requests for every push to `refs/pull/%d/head`.
  Backport #30104
* Fix possible renderer security problem (#30136) (#30315) | Lunny Xiao | 2024-04-09 | 1 file | -8/+7
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Escape paths for find file correctly (#30026) (#30031) | wxiaoguang | 2024-03-23 | 1 file | -2/+3
  Backport #30026
* Fix bugs in rerunning jobs (#29955) (#29983) | Giteabot | 2024-03-22 | 2 files | -6/+30
  Backport #29955 by @Zettat123
  Fix #28761
  Fix #27884
  Fix #28093
  ## Changes
  ### Rerun all jobs
  When rerunning all jobs, the status of the jobs with `needs` will be set to `blocked` instead of `waiting`. Therefore, these jobs will not run until the required jobs are completed.
  ### Rerun a single job
  When a single job is rerun, its dependents should also be rerun, just like GitHub does (https://github.com/go-gitea/gitea/issues/28761#issuecomment-2008620820). In this case, only the specified job will be set to `waiting`; its dependents will be set to `blocked` to wait for the job.
  ### Show warning if every job has `needs`
  If every job in a workflow has `needs`, all jobs will be blocked and no job can be run. So I add a warning message.
  ![image](https://github.com/go-gitea/gitea/assets/15528715/88f43511-2360-465d-be96-ee92b57ff67b)
  ---------
  Co-authored-by: Zettat123 <zettat123@gmail.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Performance improvements for pull request list page (#29900) (#29972) | Lunny Xiao | 2024-03-22 | 3 files | -13/+14
  This PR will avoid loading pullrequest.Issue twice on the pull request list page. It will reduce the database queries x times for those WIP pull requests.
  Partially fix #29585
  Backport #29900
* Add cache for dashboard commit status (#29932) | Lunny Xiao | 2024-03-20 | 2 files | -22/+10
  backport #29444
* Only do counting when count_only=true for repo dashboard (#29884) (#29905) | Lunny Xiao | 2024-03-20 | 1 file | -10/+14
  Ref: #29878
  Backport #29884
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix PR creation via API between branches of same repo with head field namespaced (#26986) (#29857) | Giteabot | 2024-03-20 | 1 file | -0/+2
  Backport #26986 by @norohind
  Fix #20175
  The current implementation of the API does not allow creating pull requests between branches of the same repo when you specify the *namespace* (owner of the repo) in the `head` field of the HTTP request body.
  ---------
  Co-authored-by: norohind <60548839+norohind@users.noreply.github.com>
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Fix template error when comment review doesn't exist (#29888) (#29889) | wxiaoguang | 2024-03-19 | 1 file | -0/+17
  Backport #29888
* Editor error message misleading due to re-used key (#29859) (#29876) | Giteabot | 2024-03-18 | 1 file | -2/+2
  Backport #29859 by @buckybytes
  The error message `editor.file_changed_while_editing = The file contents have changed since you started editing. <a target="_blank" rel="noopener noreferrer" href="%s">Click here</a> to see them or <strong>Commit Changes again</strong> to overwrite them.` is re-used in inappropriate contexts. The link in the key goes to a 404 when the key is used in a situation where the file contents have not changed.
  Added two new keys to differentiate the commit id mismatch and push out of date conditions.
  Co-authored-by: buckybytes <158571971+buckybytes@users.noreply.github.com>
* Fix codeowner detected diff base branch to mergebase (#29783) (#29807) | Lunny Xiao | 2024-03-17 | 2 files | -2/+2
  Fix #29763
  Backport #29783
  This PR fixes 2 problems with CodeOwner in the pull request.
  - Don't use the pull request base branch but merge-base as a diff base to detect the code owner.
  - CodeOwner detection in fork repositories will be disabled because almost all the fork repositories will not change CODEOWNERS files but it should not be used on fork repositories' pull requests.
  ---------
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix user router possible panic (#29751) (#29786) | Lunny Xiao | 2024-03-14 | 1 file | -2/+5
  regression from #28023
  backport #29751
* Make runs-on support variable expression (#29468) (#29782) | sillyguodong | 2024-03-14 | 1 file | -62/+12
  backport #29468
  Close issue: https://gitea.com/gitea/act_runner/issues/445
  Follow: https://gitea.com/gitea/act/pulls/91
  Move `getSecretsOfTask` and `getVariablesOfTask` under models because of circular dependency issues.
* Use Get but not Post to get actions artifacts (#29734) (#29737) | Lunny Xiao | 2024-03-12 | 1 file | -1/+1
  backport #29734
* Fix 500 when deleting account with incorrect password or unsupported login type (#29579) (#29656) | Lunny Xiao | 2024-03-08 | 1 file | -2/+17
  Fix #26210
  Backport #29579
  Co-authored-by: Jason Song <i@wolfogre.com>
* Add missing database transaction for new issue (#29490) (#29607) | Lunny Xiao | 2024-03-05 | 5 files | -17/+13
  When creating an issue, inserting the issue, assigning users and setting the project should be in the same transaction.
  Backport #29490
* Make "/user/login" page redirect if the current user has signed in (#29583) (#29599) | wxiaoguang | 2024-03-05 | 3 files | -11/+63
  Backport #29583
* Add a trailing slash to dashboard links (#29555) (#29573) | wxiaoguang | 2024-03-04 | 1 file | -0/+17
  Backport #29555
* Fix 500 when pushing release to an empty repo (#29554) (#29564) | Giteabot | 2024-03-03 | 1 file | -0/+5
  Backport #29554 by @lng2020
  As title. The former code directly used `ctx.Repo.GitRepo`, causing 500.
  https://github.com/go-gitea/gitea/blob/22b4f0c09f1de5e581929bd10f39833d30d2c482/routers/api/v1/repo/release.go#L241
  Co-authored-by: Nanguan Lin <nanguanlin6@gmail.com>
* Only use supported sort order for "explore/users" page (#29430) (#29443) | wxiaoguang | 2024-03-03 | 2 files | -7/+35
  Backport #29430
  Thanks to inferenceus: some sort orders on the "explore/users" page could list users by their lastlogintime/updatetime. It leaks user's activity unintentionally.
  This PR makes that page only use "supported" sort orders.
  Removing the "sort orders" could also be a good solution, while IMO at the moment keeping the "create time" and "name" orders is also fine, in case some users would like to find a target user in the search result, the "sort order" might help.
* Fix incorrect cookie path for AppSubURL (#29534) (#29552) | Giteabot | 2024-03-03 | 1 file | -0/+1
  Backport #29534
  Regression of #24107
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix incorrect redirection when creating a PR fails (#29537) (#29543) | Giteabot | 2024-03-02 | 1 file | -1/+1
  Backport #29537 by wxiaoguang
  This is only a quick fix to make it easier to backport.
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix incorrect relative/absolute URL usages (#29531) (#29547) | Giteabot | 2024-03-02 | 2 files | -2/+3
  Backport #29531 by wxiaoguang
  Add two "HTMLURL" methods for PackageDescriptor. And rename "FullWebLink" to "VersionWebLink"
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix issue & comment history bugs (#29525) (#29527) | Giteabot | 2024-03-02 | 1 file | -1/+5
  Backport #29525 by @wxiaoguang
  * Follow #17746: `HasIssueContentHistory` should use expr builder to make sure zero value (0) be respected.
  * Add "doer" check to make sure `canSoftDeleteContentHistory` can only be called by signed-in users.
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix wrong test usage of `AppSubURL` (#29459) (#29488) | Giteabot | 2024-02-29 | 1 file | -9/+9
  Backport #29459 by @KN4CK3R
  The tests use an invalid `setting.AppSubURL`. The wrong behaviour disturbs other PRs like #29222 and #29427.
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Fix missed return (#29450) (#29453) | Giteabot | 2024-02-27 | 1 file | -0/+1
  Backport #29450 by @lunny
  Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Not trigger all jobs any more, when re-running the first job (#29439) (#29441) | Giteabot | 2024-02-27 | 1 file | -3/+8
  Backport #29439 by @sillyguodong
  Previously, it will be treated as "re-run all jobs" when `jobIndex == 0`. So when you click re-run button on the first job, it triggers all the jobs actually. Caused by #26535.
  Co-authored-by: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
* Do not double close reader (#29354) (#29370) | Giteabot | 2024-02-24 | 1 file | -3/+0
  Backport #29354 by @KN4CK3R
  Fixes #29346
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Display friendly error message (#29105) (#29363) | Lunny Xiao | 2024-02-24 | 1 file | -7/+7
  Backport #29105
  `ctx.Error` only displays the text but `ctx.ServerError` renders the usual error page.
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Fix validity of the FROM email address not being checked (#29347) (#29360) | Giteabot | 2024-02-24 | 1 file | -0/+6
  Backport #29347 by @carlosfelgueiras
  Fixes #27188.
  Introduces a check on the installation that tries to parse the FROM address. If it fails, shows a new error message to the user.
  Co-authored-by: Carlos Felgueiras <carlosfelgueiras@tecnico.ulisboa.pt>
  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Fix project counter in organization/individual profile (#28068) (#29361) | Lunny Xiao | 2024-02-24 | 1 file | -0/+17
  Fix #28052
  Backport #28068
  Before:
  ![image](https://github.com/go-gitea/gitea/assets/18380374/5f299983-4b38-4d68-ac0e-4be3c62c0558)
  ![image](https://github.com/go-gitea/gitea/assets/18380374/f0e12afd-483b-4882-80e9-0261beb3fe0c)
  After:
  ![image](https://github.com/go-gitea/gitea/assets/18380374/47cccb7b-bb35-4a7d-9c5b-83133be0323a)
  ![image](https://github.com/go-gitea/gitea/assets/18380374/77825c0c-4bf2-4762-83a2-1a5a173cc22d)
  Co-authored-by: yp05327 <576951401@qq.com>
* Use general token signing secret (#29205) (#29325) | wxiaoguang | 2024-02-22 | 1 file | -1/+1
  Backport #29205 (including #29172)
  Use a clearly defined "signing secret" for token signing.
* Fix error display when merging PRs (#29288) (#29309) | Zettat123 | 2024-02-22 | 1 file | -4/+4
  Backport #29288
  Partially fix #29071, regression of Modernize merge button #28140
  Fix some missing `Redirect` -> `JSONRedirect`.
  Thanks @yp05327 for the help in https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075
* Disallow merge when required checks are missing (#29143) (#29268) | Markus Amshove | 2024-02-19 | 1 file | -0/+30
  backport #29143
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix bug when the linked account was deactivated and list the linked accounts (#29263) | Lunny Xiao | 2024-02-19 | 2 files | -5/+5
  The bug has been fixed in v1.22 but not backported to v1.21. The original PR has many refactors so I don't think it's necessary to backport all of them.
  Fix #28667
* Load outdated comments when (un)resolving conversation on PR timeline (#29203) (#29221) | Jimmy Praet | 2024-02-18 | 2 files | -3/+4
  Backport #29203
  Relates to #28654, #29039 and #29050.
  The "show outdated comments" flag should only apply to the file diff view. On the PR timeline, outdated comments are always shown. So they should also be loaded when (un)resolving a conversation on the timeline page.
* Refactor issue template parsing and fix API endpoint (#29069) (#29140) | wxiaoguang | 2024-02-14 | 4 files | -19/+17
  Backport #29069
  The old code `GetTemplatesFromDefaultBranch(...) ([]*api.IssueTemplate, map[string]error)` doesn't really follow Golang's habits, so the second returned value might be misused. For example, the API function `GetIssueTemplates` incorrectly checked the second returned value and always responded with a 500 error.
  This PR refactors GetTemplatesFromDefaultBranch to ParseTemplatesFromDefaultBranch and clarifies its behavior, fixes the API endpoint bug, and adds some tests.
  And by the way, add the proper prefix `X-` for the header generated in `checkDeprecatedAuthMethods`, because non-standard HTTP headers should have an `X-` prefix, and it is also consistent with the new code in `GetIssueTemplates`.
* Fix swift packages not resolving (#29095) (#29102) | CEnnis91 | 2024-02-08 | 1 file | -1/+1
* Improve user experience for outdated comments (#29050) (#29086) | Giteabot | 2024-02-08 | 3 files | -15/+84
  Backport #29050 by wxiaoguang
  Try to improve #28949
  1. Make `ctx.Data["ShowOutdatedComments"] = true` by default: it brings a consistent user experience, and sometimes the "outdated (source changed)" comments are still valuable.
  2. Show a friendly message if the comment won't show, so the end users won't feel that "the comment disappears" (it is the special case when `ShowOutdatedComments = false`).
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Do not render empty comments (#29039) (#29049) | Giteabot | 2024-02-04 | 1 file | -1/+10
  Backport #29039 by wxiaoguang
  Follow #28654
  The `comments` might be empty, so the templates shouldn't (and couldn't) use it to render. When there is no comment, the UI should also be updated to empty, so returning an empty body is good enough.
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>