Commit Graph

4296 Commits

Author SHA1 Message Date
Giteabot ec4fa231c7
use existing oauth grant for public client (#31015) (#31041)
Backport #31015 by @denyskon

Do not try to create a new authorization grant when one exists already,
thus preventing a DB-related authorization issue.

Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426

Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-05-21 17:33:00 +00:00
Giteabot 33d4d32096
Move reverproxyauth before session so the header will not be ignored even if user has login (#27821) (#30947)
Backport #27821 by @lunny

When a user logout and then login another user, the reverseproxy auth
should be checked before session otherwise the old user is still login.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-05-12 10:26:01 +08:00
yp05327 30a593dfbb
Fix network error when open/close organization/individual projects and redirect to project page (#30387) (#30911)
Backport #30387
Fix #30901
2024-05-09 14:44:43 +08:00
Giteabot 1389fa8a99
Prevent automatic OAuth grants for public clients (#30790) (#30835)
Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section
10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: Archer <archer@beezig.eu>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-05-02 20:39:48 +02:00
Lunny Xiao d95408bd5d
Use maintained gziphandler (#30592) (#30638)
Replace #27894
Backport #30592

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-23 02:39:27 +00:00
Giteabot 79484e1cb7
Fix HEAD method for robots.txt (#30603) (#30604)
Backport #30603 by wxiaoguang

Fix #30601
2024-04-19 22:43:50 +08:00
wxiaoguang 667427b4b9
Fix project description rendering for org (#30587) (#30599)
Backport #30587

Manually tested with 1.21:



![image](https://github.com/go-gitea/gitea/assets/2114189/fbe9a2c9-0563-4d69-bcdb-8e5e41f288a1)
2024-04-19 13:28:18 +00:00
yp05327 a82bf022bf
Fix empty field login_name in API response JSON when creating user (#30511) (#30532)
Backport #30511
Fix ci error in #30515
2024-04-17 11:06:12 +02:00
Giteabot 68bd1dd89d
Fix rename branch 500 when the target branch is deleted but exist in database (#30430) (#30437)
Backport #30430 by @lunny

Fix #30428

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-04-12 23:09:16 +08:00
Zettat123 55990ebf92
Check the token's owner and repository when registering a runner (#30406) (#30412)
Backport #30406

Fix #30378
2024-04-11 11:29:53 +00:00
Lunny Xiao 6e3aaa9975
Performance optimization for git push (#30104) (#30354)
Agit returned result should be from `ProcReceive` hook but not
`PostReceive` hook. Then for all non-agit pull requests, it will not
check the pull requests for every pushing `refs/pull/%d/head`.

Backport #30104
2024-04-10 14:12:19 +08:00
Lunny Xiao 65d96725bb
Fix possible renderer security problem(#30136) (#30315)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-09 00:24:35 +02:00
wxiaoguang 2172b38d50
Escape paths for find file correctly (#30026) (#30031)
Backport #30026
2024-03-23 17:21:57 +01:00
Giteabot f91b4dd959
Fix bugs in rerunning jobs (#29955) (#29983)
Backport #29955 by @Zettat123

Fix #28761
Fix #27884
Fix #28093

## Changes

### Rerun all jobs
When rerun all jobs, status of the jobs with `needs` will be set to
`blocked` instead of `waiting`. Therefore, these jobs will not run until
the required jobs are completed.

### Rerun a single job
When a single job is rerun, its dependents should also be rerun, just
like GitHub does
(https://github.com/go-gitea/gitea/issues/28761#issuecomment-2008620820).
In this case, only the specified job will be set to `waiting`, its
dependents will be set to `blocked` to wait the job.

### Show warning if every job has `needs`
If every job in a workflow has `needs`, all jobs will be blocked and no
job can be run. So I add a warning message.

<img
src="https://github.com/go-gitea/gitea/assets/15528715/88f43511-2360-465d-be96-ee92b57ff67b"
width="480px" />

---------

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-22 03:57:10 +00:00
Lunny Xiao 6ef986d474
Performance improvements for pull request list page (#29900) (#29972)
This PR will avoid load pullrequest.Issue twice in pull request list
page. It will reduce x times database queries for those WIP pull
requests.

Partially fix #29585
Backport #29900
2024-03-22 09:58:04 +08:00
Lunny Xiao 3fd15aeff2
Add cache for dashbaord commit status (#29932)
backport #29444
2024-03-20 10:34:40 +00:00
Lunny Xiao 5f7b6b55a5
Only do counting when count_only=true for repo dashboard (#29884) (#29905)
Ref: #29878
Backport #29884

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-20 11:02:35 +08:00
Giteabot 408c92938b
Fix PR creation via api between branches of same repo with head field namespaced (#26986) (#29857)
Backport #26986 by @norohind

Fix #20175

Current implementation of API does not allow creating pull requests
between branches of the same
repo when you specify *namespace* (owner of the repo) in `head` field in
http request body.

---------

Co-authored-by: norohind <60548839+norohind@users.noreply.github.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-20 09:38:30 +08:00
wxiaoguang b9dd5dd471
Fix template error when comment review doesn't exist (#29888) (#29889)
Backport #29888
2024-03-19 15:00:01 +08:00
Giteabot 00ea9af8e1
Editor error message misleading due to re-used key. (#29859) (#29876)
Backport #29859 by @buckybytes

The error message:

`editor.file_changed_while_editing = The file contents have changed
since you started editing. <a target="_blank" rel="noopener noreferrer"
href="%s">Click here</a> to see them or <strong>Commit Changes
again</strong> to overwrite them.`

Is re-used in inappropriate contexts. The link in the key goes to a 404
when the key is used in a situation where the file contents have not
changed.

Added two new keys to differentiate commit id mismatch and push out of
date conditions.

Co-authored-by: buckybytes <158571971+buckybytes@users.noreply.github.com>
2024-03-18 14:45:43 +08:00
Lunny Xiao 85f31eb643
Fix codeowner detected diff base branch to mergebase (#29783) (#29807)
Fix #29763
Backport #29783 

This PR fixes 2 problems with CodeOwner in the pull request.
- Don't use the pull request base branch but merge-base as a diff base
to detect the code owner.
- CodeOwner detection in fork repositories will be disabled because
almost all the fork repositories will not change CODEOWNERS files but it
should not be used on fork repositories' pull requests.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-17 02:40:06 +01:00
Lunny Xiao 61db562a5f
Fix user router possbile panic (#29751) (#29786)
regression from #28023
backport #29751
2024-03-14 12:44:14 +08:00
sillyguodong 538efb9df7
Make runs-on support variable expression (#29468) (#29782)
backport #29468 

Close issue: https://gitea.com/gitea/act_runner/issues/445
Follow: https://gitea.com/gitea/act/pulls/91

Move `getSecretsOfTask` and `getVariablesOfTask` under models because of
circular dependency issues.
2024-03-14 10:19:01 +08:00
Lunny Xiao 8c31456a87
Use Get but not Post to get actions artifacts (#29734) (#29737)
backport #29734
2024-03-12 17:31:45 +01:00
Lunny Xiao a129c0c06c
Fix 500 when deleting account with incorrect password or unsupported login type (#29579) (#29656)
Fix #26210
Backport #29579

Co-authored-by: Jason Song <i@wolfogre.com>
2024-03-08 15:43:57 +01:00
Lunny Xiao 5667ef9aab
Add missing database transaction for new issue (#29490) (#29607)
When creating an issue, inserting issue, assign users and set project
should be in the same transaction.

Backport #29490
2024-03-05 16:37:55 +00:00
wxiaoguang 02df269d24
Make "/user/login" page redirect if the current user has signed in (#29583) (#29599)
Backport #29583
2024-03-05 21:03:45 +08:00
wxiaoguang 4ef7e496b8
Add a trailing slash to dashboard links (#29555) (#29573)
Backport #29555
2024-03-04 13:50:55 +08:00
Giteabot b84303ef6e
Fix 500 when pushing release to an empty repo (#29554) (#29564)
Backport #29554 by @lng2020

As title. 
The former code directly used `ctx.Repo.GitRepo`, causing 500.

22b4f0c09f/routers/api/v1/repo/release.go (L241)

Co-authored-by: Nanguan Lin <nanguanlin6@gmail.com>
2024-03-03 17:10:22 +00:00
wxiaoguang 2b059f493e
Only use supported sort order for "explore/users" page (#29430) (#29443)
Backport #29430

Thanks to inferenceus : some sort orders on the "explore/users" page
could list users by their lastlogintime/updatetime.

It leaks user's activity unintentionally. This PR makes that page only
use "supported" sort orders.

Removing the "sort orders" could also be a good solution, while IMO at
the moment keeping the "create time" and "name" orders is also fine, in
case some users would like to find a target user in the search result,
the "sort order" might help.
2024-03-03 02:28:45 +00:00
Giteabot 5ca2971ccb
Fix incorrect cookie path for AppSubURL (#29534) (#29552)
Backport #29534
Regression of #24107

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-03 08:54:33 +08:00
Giteabot 971eab18fa
Fix incorrect redirection when creating a PR fails (#29537) (#29543)
Backport #29537 by wxiaoguang

This is only a quick fix to make it easier to backport.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-02 20:01:19 +00:00
Giteabot 8723389028
Fix incorrect relative/absolute URL usages (#29531) (#29547)
Backport #29531 by wxiaoguang

Add two "HTMLURL" methods for PackageDescriptor. 
And rename "FullWebLink" to "VersionWebLink"

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-02 18:00:15 +00:00
Giteabot a86d9337e9
Fix issue & comment history bugs (#29525) (#29527)
Backport #29525 by @wxiaoguang

* Follow #17746: `HasIssueContentHistory` should use expr builder to
make sure zero value (0) be respected.
* Add "doer" check to make sure `canSoftDeleteContentHistory` only be
called by sign-in users.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-02 08:45:48 +08:00
Giteabot c293e34df0
Fix wrong test usage of `AppSubURL` (#29459) (#29488)
Backport #29459 by @KN4CK3R

The tests use an invalid `setting.AppSubURL`. The wrong behaviour
disturbs other PRs like #29222 and #29427.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-29 14:40:35 +08:00
Giteabot 2df38af752
Fix missed return (#29450) (#29453)
Backport #29450 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-02-27 23:33:03 +08:00
Giteabot 9456deb512
Not trigger all jobs any more, when re-running the first job (#29439) (#29441)
Backport #29439 by @sillyguodong

Previously, it will be treated as "re-run all jobs" when `jobIndex ==
0`. So when you click re-run button on the first job, it triggers all
the jobs actually.

Caused by #26535.

Co-authored-by: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
2024-02-27 16:18:49 +08:00
Giteabot e75594f7a6
Do not double close reader (#29354) (#29370)
Backport #29354 by @KN4CK3R

Fixes #29346

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-24 12:08:06 +00:00
Lunny Xiao a1c0b3a02e
Display friendly error message (#29105) (#29363)
Backport #29105 

`ctx.Error` only displays the text but `ctx.ServerError` renders the
usual error page.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-24 11:01:18 +00:00
Giteabot 35db5a373b
Fix validity of the FROM email address not being checked (#29347) (#29360)
Backport #29347 by @carlosfelgueiras

Fixes #27188.
Introduces a check on the installation that tries to parse the FROM
address. If it fails, shows a new error message to the user.

Co-authored-by: Carlos Felgueiras <carlosfelgueiras@tecnico.ulisboa.pt>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-02-24 08:23:21 +00:00
Lunny Xiao 5043ad54c7
Fix project counter in organization/individual profile (#28068) (#29361)
Fix #28052
Backport #28068 
Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f299983-4b38-4d68-ac0e-4be3c62c0558)

![image](https://github.com/go-gitea/gitea/assets/18380374/f0e12afd-483b-4882-80e9-0261beb3fe0c)

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/47cccb7b-bb35-4a7d-9c5b-83133be0323a)

![image](https://github.com/go-gitea/gitea/assets/18380374/77825c0c-4bf2-4762-83a2-1a5a173cc22d)

Co-authored-by: yp05327 <576951401@qq.com>
2024-02-24 07:58:43 +00:00
wxiaoguang 511298e452
Use general token signing secret (#29205) (#29325)
Backport #29205 (including #29172)

Use a clearly defined "signing secret" for token signing.
2024-02-22 17:07:41 +00:00
Zettat123 dcb9c38568
Fix error display when merging PRs (#29288) (#29309)
Backport #29288
Partially fix #29071, regression of Modernize merge button #28140 

Fix some missing `Redirect` -> `JSONRedirect`.

Thanks @yp05327 for the help in
https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075
2024-02-22 03:32:54 +01:00
Markus Amshove 78f41e4fc4
Disallow merge when required checked are missing (#29143) (#29268)
backport #29143

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-19 20:48:17 +00:00
Lunny Xiao e2eac7574f
Fix bug when the linked account was disactived and list the linked accounts (#29263)
The bug has been fixed on v1.22 but not backport to v1.21.
This original PR have many refactors so I don't think it's necessary to
backport all of them.

Fix #28667
2024-02-19 15:23:47 +00:00
Jimmy Praet 3604b7d8ad
Load outdated comments when (un)resolving conversation on PR timeline (#29203) (#29221)
Backport #29203

Relates to #28654, #29039 and #29050.

The "show outdated comments" flag should only apply to the file diff
view.
On the PR timeline, outdated comments are always shown. So they should
also be loaded when (un)resolving a conversation on the timeline page.
2024-02-18 06:58:26 +00:00
wxiaoguang dd8bc1d61d
Refactor issue template parsing and fix API endpoint (#29069) (#29140)
Backport #29069

The old code `GetTemplatesFromDefaultBranch(...) ([]*api.IssueTemplate,
map[string]error)` doesn't really follow Golang's habits, then the
second returned value might be misused. For example, the API function
`GetIssueTemplates` incorrectly checked the second returned value and
always responds 500 error.

This PR refactors GetTemplatesFromDefaultBranch to
ParseTemplatesFromDefaultBranch and clarifies its behavior, and fixes
the API endpoint bug, and adds some tests.

And by the way, add proper prefix `X-` for the header generated in
`checkDeprecatedAuthMethods`, because non-standard HTTP headers should
have `X-` prefix, and it is also consistent with the new code in
`GetIssueTemplates`
2024-02-14 01:32:31 +00:00
CEnnis91 1aaeec6da7
Fix swift packages not resolving (#29095) (#29102) 2024-02-08 18:26:54 +00:00
Giteabot c9b2aaed0e
Improve user experience for outdated comments (#29050) (#29086)
Backport #29050 by wxiaoguang

Try to improve #28949

1. Make `ctx.Data["ShowOutdatedComments"] = true` by default: it brings
consistent user experience, and sometimes the "outdated (source
changed)" comments are still valuable.
2. Show a friendly message if the comment won't show, then the end users
won't fell that "the comment disappears" (it is the special case when
`ShowOutdatedComments = false`)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-08 10:29:54 +08:00
Giteabot aadbbf4358
Do not render empty comments (#29039) (#29049)
Backport #29039 by wxiaoguang

Follow #28654

The `comments` might be empty, so the templates shouldn't (and couldn't)
use it to render. When there is no comment, the UI should also be
updated to empty, so returning an empty body is good enough.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-04 13:25:58 +00:00