Commit Graph

4596 Commits

Author SHA1 Message Date
Lunny Xiao cf2d332443
Refactor find forks and fix possible bugs that weak permissions check (#32528) (#32547)
Backport #32528

- Move models/GetForks to services/FindForks
- Add doer as a parameter of FindForks to check permissions
- Slight performance optimization for get forks API with batch loading
of repository units
- Add tests for forking repository to organizations

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-11-19 04:08:32 +00:00
Lunny Xiao 673fee427e
Refactor push mirror find and add check for updating push mirror (#32539) (#32549)
backport #32539

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-11-18 23:55:27 +08:00
Giteabot b6eef34874
Fix artifact v4 upload above 8MB (#31664) (#32523) 2024-11-16 09:15:33 -08:00
Giteabot 257ce61023
Fix oauth2 error handle not return immediately (#32514) (#32516)
Backport #32514 by lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-11-15 11:27:04 +08:00
wxiaoguang ef339713c2
Refactor internal routers (partial backport, auth token const time comparing) (#32473) (#32479)
Partially backport #32473. LFS related changes are not in 1.22, so skip
them.

1. Ignore non-existing repos during migrations
2. Improve ReadBatchLine's comment
3. Use `X-Gitea-Internal-Auth` header for internal API calls and make
the comparing constant time (it wasn't a serous problem because in a
real world it's nearly impossible to timing-attack the token, but indeed
security related and good to fix and backport)
4. Fix route mock nil check
2024-11-13 10:26:37 +08:00
Zettat123 898f852d03
Fix `missing signature key` error when pulling Docker images with `SERVE_DIRECT` enabled (#32365) (#32397)
Backport #32365

Fix #28121

I did some tests and found that the `missing signature key` error is
caused by an incorrect `Content-Type` header. Gitea correctly sets the
`Content-Type` header when serving files.


348d1d0f32/routers/api/packages/container/container.go (L712-L717)
However, when `SERVE_DIRECT` is enabled, the `Content-Type` header may
be set to an incorrect value by the storage service. To fix this issue,
we can use query parameters to override response header values.

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html <img
width="600px"

src="https://github.com/user-attachments/assets/f2ff90f0-f1df-46f9-9680-b8120222c555"
/>

In this PR, I introduced a new parameter to the `URL` method to support
additional parameters.

```
URL(path, name string, reqParams url.Values) (*url.URL, error)
```
2024-11-01 03:53:59 +00:00
6543 9d62d7a443
Respect UI.ExploreDefaultSort setting again (#32357) (#32385)
Backport #32357

fix regression of https://github.com/go-gitea/gitea/pull/29430

---
*Sponsored by Kithara Software GmbH*
2024-10-31 13:49:09 +08:00
Lunny Xiao bf53ab26fa
Fix disable 2fa bug (#32320) (#32330)
Backport #32320
2024-10-25 17:54:56 +08:00
Zettat123 0d11ba93dd
Fix the permission check for user search API and limit the number of returned users for `/user/search` (#32310)
Partially backport #32288

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-10-23 04:56:13 +00:00
6543 b6f8372d7d
API: enhance SearchIssues swagger docs (#32208) (#32298)
Backport  #32208

This will result in better api clients generated out of the openapi docs for SearchIssues

---
*Sponsored by Kithara Software GmbH*
2024-10-21 08:32:34 +08:00
wxiaoguang db7349bc0d
Make `owner/repo/pulls` handlers use "PR reader" permission (#32254) (#32265)
Backport #32254 (no conflict)
2024-10-15 22:32:54 +08:00
Lunny Xiao 56051d9b3b
Fix bug when a token is given public only (#32204) (#32218)
Backport #32204
2024-10-09 02:16:37 +00:00
Lunny Xiao 2e3a191097
Fix javascript error when an anonymous user visiting migration page (#32144) (#32179)
backport #32144

This PR fixes javascript errors when an anonymous user visits the
migration page.
It also makes task view checking more restrictive.

The router moved from `/user/task/{id}/status` to
`/username/reponame/-/migrate/status` because it's a migrate status.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-10-04 17:58:04 +00:00
Giteabot 9fc3915e04
Fix the logic of finding the latest pull review commit ID (#32139) (#32165)
Backport #32139 by @Zettat123

Fix #31423

Co-authored-by: Zettat123 <zettat123@gmail.com>
2024-10-01 13:10:03 +09:00
Zettat123 737c947287
Fix bug in getting merged pull request by commit (#32079) (#32117)
Backport #32079

Fix #32027
2024-09-25 00:12:02 +08:00
Giteabot 0f834f052b
Allow set branch protection in an empty repository (#32095) (#32119)
Backport #32095 by @lunny

Resolve #32093

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-09-24 11:42:52 +09:00
Giteabot d5d5fb1925
Fix Bug in Issue/pulls list (#32081) (#32115) 2024-09-24 01:26:10 +00:00
Giteabot 1f8cbbab3d
Fix rename branch permission bug (#32066) (#32108)
Backport #32066 by @lunny

The previous implementation requires admin permission to rename branches
which should be write permission.

Fix #31993

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-09-22 19:43:13 +00:00
Giteabot af0cab23ea
Fix wrong last modify time (#32102) (#32104)
Backport #32102 by @lunny

Fix #31930 and more places which use `http.TimeFormat` wrongly.
`http.TimeFormat` requires a UTC time. refer to
https://pkg.go.dev/net/http#TimeFormat

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-09-22 19:12:57 +00:00
Giteabot 919b82461a
Fix incorrect `/tokens` api (#32085) (#32092)
Backport #32085 by @KN4CK3R

Fixes #32078

- Add missing scopes output.
- Disallow empty scope.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-09-22 18:02:09 +00:00
wxiaoguang 2891edbbcb
Refactor CSRF protector (#32057) (#32069)
#32057 improves the CSRF handling and is worth to backport
2024-09-18 17:02:45 +00:00
Giteabot e6395e1e81
Handle invalid target when creating releases using API (#31841) (#32043)
Backport #31841 by @kemzeb

A 500 status code was thrown when passing a non-existent target to the
create release API. This snapshot handles this error and instead throws
a 404 status code.

Discovered while working on #31840.

Co-authored-by: Kemal Zebari <60799661+kemzeb@users.noreply.github.com>
2024-09-17 02:23:40 +00:00
Giteabot 3d7d0c36e7
Check if the `due_date` is nil when editing issues (#32035) (#32042)
Backport #32035 by @Zettat123

Fix #32030

Co-authored-by: Zettat123 <zettat123@gmail.com>
2024-09-15 01:31:34 +08:00
Lunny Xiao 30d989d411
Fix container parallel upload bugs (#32022)
This PR should be replaced by #31860 in v1.23. The aim of creating this
PR is to fix it in 1.22 because globallock hasn't been introduced.

Fix #27640
Fix #29563
Fix #31215
2024-09-12 03:11:03 +00:00
Giteabot b39aa8528b
Fix nuget/conan/container packages upload bugs (#31967) (#31982)
Backport #31967 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-09-05 07:34:41 +00:00
Lunny Xiao 9c990ac043
Add lock for parallel maven upload (#31954)
Backport #31851 
Fix #30171
2024-09-03 14:33:28 +08:00
yp05327 cc1520221a
Fix sort order for organization home and user profile page (#31921) (#31922)
Backport #31921
2024-09-02 07:58:18 +00:00
Giteabot b5500cded1
Fix 500 error when `state` params is set when editing issue/PR by API (#31880) (#31952)
Backport #31880 by @yp05327

A quick fix for #31871

Co-authored-by: yp05327 <576951401@qq.com>
2024-09-01 18:38:10 +00:00
Giteabot 1d98d4e69a
Fix search team (#31923) (#31942)
Backport #31923 by @lunny

Fix #20658

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-08-30 00:05:21 +08:00
Lunny Xiao e060ae88e5
Don't return 500 if mirror url contains special chars (#31859) (#31895)
Backport #31859
2024-08-22 00:10:50 +08:00
Giteabot 0affb5c775
add CfTurnstileSitekey context data to all captcha templates (#31874) (#31876)
Backport #31874 by @bohde

In the OpenID flows, the "CfTurnstileSitekey" wasn't populated, which
caused those flows to fail if using Turnstile as the Captcha
implementation.

This adds the missing context variables, allowing Turnstile to be used
in the OpenID flows.

Co-authored-by: Rowan Bohde <rowan.bohde@gmail.com>
2024-08-20 14:45:08 +00:00
Giteabot 3fe1f73268
Fix raw wiki links (#31825) (#31845)
Backport #31825 by @Zettat123

Fix #31395

This regression is introduced by #30273. To find out how GitHub handles
this case, I did [some
tests](https://github.com/go-gitea/gitea/issues/31395#issuecomment-2278929115).

I use redirect in this PR instead of checking if the corresponding `.md`
file exists when rendering the link because GitHub also uses redirect.
With this PR, there is no need to resolve the raw wiki link when
rendering a wiki page. If a wiki link points to a raw file, access will
be redirected to the raw link.

---------

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-08-17 03:19:26 +00:00
Giteabot 1cf8f69b38
Avoid returning without written ctx when posting PR (#31843) (#31848)
Backport #31843 by @wolfogre

Fix #31625.

If `pull_service.NewPullRequest` return an error which misses each `if`
check, `CompareAndPullRequestPost` will return immediately, since it
doesn't write the HTTP response, a 200 response with empty body will be
sent to clients.

```go
	if err := pull_service.NewPullRequest(ctx, repo, pullIssue, labelIDs, attachments, pullRequest, assigneeIDs); err != nil {
		if repo_model.IsErrUserDoesNotHaveAccessToRepo(err) {
			ctx.Error(http.StatusBadRequest, "UserDoesNotHaveAccessToRepo", err.Error())
		} else if git.IsErrPushRejected(err) {
			// ...
			ctx.JSONError(flashError)
		} else if errors.Is(err, user_model.ErrBlockedUser) {
			// ...
			ctx.JSONError(flashError)
		} else if errors.Is(err, issues_model.ErrMustCollaborator) {
			// ...
			ctx.JSONError(flashError)
		}
		return
	}
```

Not sure what kind of error can cause it to happen, so this PR just
expose it. And we can fix it when users report that creating PRs failed
with error responses.

It's all my guess since I cannot reproduce the problem, but even if it's
not related, the code here needs to be improved.

Co-authored-by: Jason Song <i@wolfogre.com>
2024-08-16 13:50:12 -04:00
Giteabot 771fb453a1
Add missing repository type filter parameters to pager (#31832) (#31837)
Backport #31832 by @yp05327

Fix #31807

ps: the newly added params's value will be changed.
When the first time you selected the filter, the values of params will
be `0` or `1`
But in pager it will be `true` or `false`.
So do we have `boolToInt` function?

Co-authored-by: yp05327 <576951401@qq.com>
2024-08-16 20:41:45 +08:00
Giteabot a39fe53252
Show lock owner instead of repo owner on LFS setting page (#31788) (#31817)
Backport #31788 by @wolfogre

Fix #31784.

Before:

<img width="1648" alt="image"
src="https://github.com/user-attachments/assets/03f32545-4a85-42ed-bafc-2b193a5d8023">

After:

<img width="1653" alt="image"
src="https://github.com/user-attachments/assets/e5bcaf93-49cb-421f-aac1-5122bc488b02">

Co-authored-by: Jason Song <i@wolfogre.com>
2024-08-11 15:17:34 +00:00
Bo-Yi Wu e563297c34
fix(api): owner ID should be zero when created repo secret (#31715) (#31811)
- Change condition to include `RepoID` equal to 0 for organization
secrets

Backport https://github.com/go-gitea/gitea/pull/31715 by @appleboy

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2024-08-10 00:21:51 +08:00
Giteabot 8d11946d67
Fix protected branch files detection on pre_receive hook (#31778) (#31796)
Backport #31778 by @lunny

Fix #31738

When pushing a new branch, the old commit is zero. Most git commands
cannot recognize the zero commit id. To get the changed files in the
push, we need to get the first diverge commit of this branch. In most
situations, we could check commits one by one until one commit is
contained by another branch. Then we will think that commit is the
diverge point.

And in a pre-receive hook, this will be more difficult because all
commits haven't been merged and they actually stored in a temporary
place by git. So we need to bring some envs to let git know the commit
exist.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-08-08 03:08:30 +00:00
Giteabot 82003a3b47
Fix wiki revision pagination (#31760) (#31772)
Backport #31760 by @lunny

Fix #31755

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-08-04 10:45:41 +08:00
Giteabot 8591c918f6
Fix the display of project type for deleted projects (#31732) (#31734)
Backport #31732 by @yp05327

Fix: #31727
After:

![image](https://github.com/user-attachments/assets/1dfb4b31-3bd6-47f7-b126-650f33f453e2)

Co-authored-by: yp05327 <576951401@qq.com>
2024-07-30 14:05:14 +08:00
Giteabot ec467c344f
Set owner id to zero when GetRegistrationToken for repo (#31725) (#31729)
Backport #31725 by @wolfogre

Fix #31707.

It's split from #31724.

Although #31724 could also fix #31707, it has change a lot so it's not a
good idea to backport it.

Co-authored-by: Jason Song <i@wolfogre.com>
2024-07-30 09:57:43 +08:00
Giteabot 7b37f77f1a
Fix API endpoint for registration-token (#31722) (#31728)
Backport #31722 by @wolfogre

Partially fix #31707. Related to #30656.

Co-authored-by: Jason Song <i@wolfogre.com>
2024-07-29 21:15:07 +03:00
yp05327 d3f0867204
Add permission check when creating PR (#31033) (#31720)
Backport #31033

user should be a collaborator of the base repo to create a PR
2024-07-29 14:11:29 +08:00
wxiaoguang 042e9fcd81
Fix rendered wiki page link (#31398) (#31407)
Backport #31398

Fix #31395
2024-06-19 11:23:24 +08:00
wxiaoguang fa307167f9
Fix missing images in editor preview due to wrong links (#31299) (#31393)
Backport #31299

Parse base path and tree path so that media links can be correctly
created with /media/.

Resolves #31294

---------

Co-authored-by: Brecht Van Lommel <brecht@blender.org>
2024-06-17 15:07:21 +08:00
Giteabot 3f44844244
Allow downloading attachments of draft releases (#31369) (#31380)
Backport #31369 by Zettat123

Fix #31362

Co-authored-by: Zettat123 <zettat123@gmail.com>
2024-06-16 20:55:14 +08:00
wxiaoguang 52925e9c7c
Fix duplicate sub-path for avatars (#31365) (#31368)
Backport #31365, only backport necessary changes.
2024-06-15 03:44:44 +00:00
Giteabot b1ad8ccb73
Reduce memory usage for chunked artifact uploads to MinIO (#31325) (#31338)
Backport #31325 by @bohde

When using the MinIO storage driver for Actions Artifacts, we found that
the chunked artifact required significantly more memory usage to both
upload and merge than the local storage driver. This seems to be related
to hardcoding a value of `-1` for the size to the MinIO client [which
has a warning about memory usage in the respective
docs](https://pkg.go.dev/github.com/minio/minio-go/v7#Client.PutObject).
Specifying the size in both the upload and merge case reduces memory
usage of the MinIO client.

Co-authored-by: Rowan Bohde <rowan.bohde@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
2024-06-12 16:25:46 +02:00
Giteabot 1dc8a66074
Remove sub-path from container registry realm (#31293) (#31300)
Backport #31293 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-06-10 12:04:49 +08:00
Giteabot c07416b3d0
Fix Activity Page Contributors dropdown (#31264) (#31269)
Backport #31264 by wxiaoguang

Fix #31261

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-06-06 08:14:00 +00:00
Thomas Desveaux ca414a7ccf
Fix NuGet Package API for $filter with Id equality (#31188) (#31242)
Backport #31188

Fixes issue when running `choco info pkgname` where `pkgname` is also a
substring of another package Id.

Relates to #31168

---

This might fix the issue linked, but I'd like to test it with more choco
commands before closing the issue in case I find other problems if
that's ok.
I'm pretty inexperienced with Go, so feel free to nitpick things.

Not sure I handled
[this](70f87e11b5/routers/api/packages/nuget/nuget.go (L135-L137))
in the best way, so looking for feedback on if I should fix the
underlying issue (`nil` might be a better default for `Value`?).

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-06-04 14:56:59 +03:00