Commit graph

4345 commits

Author SHA1 Message Date
Gusted
48fa9c96a7 fix: correct permission loading for limited organisation
- If a organisation is set to be limited visible, then it will still be
visible for signed-in users. However `UnitPermission` didn't take this
into account, it does now.
- Add unit test.
- Resolves #6141

(cherry picked from commit bc9f1e2533)
2024-12-04 17:57:42 +00:00
Earl Warren
a494510972 Merge pull request '[gitea] week 2024-48-v9.0 cherry pick (gitea/main -> v9.0/forgejo)' (#6064) from earl-warren/wcp/2024-48-v9.0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6064
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-27 18:22:15 +00:00
Rowan Bohde
48872d11ca
allow the actions user to login via the jwt token (#32527)
We have some actions that leverage the Gitea API that began receiving
401 errors, with a message that the user was not found. These actions
use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to
authenticate with the Gitea API. The format of this env var in actions
jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a
corresponding update to `act_runner`) Since it was a JWT, the OAuth
parsing logic attempted to parse it as an OAuth token, and would return
user not found, instead of falling back to look up the running task and
assigning it to the actions user.

Make ACTIONS_RUNTIME_TOKEN in action runners could be used,
attempting to parse Oauth JWTs. The code to parse potential old
`ACTION_RUNTIME_TOKEN` was kept in case someone is running an older
version of act_runner that doesn't support the Actions JWT.

(cherry picked from commit 407b6e6dfc7ee9ebb8a16c7f1a786e4c24d0516e)

Conflicts:
	services/auth/oauth2.go
  trivial context conflicts because OAuth2 scopes are in Forgejo and
  not yet in Gitea
2024-11-24 16:51:29 +00:00
Lunny Xiao
bf520f5184
Fix GetInactiveUsers (#32540)
Fix #31480

(cherry picked from commit 9bf821ae6c108379d22ae11d8d5784a4ed7ad647)

Conflicts:
	models/user/user_test.go
  trivial context conflict
2024-11-24 16:46:39 +00:00
Otto Richter
219d07dc96 fix: Do not delete global Oauth2 applications
(cherry picked from commit 1d5aee6ef8)
2024-11-23 22:48:42 +00:00
Otto Richter
90db3f6132 test: Global OAuth should not be deleted
Expected to fail: Global (instance-wide) OAuth application should not be deleted, but it is

(cherry picked from commit 665d5f7317)
2024-11-23 22:48:41 +00:00
Earl Warren
6f825ab156 Merge pull request '[gitea] week 2024-47-v9.0 cherry pick (gitea/main -> v9.0/forgejo)' (#5998) from earl-warren/wcp/2024-47-v9.0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5998
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-18 18:30:46 +00:00
Gusted
35435c573a fix: use better code to group UID and stopwatches
- Instead of having code that relied on the result being sorted (which
wasn't specified in the query and therefore not safe to assume so). Use
a map where it doesn't care if the result that we get from the database
is sorted or not.
- Added unit test.

(cherry picked from commit e4eb82b738)
2024-11-17 19:18:45 +00:00
wxiaoguang
9f05c76b7b
Fix nil panic if repo doesn't exist (#32501)
fix  #32496

(cherry picked from commit 985e2a8af3d6468bac3ab178148c38bdbd8414f5)
2024-11-17 11:45:54 +01:00
Gusted
1770117178
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.

(cherry picked from commit 1ce33aa38d)

v9: Removed migration - XORM can handle this case automatically without
migration. Add `DEFAULT 'long_term_authorization'`.
2024-11-15 11:33:17 +01:00
Gusted
a88e3e6ac0
fix: anomynous users code search for private/limited user's repository
- Consider private/limited users in the `AccessibleRepositoryCondition`
query, previously this only considered private/limited organization.
This limits the ability for anomynous users to do code search on
private/limited user's repository
- Unit test added.

(cherry picked from commit b70196653f)
2024-11-15 11:32:38 +01:00
Gusted
36300be94e
fix: don't show private forks in forks list
- If a repository is forked to a private or limited user/organization,
the fork should not be visible in the list of forks depending on the
doer requesting the list of forks.
- Added integration testing for web and API route.

(cherry picked from commit 061abe6004)
2024-11-15 11:32:09 +01:00
Earl Warren
397b3cf88f chore(refactor): split ReloadLabels out of LoadLabels in issue model
Functions modifying the labels in the database (DeleteIssueLabel,
NewIssueLabels, NewIssueLabel, ReplaceIssueLabels) need to force
reload them. Instead of:

	issue.isLabelsLoaded = false
	issue.Labels = nil
	if err = issue.LoadLabels(ctx); err != nil {
		return err
	}

They can now use:

	if err = issue.ReloadLabels(ctx); err != nil {
		return err
	}

(cherry picked from commit f06bdb0552)
2024-11-07 10:38:36 +00:00
Earl Warren
bcb72df356 fix: issue labels are not set after deleting one label
Because issue.isLabelsLoaded = false is missing, LoadLabels is a noop
and the issue.Labels is nil.

(cherry picked from commit db899c19d8)
2024-11-07 10:38:36 +00:00
Earl Warren
eda6b436dc fix: labels are missing in the pull request payload removing a label
When ReplaceIssueLabels calls issue.LoadLabels it was a noop because
issue.isLabelsLoaded is still set to true because of the call  to
issue.LoadLabels that was done at the beginning of the function.

(cherry picked from commit c801838690)
2024-11-06 17:38:04 +00:00
Earl Warren
d624a5edd6 fix: Actions PR workflows must update the commit status
When a workflow has

on:
  pull_request:
    types:
      - labeled
      - unlabeled

The outcome of the workflow (success or failure) must be associated
with the head sha commit status. Otherwise it cannot be used as a
requirement for merging the pull request (branch protections).

(cherry picked from commit 66c85b7d8b)
2024-11-04 14:10:27 +00:00
Gusted
f0abba3eef fix: use buffered iterate for debian searchpackages
- The driver being used for PostgreSQL doesn't handle interleaved
queries (you start a query, read some rows and start another query while
you didn't finish that query yet), this is the case with using
`.Iterate` from XORM.
- Switch to a variant of what exist in the current codebase of
`db.Iterate`, which is a simple buffered iteration and doesn't keep
queries open, which allow other database operations to happen.
- Unit test added. This doesn't cover that postgres does not error on
this case, as this is not run with a postgres database.
- Resolves #5696

(cherry picked from commit 459ab11a8a)
2024-10-27 00:10:02 +00:00
Zettat123
1913399d81
Always update expiration time when creating an artifact (#32281)
Fix #32256

(cherry picked from commit 9116665e9c1c01d882c919fb3058f7fdb695350e)
2024-10-22 07:28:30 +02:00
Gusted
d5c6036c53 fix: correct SQL query for active issues
- The `OR` should be inside the `AND` condition to not 'bypass' the other
conditions.
- Added minimal unit test.
- Regression from 2675a24649

(cherry picked from commit 0055fdbdc4)
2024-10-20 23:31:54 +00:00
Gusted
642dd61446 fix: Add recentupdated as recognized sort option
- Add `recentupdated` to the `OrderByMap`.
- Add integration testing for organization and user repository sorting.
- Resolves #5612
- Regression from 12e23ee199 where the
`recentupdated` case was not added to the map, but was handled
seperately as a fallback. The regression came into affect when
5a0bc35799 also relied on this map but
didn't handle the `recentupdated` case.

(cherry picked from commit df38c41c7a)
2024-10-20 10:58:07 +00:00
Gusted
fe35a17dbe [BUG] Don't allow owner team with incorrect unit access
- On editting a team, only update the units if the team isn't the
'Owners' team. Otherwise the 'Owners' team end up having all of their
unit access modes set to 'None'; because the request form doesn't send
over any units, as it's simply not shown in the UI.
- Adds a database inconstency check and fix for the case where the
'Owners' team is affected by this bug.
- Adds unit test.
- Adds integration test.
- Resolves #5528
- Regression of https://github.com/go-gitea/gitea/pull/24012

(cherry picked from commit 9de9034400)
2024-10-14 19:59:17 +00:00
Kwonunn
d2d161ad28 fix: don't cancel schedule workflows on push to main branch
(cherry picked from commit b20c0b1469)
2024-10-13 12:25:59 +00:00
Lunny Xiao
ea5a8c7809
Fix bug when a token is given public only
Port of https://github.com/go-gitea/gitea/pull/32204

(cherry picked from commit d6d3c96e6555fc91b3e2ef21f4d8d7475564bb3e)

Conflicts:
  routers/api/v1/api.go
	services/context/api.go
  trivial context conflicts
(cherry picked from commit a052d2b602)

Conflicts:
	routers/api/v1/user/user.go
  trivial context conflict (search by email is not in v9.0)
2024-10-11 05:24:23 +03:00
Zettat123
700e9f027b
Fix the logic of finding the latest pull review commit ID (#32139)
Fix #31423

(cherry picked from commit f4b8f6fc40ce2869135372a5c6ec6418d27ebfba)

Conflicts:
	models/fixtures/comment.yml
  comment fixtures have to be shifted because there is one more in Forgejo
2024-10-06 11:34:08 +02:00
Timon van der Berg
81308159fd Repo Activity: count new issues that were closed (#31776)
I'm new to go and contributing to gitea, your guidance is much
appreciated.

This is meant to solve https://github.com/go-gitea/gitea/issues/13309

Previously, closed issues would not be shown under new issues in the
activity tab, even if they were newly created.

changes:
* Split out newlyCreatedIssues from issuesForActivityStatement to count
  both currently open and closed issues.
* Use a seperate function to count active issues to prevent
double-counting issues after the above change.

Result is that new issues that have been closed are shown both under
"new" and "closed".

Signed-off-by: Timon van der Berg <tmnvanderberg@gmail.com>
(cherry picked from commit ebfde845294cc681de6b1fe1adcf27e35f61b89b)
(cherry picked from commit 2675a24649)
2024-09-27 08:13:30 +00:00
Otto Richter
dc9a268d3c i18n: UX improvements: Team permissions and issue closing
Change word order for issue comment actions
-  An attempt to address https://codeberg.org/forgejo/forgejo/issues/2650

Org team permissions improvements

- consistency: added missing dot
- clarity: explain what external units mean
- use dedicated keys to explain the permissions.
- split in read/write permissions
- use explicit labels for accessibility
- ext_wiki.desc and ext_issues.desc are no longer in use.
2024-09-24 19:03:30 +02:00
Earl Warren
a05eae5615
chore(build): use a stable mirror for go-libravatar
It is not actively maintained and
https://strk.kbt.io/git/go-libravatar.git may be unavailable at
times.

Instead of using the GitLab mirror, setup a mirror in Forgejo space,
where it is under the control of Forgejo contributors.

Fixes: https://codeberg.org/forgejo/forgejo/issues/5320
2024-09-14 09:58:49 +02:00
Gusted
63736e8301
[FEAT] Add support for webauthn credential level 3
- For WebAuthn Credential level 3, the `backup_eligible` and
`backup_state` flags are checked if they are consistent with the values
given on login. Forgejo never stored this data, so add a database
migration that makes all webauthn credentials 'legacy' and on the next
first use capture the values of `backup_eligible` and `backup_state`.
As suggested in https://github.com/go-webauthn/webauthn/discussions/219#discussioncomment-10429662
- Adds unit tests.
- Add E2E test.
2024-08-29 10:05:03 +02:00
Earl Warren
9addaedaf3 Merge pull request '[gitea] week 2024-35 cherry pick (gitea/main -> forgejo)' (#5109) from algernon/wcp/2024-35 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5109
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-27 06:09:19 +00:00
Gergely Nagy
3b70949651
feat: Trivial default quota configuration
This adds a new configuration setting: `[quota.default].TOTAL`, which
will be used if no groups are configured for a particular user. The new
option makes it possible to entirely skip configuring quotas via the API
if all that one wants is a total size.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-26 13:25:34 +02:00
Lunny Xiao
dda53569b1
Fix agit automerge (#31207)
(cherry picked from commit 8b92eba21f5c5cca277b8101ada0ea7a1fb32ae0)
2024-08-25 10:47:37 +02:00
Philip Peterson
03508b33a8
[FEAT] Allow pushmirror to use publickey authentication
- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by
@Gusted, so it's fine to change copyright holder to Forgejo).
- Add the option to use SSH for push mirrors, this would allow for the
deploy keys feature to be used and not require tokens to be used which
cannot be limited to a specific repository. The private key is stored
encrypted (via the `keying` module) on the database and NEVER given to
the user, to avoid accidental exposure and misuse.
- CAVEAT: This does require the `ssh` binary to be present, which may
not be available in containerized environments, this could be solved by
adding a SSH client into forgejo itself and use the forgejo binary as
SSH command, but should be done in another PR.
- CAVEAT: Mirroring of LFS content is not supported, this would require
the previous stated problem to be solved due to LFS authentication (an
attempt was made at forgejo/forgejo#2544).
- Integration test added.
- Resolves #4416
2024-08-22 17:05:07 +02:00
Earl Warren
c76a73ad35 Merge pull request '[gitea] week 2024-34 cherry pick (gitea/main -> forgejo)' (#4998) from earl-warren/wcp/2024-34 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4998
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-20 06:32:09 +00:00
Earl Warren
7e37c4d831 Merge pull request '[BUG] Don't fire notification for comment of pending review' (#4487) from gusted/webhook-issue into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4487
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-19 09:04:50 +00:00
Earl Warren
51620ab0f3 Merge pull request 'Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v1.60.1 (forgejo)' (#4953) from renovate/forgejo-github.com-golangci-golangci-lint-cmd-golangci-lint-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4953
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-19 07:38:14 +00:00
Gusted
15c64122a6
[BUG] Don't fire notification for comment of pending review
- When a comment was updated or deleted and was part of an
pending/ongoing review, it would have triggered a notification, such as
a webhook.
- This patch checks if the comment is part of a pending review and then
does not fire a notification and, in the case of updating a comment,
does not save the content history because this is not necessary if it is
still a "draft" comment given it is a pending comment (there is no need
to see my embarrassing typos).
- Adds integration tests.
- Resolves https://codeberg.org/forgejo/forgejo/issues/4368
2024-08-18 17:04:00 +02:00
Gusted
fe18428806
Fix linting issues 2024-08-18 16:25:13 +02:00
TheFox0x7
8322882265
style: reenable switch check 2024-08-18 15:19:01 +02:00
Lunny Xiao
d5500422c9
Fix panic of ssh public key page after deletion of auth source (#31829)
Fix #31730

This PR rewrote the function `PublicKeysAreExternallyManaged` with a
simple test. The new function removed the loop to make it more readable.

(cherry picked from commit b491b2104f83ee8fc4956c099c427b339291b3be)
2024-08-18 06:28:26 +02:00
Jason Song
7f1db1df3e
Show lock owner instead of repo owner on LFS setting page (#31788)
Fix #31784.

Before:

<img width="1648" alt="image"
src="https://github.com/user-attachments/assets/03f32545-4a85-42ed-bafc-2b193a5d8023">

After:

<img width="1653" alt="image"
src="https://github.com/user-attachments/assets/e5bcaf93-49cb-421f-aac1-5122bc488b02">

(cherry picked from commit 0470646d46f90c20f40fde718be6ef8d8c84ee2c)
2024-08-18 05:47:06 +02:00
Jason Song
a627b885c7
Support compression for Actions logs (#31761)
Support compression for Actions logs to save storage space and
bandwidth. Inspired by
https://github.com/go-gitea/gitea/issues/24256#issuecomment-1521153015

The biggest challenge is that the compression format should support
[seekable](https://github.com/facebook/zstd/blob/dev/contrib/seekable_format/zstd_seekable_compression_format.md).
So when users are viewing a part of the log lines, Gitea doesn't need to
download the whole compressed file and decompress it.

That means gzip cannot help here. And I did research, there aren't too
many choices, like bgzip and xz, but I think zstd is the most popular
one. It has an implementation in Golang with
[zstd](https://github.com/klauspost/compress/tree/master/zstd) and
[zstd-seekable-format-go](https://github.com/SaveTheRbtz/zstd-seekable-format-go),
and what is better is that it has good compatibility: a seekable format
zstd file can be read by a regular zstd reader.

This PR introduces a new package `zstd` to combine and wrap the two
packages, to provide a unified and easy-to-use API.

And a new setting `LOG_COMPRESSION` is added to the config, although I
don't see any reason why not to use compression, I think's it's a good
idea to keep the default with `none` to be consistent with old versions.

`LOG_COMPRESSION` takes effect for only new log files, it adds `.zst` as
an extension to the file name, so Gitea can determine if it needs
decompression according to the file name when reading. Old files will
keep the format since it's not worth converting them, as they will be
cleared after #31735.

<img width="541" alt="image"
src="https://github.com/user-attachments/assets/e9598764-a4e0-4b68-8c2b-f769265183c9">

(cherry picked from commit 33cc5837a655ad544b936d4d040ca36d74092588)

Conflicts:
	assets/go-licenses.json
	go.mod
	go.sum
  resolved with make tidy
2024-08-13 06:51:49 +02:00
Edip Emre Bodur
8b6747173a
Fix null requested_reviewer from API (#31773)
If the assign the pull request review to a team, it did not show the
members of the team in the "requested_reviewers" field, so the field was
null. As a solution, I added the team members to the array.

fix #31764

(cherry picked from commit 94cca8846e7d62c8a295d70c8199d706dfa60e5c)
2024-08-13 06:51:49 +02:00
Yaroslav Halchenko
5ae2dbcb14 Adjust codespell config + make it fix few typos which sneaked in since addition of codespell support (#4857)
Now that my colleague just posted a wonderful blog post https://blog.datalad.org/posts/forgejo-runner-podman-deployment/ on forgejo runner, some time I will try to add that damn codespell action to work on CI here ;)  meanwhile some typos managed to sneak in and this PR should address them (one change might be functional in a test -- not sure if would cause a fail or not)

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4857
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Yaroslav Halchenko <debian@onerussian.com>
Co-committed-by: Yaroslav Halchenko <debian@onerussian.com>
2024-08-08 16:07:35 +00:00
Earl Warren
517637137c Merge pull request '[gitea] week 2024-32 cherry pick (gitea/main -> forgejo)' (#4801) from earl-warren/wcp/2024-32 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4801
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-06 05:47:20 +00:00
Gusted
eb8c125788
[CHORE] Remove SSH DSA tests
- Partially resolves #4659
- Fixes CI.
2024-08-05 20:34:19 +02:00
Gergely Nagy
f121e87aa6
activitypub: Implement an instance-wide actor
An instance-wide actor is required for outgoing signed requests that are
done on behalf of the instance, rather than on behalf of other actors.
Such things include updating profile information, or fetching public
keys.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-05 10:50:26 +02:00
Lunny Xiao
46f9fc2bc6
Rename head branch of pull requests when renaming a branch (#31759)
Fix #31716

(cherry picked from commit 572aaebd96b43bc576fe32187be82f689e855464)
2024-08-04 18:24:10 +02:00
Kemal Zebari
1aaa70fddb
Remove unused code from models/repos/release.go (#31756)
These blocks aren't used anywhere else when doing a grep search.

(cherry picked from commit 0e3d8f80486be11ff53bdd9030a8b32d4f477d19)
2024-08-04 18:24:10 +02:00
Jason Song
0c40cff9a4
Clear up old Actions logs (#31735)
Part of #24256.

Clear up old action logs to free up storage space.

Users will see a message indicating that the log has been cleared if
they view old tasks.

<img width="1361" alt="image"
src="https://github.com/user-attachments/assets/9f0f3a3a-bc5a-402f-90ca-49282d196c22">

Docs: https://gitea.com/gitea/docs/pulls/40

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 687c1182482ad9443a5911c068b317a91c91d586)

Conflicts:
	custom/conf/app.example.ini
	routers/web/repo/actions/view.go
  trivial context conflict
2024-08-04 18:24:10 +02:00
Denys Konovalov
5734499778
add skip secondary authorization option for public oauth2 clients (#31454) (migration v301)
(cherry picked from commit a8d0c879c38e21a8e78db627119bf622d919ee75)
2024-08-04 18:24:10 +02:00