Commit graph

618 commits

Author SHA1 Message Date
Gusted
ce10ec2878 [SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, from read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that use that JWT token.
- Integration test added.
- Resolves #5128

(cherry picked from commit 5a871f6095)
2024-08-28 08:44:58 +00:00
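The scope propagation the commit above describes, as an added illustration that is not Forgejo's package authentication code. It assumes hypothetical scope names (`read:package`, `write:package`), a static HMAC signing key constructed for the example, and a single package write route; the pre-fix and fixed pairs of login and authorize functions show why a JWT minted from a read-only API token could write before the scope travelled inside the token, and why the fix holds once the signed token carries it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical scope names standing in for the API token scopes the commit
// refers to (read vs write access to packages).
const (
	ScopeReadPackage  = "read:package"
	ScopeWritePackage = "write:package"
)

// packageClaims is the payload of the JWT handed back to the package client
// (e.g. docker). Scope is the claim the fix adds; without it the route that
// handles the later request has no record of what the API token allowed.
type packageClaims struct {
	UserID int64  `json:"uid"`
	Scope  string `json:"scope,omitempty"`
}

// signingKey is a constructed static HMAC key for this example only.
var signingKey = []byte("constructed-demo-key-do-not-use")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256).
func mintToken(c packageClaims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// parseToken verifies the signature in constant time before trusting any
// claim, so a client cannot simply rewrite "scope" in the payload.
func parseToken(tok string) (packageClaims, error) {
	var c packageClaims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// loginPreFix mirrors the behaviour before the fix: the user is recorded but
// the scope of the API token that authenticated them is dropped.
func loginPreFix(uid int64, apiTokenScope string) (string, error) {
	_ = apiTokenScope // known at login time, never stored
	return mintToken(packageClaims{UserID: uid})
}

// loginFixed stores the scope so later calls carrying this JWT can enforce it.
func loginFixed(uid int64, apiTokenScope string) (string, error) {
	return mintToken(packageClaims{UserID: uid, Scope: apiTokenScope})
}

// authorizeUploadPreFix is the write check as it effectively behaved before:
// any validly signed token is treated as the user's full access, so a JWT
// minted from a read-only API token can push.
func authorizeUploadPreFix(tok string) error {
	_, err := parseToken(tok)
	return err
}

// authorizeUploadFixed requires the propagated scope to permit writing.
func authorizeUploadFixed(tok string) error {
	c, err := parseToken(tok)
	if err != nil {
		return err
	}
	if c.Scope != ScopeWritePackage {
		return fmt.Errorf("token scope %q does not permit package writes", c.Scope)
	}
	return nil
}

func main() {
	old, _ := loginPreFix(42, ScopeReadPackage)
	fmt.Println("pre-fix, read-only API token can push:", authorizeUploadPreFix(old) == nil)
	ro, _ := loginFixed(42, ScopeReadPackage)
	fmt.Println("fixed, read-only API token can push:", authorizeUploadFixed(ro) == nil)
	rw, _ := loginFixed(42, ScopeWritePackage)
	fmt.Println("fixed, write API token can push:", authorizeUploadFixed(rw) == nil)
}
```

The check to carry into a real deployment is the last one in the test: a client that rewrites the scope claim in a token it already holds must be rejected by signature verification, otherwise storing the scope in the JWT buys nothing.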
Giteabot
4c5e4e672d
Show lock owner instead of repo owner on LFS setting page (#31788) (#31817)
Backport #31788 by @wolfogre

Fix #31784.

Before: https://github.com/user-attachments/assets/03f32545-4a85-42ed-bafc-2b193a5d8023

After: https://github.com/user-attachments/assets/e5bcaf93-49cb-421f-aac1-5122bc488b02

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit a39fe5325266f1c079e0e54abc68e6470764eb44)

Conflicts:
	models/git/lfs_lock.go
  trivial context conflict
2024-08-18 07:01:03 +02:00
Zoupers Zou
8e8a07cc15
Fix #31185 try fix lfs download from bitbucket failed (#31201)
Fix #31185

(cherry picked from commit e25d6960b5749fbf7f88ebb6b27878c0459817da)
(cherry picked from commit baad8337f9)
2024-08-18 07:01:03 +02:00
Michael Kriese
7e847ad879 fix(agit): run full pr checks on force-push
(cherry picked from commit 2d05e922a2)
2024-08-13 18:26:33 +00:00
Gusted
e988d1a8bb [BUG] Return blocking errors as JSON errors
- These endpoints have been JSON-based since b71cb7acdc
and should therefore return JSON errors.
- Integration tests adjusted.

(cherry picked from commit d97cf0e854)
2024-08-10 05:53:00 +00:00
TheFox0x7
072dd9f8bc enable linter testifylint on v7 (#4572)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4572
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com>
2024-07-30 19:42:06 +00:00
Gusted
bcc1e17775 [UI] Show AGit label on merged PR
- The label wasn't shown on merged PRs.
- Integration test added

(cherry picked from commit 358ec8002e)
2024-07-29 14:23:45 +00:00
Earl Warren
9f1302f685 fix(api): issue state change is not idempotent
The PATCH of issue & pull request switched to use the service
functions instead. However, the service function changing the state is
not idempotent. Instead of doing nothing when changing from open to
open or close to close, it will fail with an error like:

 Issue [2472] 0 was already closed

Regression of: 6a4bc0289d

Fixes: https://codeberg.org/forgejo/forgejo/issues/4686
(cherry picked from commit e9e3b8c0f3)
2024-07-25 14:21:00 +00:00
Ikuyo
19dd7e9ebc Add missing trailing comma
(cherry picked from commit 859cc23dc2)
2024-07-23 13:01:36 +00:00
Ikuyo
422fe11271 Add devtest in reserved usernames test
(cherry picked from commit 90c0e9dace)
2024-07-23 13:01:36 +00:00
0ko
2dc87d389d
[v7.0/forgejo] ui: fix issue labels
* Fixes https://codeberg.org/forgejo/forgejo/issues/4522
* Fixes https://codeberg.org/forgejo/forgejo/issues/4522#issuecomment-2095542
* Fixes https://codeberg.org/forgejo/forgejo/issues/4544
* Fixes regression of https://codeberg.org/forgejo/forgejo/pulls/4486
* Fixes regression of some cherry-pick
* Fixes an overflow that wasn't even reported

* Revert changes done in https://codeberg.org/forgejo/forgejo/pulls/4486.
* Apply changes proposed in https://codeberg.org/forgejo/forgejo/issues/3875#issuecomment-1840611.
* Introduce new label `ugc-labels` to mark ui labels that are named by
users and therefore need special care. Currently the generic label
classes are used for too many things to work with them directly without
affecting other UI.
2024-07-23 00:53:32 +02:00
Gusted
2eac7b1402
[BUG] Fix panic on too high page number
- Fixes a panic where the file history router would panic if the page
number was set to a page where no commits would be returned. It now
returns a 404 in such case.
- Regression of a5b1c1b0b3
- Panic log provided by @algernon.
- Minimal integration test added.

(cherry picked from commit 6a49e3f468)

Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-07-22 14:31:05 +02:00
Earl Warren
59a8bed2a2 Merge pull request '[v7.0/forgejo] Load attachments for /issues/comments/{id}' (#4528) from bp-v7.0/forgejo-fc4f914 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4528
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-07-16 13:49:59 +00:00
Gergely Nagy
9f592578f4 Load attachments for /issues/comments/{id}
The `/repos/{owner}/{repo}/issues/comments/{id}` API endpoint returns an
`assets` field, but the route handler did not load attachments, thus,
the field was never populated.

This patch fixes that, and adds a test to exercise it. The test fails
without the fix.

This addresses a bug discovered in Codeberg/Community#1607.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit fc4f914e71)
2024-07-16 12:44:47 +00:00
Gergely Nagy
61f36020cd Fix user search paging
When searching for users, page the results by default, and respect the
default paging limits.

This makes queries like '/api/v1/users/search?limit=1' actually work.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 9b85f97835)
2024-07-16 10:50:36 +00:00
Gusted
b2d3ae4dc0 [UI] Remove unnecessary vertical space in empty labels list
- Don't show the labels-list element, if no labels are selected.
- The labels-list was taking up vertical space, even if no labels were
selected which caused an inconsistency in how the sidebar looked.
- Adds integration test

(cherry picked from commit 013b89eb13)
2024-07-14 14:40:50 +00:00
Gusted
2e0e0b48f0 [BUG] Use correct SHA in GetCommitPullRequest
- The param wasn't `sha`, it was `ref`. Use this instead.
- Adds new integration tests.
- Resolves #4190
- Resolves #4025

(cherry picked from commit a8460bb132)
2024-07-06 21:00:31 +00:00
0ko
d3a0eb3bdd ui: fix wrong string used in a search box (#4258)
Resolves https://codeberg.org/forgejo/forgejo/issues/4256.
Fixes regression caused by https://github.com/go-gitea/gitea/pull/29530/files#diff-b46ae540c8eb41d1ccaa1659489fcc47d72eee4c4f04dc83c5ccf4d6d1a3395eR45.

Preview:
Before - https://codeberg.org/forgejo/forgejo/attachments/d629f2e9-0d07-4719-9250-52d3ba9f4a9e
After - https://codeberg.org/forgejo/forgejo/attachments/6a5f5cb2-124d-4673-a387-8483125a89eb

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4258
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
(cherry picked from commit 28ceec6fad)
2024-06-28 16:29:11 +00:00
Twenty Panda
cc425ad87b test: coverage for /repos/{owner}/{repo}/issues?project=
Refs: https://codeberg.org/forgejo/forgejo/pulls/4215#issuecomment-2040651
(cherry picked from commit b18ba810a5)
2024-06-23 19:35:08 +00:00
Thomas Desveaux
f8774e3611
Fix NuGet Package API for $filter with Id equality (#31188) (#31242)
Backport #31188

Fixes issue when running `choco info pkgname` where `pkgname` is also a
substring of another package Id.

Relates to #31168

---

This might fix the issue linked, but I'd like to test it with more choco
commands before closing the issue in case I find other problems if
that's ok.
I'm pretty inexperienced with Go, so feel free to nitpick things.

Not sure I handled
[this](70f87e11b5/routers/api/packages/nuget/nuget.go (L135-L137))
in the best way, so looking for feedback on if I should fix the
underlying issue (`nil` might be a better default for `Value`?).

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit ca414a7ccf5e26272662e360c44ac50221a0f2d4)
2024-06-09 11:49:18 +02:00
Earl Warren
8f88817c00 test(oauth): RFC 6749 Section 10.2 conformance
See:

1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client

(cherry picked from commit 592469464b)
2024-06-06 10:01:56 +00:00
Earl Warren
40bf161ff0 test(oauth): coverage for the redirection of a denied grant
See 886a675f62 Return `access_denied` error when an OAuth2 request is denied

(cherry picked from commit 32c882af91)
2024-06-05 14:19:38 +00:00
Lunny Xiao
d462b6d495
Fix push multiple branches error with tests (#31151)
(cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482)

Conflicts:
	tests/integration/git_push_test.go
	trivial context conflict because of
	2ac3dcbd43 test: hook post-receive for sha256 repos
(cherry picked from commit 62448bfb93)
(cherry picked from commit e8c776c79384c1c0a4d707ce5084b27347703848)
2024-06-03 09:47:51 +02:00
Earl Warren
bad8e72bcd
tests(integration): add TestPullMergeBranchProtect
Verify variations of branch protection that are in play when merging a
pull request as:

* instance admin
* repository admin / owner
* user with write permissions on the repository

In all cases the result is expected to be the same when merging
the pull request via:

* API
* web

Although the implementations are different.

(cherry picked from commit 793421bf59)

Conflicts:
	tests/integration/pull_merge_test.go
	trivial context conflict
2024-06-02 22:05:08 +02:00
Earl Warren
6827a4a669
test(integration): add protected file to doBranchProtect
A protected file pushed to a protected branch is not allowed.

(cherry picked from commit e0eba21ab7)
2024-06-02 22:00:40 +02:00
Earl Warren
e0cd813927
test(integration): refactor doBranchProtectPRMerge
* group test cases to clarify their purpose
* remove pull request branch protection tests, they are redundant
  with TestPullMergeBranchProtect

(cherry picked from commit 0d8478b82e)

Conflicts:
	tests/integration/git_test.go
	trivial context conflict
2024-06-02 22:00:18 +02:00
Earl Warren
9b17f6fd24
test(integration): refactor testPullMerge
* split into testPullMergeForm which can be called directly if
  the caller wants to specify extra parameters.
* testPullMergeForm can expect something different than StatusOK

(cherry picked from commit 20591d966e)
2024-06-02 21:53:46 +02:00
Earl Warren
9cd730a063
test(integration): refactor doAPIMergePullRequest
* http.StatusMethodNotAllowed can be expected: only retry if the
  error message is "Please try again later"
* split into doAPIMergePullRequestForm which can be called directly if
  the caller wants to specify extra parameters.

(cherry picked from commit 49aea9879b)
2024-06-02 21:53:46 +02:00
Earl Warren
68d803aae4
test(integration): refactor doProtectBranch
explicitly specify the parameters instead of providing them as
arguments so the caller has more fine-grained control over them.

(cherry picked from commit 70aa294cc1)
2024-06-02 21:53:46 +02:00
Earl Warren
b4d792d2a2
test(integration): add t.Helper() to reduce stack pollution
Without it, a testify stack is likely to not show the relevant test.

(cherry picked from commit 4c2ed3c35d)
2024-06-02 21:53:46 +02:00
Earl Warren
4cbfd383e9 tests(api): POST /repos/{owner}/{repo}/push_mirrors coverage
(cherry picked from commit 166bb2861f)
2024-06-02 15:45:31 +00:00
Jade Lovelace
900381d6e9 Add an immutable tarball link to archive download headers for Nix
This allows `nix flake metadata` and nix in general to lock a *branch*
tarball link in a manner that causes it to fetch the correct commit even
if the branch is updated with a newer version.

For further context, Nix flakes are a feature that, among other things,
allows for "inputs" that are "github:someuser/somerepo",
"https://some-tarball-service/some-tarball.tar.gz",
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
tarballs of git-based inputs to their builds rather than using git to
fetch them, saving significant download time.

There is presently no gitea or forgejo specific fetcher in Nix, and we
don't particularly wish to have one. Ideally (as a developer on a Nix
implementation myself) we could just use the generic tarball fetcher and
not add specific forgejo support, but to do so, we need additional
metadata to know which commit a given *branch* tarball represents, which
is the purpose of the Link header added here.

The result of this patch is that a Nix user can specify `inputs.something.url =
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
and get a link to some concrete tarball for the actual commit in the
lock file, then when they run `nix flake update` in the future, they
will get the latest commit in that branch.

Example of it working locally:

 » nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
Resolved URL:  http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
Locked URL:    804ede182b.tar.gz?dir=configs/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
Description:   Computers with the nixos
Path:          /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
Revision:      804ede182b6b66469b23ea4d21eece52766b7a06
Last modified: 2024-05-02 00:48:32

For details on the header value, see:
56763ff918/doc/manual/src/protocols/tarball-fetcher.md

(cherry picked from commit 6631f56ebf)
2024-05-29 18:50:14 +00:00
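The Link header mechanism described in the commit above, as an added example that is not Forgejo's archive handler: a stand-alone net/http handler that resolves a branch archive request to its head commit and emits `Link: <pinned URL>; rel="immutable"`, the shape Nix's tarball-fetcher protocol expects. It assumes a fixed root URL of http://localhost:3000 (the one in the commit's sample output), a constructed branch-to-commit map in place of a Git lookup, and that the query string (such as `?dir=`) is carried over onto the pinned URL so it still names the same subtree; a request that already names a commit gets no header because the URL is already immutable.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// appURL stands in for the instance's configured root URL (assumption:
// the http://localhost:3000 used in the commit message's example). Behind a
// TLS-terminating proxy this must be the externally visible URL, not r.Host.
const appURL = "http://localhost:3000"

// branchHeads is a constructed stand-in for resolving a branch to its head
// commit; a real handler would ask the Git repository.
var branchHeads = map[string]string{
	"main": "804ede182b6b66469b23ea4d21eece52766b7a06",
}

var archivePath = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)/archive/(.+)\.tar\.gz$`)

// immutableTarballLink returns the Link header value for a branch archive
// request, or ok=false when the ref is not a branch we can pin (for example
// it is already a commit hash, so the URL cannot move under the fetcher).
func immutableTarballLink(owner, repo, ref, rawQuery string) (string, bool) {
	commit, isBranch := branchHeads[ref]
	if !isBranch {
		return "", false
	}
	u := fmt.Sprintf("%s/api/v1/repos/%s/%s/archive/%s.tar.gz", appURL, owner, repo, commit)
	if rawQuery != "" {
		u += "?" + rawQuery // assumption: keep ?dir=... so the pinned URL means the same subtree
	}
	// Header shape from Nix's tarball-fetcher protocol: <URL>; rel="immutable"
	return fmt.Sprintf(`<%s>; rel="immutable"`, u), true
}

// archiveHandler serves /api/v1/repos/{owner}/{repo}/archive/{ref}.tar.gz and
// adds the Link header before writing the status, since headers are frozen
// once WriteHeader runs.
func archiveHandler(w http.ResponseWriter, r *http.Request) {
	m := archivePath.FindStringSubmatch(r.URL.Path)
	if m == nil {
		http.NotFound(w, r)
		return
	}
	if link, ok := immutableTarballLink(m[1], m[2], m[3], r.URL.RawQuery); ok {
		w.Header().Set("Link", link)
	}
	w.Header().Set("Content-Type", "application/gzip")
	w.WriteHeader(http.StatusOK)
	// Archive body omitted: only the headers matter for the fetcher's lock step.
}

func main() {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix", nil)
	archiveHandler(rec, req)
	fmt.Println("Link:", rec.Header().Get("Link"))
}
```

With this in place the locked URL that ends up in flake.lock names the commit rather than the branch, which is what makes a later `nix flake update` a deliberate step instead of an implicit change of what gets built.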
Earl Warren
75554579a6 Merge pull request '[v7.0/forgejo] mysql: faster user deletion (hook_task query) for mariadb 10' (#3888) from bp-v7.0/forgejo-4ffda65-bb165fa into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3888
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-24 13:45:38 +00:00
oliverpool
cef84d7abf test: check hook_task deletion
move test to integration to ensure Sqlite + MySQL testing

(cherry picked from commit bb165fadf6)
2024-05-24 12:46:33 +00:00
Gergely Nagy
9ac51ddeb7 tests: Add a test for code expansion on PRs
This adds a new test case to `TestCompareCodeExpand` to exercise the
case where we're viewing a PR's diff.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit fd9ee1901b)
2024-05-24 12:45:35 +00:00
wxiaoguang
d3b4f9d326 Fix incorrect "blob excerpt" link when comparing files (#31013)
When comparing files between the base repo and forked repo, the "blob
excerpt" link should point to the forked repo, because the commit
doesn't exist in base repo.

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit f48cc501c46a2d34eb701561f01d888d689d60d5)

Conflicts:
	- templates/repo/diff/section_split.tmpl
	- templates/repo/diff/section_unified.tmpl
	  Resolved the conflict by picking Gitea's change over ours, and
	  porting it.
	- tests/integration/compare_test.go
	  Kept our test, but picked the "compare all of the relevant
	  links" part of the Gitea test.
(cherry picked from commit a62a887649)
2024-05-24 12:45:35 +00:00
Gergely Nagy
ef4c6abbb9 badges: Relax the default workflow badge conditions
Previously, if no branch was explicitly specified for a workflow, it
defaulted to the default branch of the repo. This worked fine for
workflows that were triggered on push, but it prevented showing badges
for workflows that only run on tags, or on schedule - since they do not
run on a specific branch.

Thus, relax the conditions, and if no branch is specified, just return
the latest run of the given workflow. If one is specified, *then*
restrict it to said branch.

Fixes #3487.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit d6915f4d5f)
2024-05-20 10:47:25 +00:00
Earl Warren
4ecbb2ef1b Merge pull request '[gitea] week 2024-20-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#3772) from earl-warren/wcp/2024-20-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3772
Reviewed-by: Beowulf <beowulf@noreply.codeberg.org>
2024-05-16 15:36:08 +00:00
oliverpool
d877f18092 test-sha256: APICreateFile
(cherry picked from commit 67effd6985)
2024-05-16 13:07:14 +00:00
oliverpool
32a0e1e2b4 test-sha256: APICreateBranch
(cherry picked from commit df8aaeb1d5)
2024-05-16 13:07:14 +00:00
oliverpool
ab4570d0cb test-sha256: PushDeployKeyOnEmptyRepo
(cherry picked from commit 348182f4b3)
2024-05-16 13:07:14 +00:00
oliverpool
7c40672ddf test: useless duplication
(cherry picked from commit e3e82d02ad)
2024-05-16 13:07:14 +00:00
oliverpool
6de1f714f3 test: hook post-receive for sha256 repos
failing push-to-create for sha256 will be fixed in a followup PR

(cherry picked from commit 2ac3dcbd43)
2024-05-15 21:08:15 +00:00
Zettat123
65529bd334
Update issue indexer after merging a PR (#30715)
Fix #30684

(cherry picked from commit f09e68ec33262d5356779572a0b1c66e6e86590f)

Conflicts:
	tests/integration/pull_merge_test.go
	trivial context conflict
(cherry picked from commit 8f0f6bf89c)

(cherry picked from commit df5513978a630355a28b6b42fcc63fe5d70652d8)
2024-05-14 16:00:57 +02:00
Lunny Xiao
d91839692f
Fix various problems around projects board view (#30696)
The previous implementation will start multiple POST requests from the
frontend when moving a column and another bug is moving the default
column will never be remembered in fact.

- [x] This PR will allow the default column to move to a non-first
position
- [x] And it also uses one request instead of multiple requests when
moving the columns
- [x] Use a star instead of a pin as the icon for setting the default
column action
- [x] Inserted new column will be appended to the end
- [x] Fix #30701 the newly added issue will be appended to the end of the
default column
- [x] Fix when deleting a column, all issues in it will be displayed
from UI but database records exist.
- [x] Add a limitation for columns in a project to 20. So the sorting
will not overflow because it's int8.

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit a303c973e0264dab45a787c4afa200e183e0d953)

Conflicts:
	routers/web/web.go
	e91733468ef726fc9365aa4820cdd5f2ddfdaa23 Add missing database transaction for new issue (#29490) was not cherry-picked
	services/issue/issue.go
	fe6792dff3 Enable/disable owner and repo projects independently (#28805) was not cherry-picked
(cherry picked from commit 7d3ca90dfe)

(cherry picked from commit 084bec89ed7ae0816fc2d8db6784ad22523d1fc4)
2024-05-14 15:51:15 +02:00
Gergely Nagy
dc13eecc04 Expand code diffs against the commits repo
When expanding code diffs, the expansion should search for more context
in the commits repo, rather than in the repo in context, because the
commit may not be available in the base repo. For example, when
previewing a pull request, the commit is not in the target repo yet -
it's in the fork.

Fixes #3746.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 220c3fe3b3)
2024-05-14 12:06:44 +00:00
Gergely Nagy
00cfe9aef9 templates: Be more forgiving about missing package metadata
When rendering templates for packages, be more forgiving about missing
metadata. For some repository types - like maven - metadata is uploaded
separately. If that upload fails, or does not happen, there will be no
metadata.

In that case, Forgejo should handle it gracefully, and render as much of
the information as possible, without erroring out. Rendering without
metadata allows one to delete a partial package, while if we throw
errors, that becomes a whole lot harder.

This patch adjusts the generic metadata template, and also the maven
template. There may be more cases of the same problem lying around.

Fixes #3663.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit ac4d535dbf)
2024-05-10 18:10:25 +00:00
Gergely Nagy
9ba48419ba Teach activities.GetFeeds() how to avoid returning duplicates
Before explaining the fix itself, lets look at the `action` table, and
how it is populated. Data is only ever inserted into it via
`activities_model.NotifyWatchers`, which will:

- Insert a row for each activity with `UserID` set to the acting user's
  ID - this is the original activity, and is always inserted if anything
  is to be inserted at all.
- It will insert a copy of each activity with the `UserID` set to the
  repo's owner, if the owner is an Organization, and isn't the acting
  user.
- It will insert a copy of each activity for every watcher of the repo,
  as long as the watcher in question has read permission to the repo
  unit the activity is about.

This means that if a repository belongs to an organizations, for most
activities, it will have at least two rows in the table. For
repositories watched by people other than their owner, an additional row
for each watcher.

These are useful duplicates, because they record which activities are
relevant for a particular user. However, for cases where we wish to see
the activities that happen around a repository, without limiting the
results to a particular user, we're *not* interested in the duplicates
stored for the watchers and the org. We only need the originals.

And this is what this change does: it introduces an additional option to
`GetFeedsOptions`: `OnlyPerformedByActor`. When this option is set,
`activities.GetFeeds()` will only return the original activities, where
the user id and the acting user id are the same. As these are *always*
inserted, we're not missing out on any activities. We're just getting
rid of the duplicates. As this is an additional `AND` condition, it can
never introduce items that would not have been included in the result
set before, it can only reduce, not extend.

These duplicates were only affecting call sites where `RequestedRepo`
was set, but `RequestedUser` and `RequestedTeam` were not. Both of those
call sites were updated to set `OnlyPerformedByActor`. As a result,
repository RSS feeds, and the `/repos/{owner}/{repo}/activities/feeds`
API end points no longer return dupes, only the original activities.

Rather than hardcoding this behaviour into `GetFeeds()` itself, I chose
to implement it as an explicit option, for the sake of clarity.

Fixes Codeberg/Community#684, and addresses gitea#20986.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 9cb2aa989a)
2024-05-09 18:37:30 +00:00
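A model of the insertion rules and the `OnlyPerformedByActor` filter described in the commit above, added here as an illustration; it is not the activities package's code. It replaces the `action` table with an in-memory slice, uses a constructed org-owned repository with two watchers (one of whom lacks read permission), and assumes that a watcher who is also the actor is skipped (the original row already covers them) and that read permission is a plain per-user flag. The point it makes executable is the one the commit relies on: the extra `user_id = act_user_id` condition can only remove copies, never drop an original.

```go
package main

import "fmt"

// action mirrors the columns of the `action` table the commit message reasons about.
type action struct {
	UserID    int64 // whose feed the row belongs to
	ActUserID int64 // who actually performed the activity
	RepoID    int64
	OpType    string
}

// repo is a constructed stand-in for the repository, its owner and watchers.
type repo struct {
	ID         int64
	OwnerID    int64
	OwnerIsOrg bool
	Watchers   []int64
	CanRead    map[int64]bool // assumption: read permission on the affected unit, per user
}

// notifyWatchers appends rows following the three rules described above:
// the original row for the actor, a copy for an organization owner that is
// not the actor, and a copy for each watcher with read permission.
func notifyWatchers(table []action, r repo, actor int64, op string) []action {
	table = append(table, action{UserID: actor, ActUserID: actor, RepoID: r.ID, OpType: op})
	if r.OwnerIsOrg && r.OwnerID != actor {
		table = append(table, action{UserID: r.OwnerID, ActUserID: actor, RepoID: r.ID, OpType: op})
	}
	for _, w := range r.Watchers {
		if w == actor || !r.CanRead[w] {
			continue // assumption: the actor already has the original row
		}
		table = append(table, action{UserID: w, ActUserID: actor, RepoID: r.ID, OpType: op})
	}
	return table
}

// feedOptions is the subset of GetFeedsOptions this example needs.
type feedOptions struct {
	RequestedRepo        int64
	OnlyPerformedByActor bool
}

// getFeeds filters the table; OnlyPerformedByActor adds the
// user_id = act_user_id condition, which can only drop rows.
func getFeeds(table []action, o feedOptions) []action {
	var out []action
	for _, a := range table {
		if a.RepoID != o.RequestedRepo {
			continue
		}
		if o.OnlyPerformedByActor && a.UserID != a.ActUserID {
			continue
		}
		out = append(out, a)
	}
	return out
}

// sampleTable builds the constructed data: an org-owned repo watched by users
// 2 and 3, where 3 lacks read access; user 1 pushes, then watcher 2 pushes.
func sampleTable() []action {
	r := repo{ID: 7, OwnerID: 100, OwnerIsOrg: true, Watchers: []int64{2, 3},
		CanRead: map[int64]bool{2: true, 3: false}}
	var t []action
	t = notifyWatchers(t, r, 1, "push") // rows for user 1, org 100, watcher 2
	t = notifyWatchers(t, r, 2, "push") // rows for user 2, org 100 (2 is the actor, no watcher copy)
	return t
}

func main() {
	t := sampleTable()
	all := getFeeds(t, feedOptions{RequestedRepo: 7})
	orig := getFeeds(t, feedOptions{RequestedRepo: 7, OnlyPerformedByActor: true})
	fmt.Printf("rows for repo 7: %d, with OnlyPerformedByActor: %d\n", len(all), len(orig))
}
```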
yp05327
da993b09ad
Fix no edit history after editing issue's title and content (#30814)
Fix #30807

reuse functions in services

(cherry picked from commit a50026e2f30897904704895362da0fb12c7e5b26)

Conflicts:
	models/issues/issue_update.go
	routers/api/v1/repo/issue.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
(cherry picked from commit 6a4bc0289d)
2024-05-07 08:21:38 +01:00
Kemal Zebari
6ae15bc15e
Don't only list code-enabled repositories when using repository API (#30817)
We should be listing all repositories by default.

Fixes #28483.

(cherry picked from commit 9f0ef3621a3b63ccbe93f302a446b67dc54ad725)

Conflict:
   -		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeRead {
   +		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.HasAccess() {
   because of https://codeberg.org/forgejo/forgejo/pulls/2001
(cherry picked from commit e388822e9d)
2024-05-07 08:17:35 +01:00