Commit graph

266 commits

Author SHA1 Message Date
Loïc Dachary
de51b21624
[SECURITY] default to pbkdf2 with 320,000 iterations
(cherry picked from commit 3ea0b287d74b8fc0dad08b2a539105e1aa1c1e67)
(cherry picked from commit db8392a8ac093d4d3760e8bb40c56d8e194d44fb)
(cherry picked from commit bd2a5fa2923c320e01faeaa1fdc1ad823c337027)
(cherry picked from commit 2436acb3d986bad08aa134e450420fc4a08f5d62)
(cherry picked from commit 62f50e1c521c30729781e5cd58882e743bb8b851)
(cherry picked from commit dba18925217254d22f76306c0fe1c046c419268e)
(cherry picked from commit 4b58e3b6d41f9e42fd34469184a3c7d4c5205c86)
(cherry picked from commit 12470568569fec0644319d3d263a82bc7acdc0c3)
(cherry picked from commit afbaea700972ddd4cb788d0b6d5e78de5558756a)
(cherry picked from commit dcd4813d96f8d4e429914f4c8f951bd25b23afca)
(cherry picked from commit b51dc963d1625bd7b9869302ec1ae70bbafb4442)
(cherry picked from commit 611e895efd28026fdc4661893172356e76f6c3d0)
(cherry picked from commit fd492a03f5335c138e143e784657f7012484bd8c)
(cherry picked from commit 2c99991f44a15466339bb82b29d455c66795721b)
(cherry picked from commit 7426c1edb4b904424cded473c94c9739fde83ed0)
(cherry picked from commit 373244f8b2d449e8811e488e3a3732ba9bc79eaa)
(cherry picked from commit 4f6efecdb9d932459dd9f4d7ee393a121a7bbb96)
(cherry picked from commit 61d500808e443ce770b06fa1b87728a7785bd387)
(cherry picked from commit 65f8384b6361c39d48df95227b047a20977482be)
(cherry picked from commit 12ed28e734f79203ad6bf94774008715da6efd21)
(cherry picked from commit ec6cdc9e1a9544f4f2b0ad7256ed2a8b15cf5335)
(cherry picked from commit 08653ba05119906e066455a3e3913e66c179dbf3)
(cherry picked from commit d5847c87cbcf0fd15953fb7aeadd1cece989b6c9)
(cherry picked from commit 640a96e19be0c7faedf5aedfd90c15df8dc8f376)
(cherry picked from commit 46177814a9ee8596b58055b57bea5441a893de7f)
(cherry picked from commit b0098f5a80356757107cc4dd58bf24e2acba6b26)
(cherry picked from commit ce5ddeeca9fa39180a2f9630c82007f8e9410867)
(cherry picked from commit 5736fa1025681244b8eefef9a14b0715fa37d9a1)
(cherry picked from commit c43ca210fcbc2589158df8c2c3036dedb00eaa52)
(cherry picked from commit 7f92906bf3c72649dd2668263761ded71cf5ee91)
(cherry picked from commit f726525d2dba5e481f758624e62eeaa3d38be564)
(cherry picked from commit db86c93b0b7d2c1a7c17fcb6047b3d75873f9bbe)
(cherry picked from commit 6751bd93c3faf4be0f29b52b4c41626a244a2a54)
(cherry picked from commit 74bb523ac96062f93f20c174dcc9b1dc7ad94b13)
(cherry picked from commit 94f9045a81ef58ecb6671d1e8f2ad31a7758ea9a)
(cherry picked from commit 5297eac42d905d10060de688963f111cbefe49d4)
(cherry picked from commit 57e3c57c519f41a595845be3f2505610ae8ad690)
(cherry picked from commit c5cacfee51e2e7846234c9dd9c053b6cdfaf3947)
(cherry picked from commit dfa31ee0048dcf5c3b8d6fec6184f665a019f014)
(cherry picked from commit d7d10a76b41079cab423f00a96426a8de19fb876)
(cherry picked from commit 62bd4edd4622ea778d8994d05c535de677819544)
(cherry picked from commit 798c211f86f4ce713ab3fc18411fd72a57a219ef)
(cherry picked from commit 1f645aeceafdf6f4f74864b14d939c4bcdf096be)
(cherry picked from commit 8a8b62e10e9678fe33e32fa75f4b8c78e6aef68f)
(cherry picked from commit d3ff4e1fdfdaa272941d86735c91107f03280294)
(cherry picked from commit 81412571f8daeb4797556ba846ef7d7280844ef2)
(cherry picked from commit e9faa1f4e02c567721d2c28426580a839b96de5e)
(cherry picked from commit bce1ab85f7cef1696a4560f079bc346e813814b2)
2024-02-05 14:44:32 +01:00
Earl Warren
4e5bf59579
[CI] DEFAULT_ACTIONS_URL = https://code.forgejo.org
[CI] Revert "Restrict `[actions].DEFAULT_ACTIONS_URL` to only `github` or `self` (#25581)"

This reverts commit 67bd9d4f1e.

(cherry picked from commit 0547e94023a545fafe82e280dd809e7efd6d86e2)
(cherry picked from commit d21ad654ad0abc243913532326e916899b0e387c)
(cherry picked from commit b905e9d8386c58206234a417769cc17b3be34b62)
(cherry picked from commit 251a5bf235b1723bc2bc324f9e8c03a8668bb5ae)
(cherry picked from commit b370e4769423bec92b0f265f3e3b2b683640024d)
(cherry picked from commit 2cc28d078507027749c14a5448e949ab54b79c66)
(cherry picked from commit ed870a39e98fbb69c435a3a3ef0434fe6163ebe7)
(cherry picked from commit 7bb0c4654ecbbd2feee2c74034c1e2cdca0d6828)
(cherry picked from commit bab1f552c385e3c7d0faa33d28fb8087780ea834)

Conflicts:
	custom/conf/app.example.ini
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1413

[CI] DEFAULT_ACTIONS_URL = https://codeberg.org

(cherry picked from commit 52b364ddbd9ac82b9e6f9c1767db2d6b36165011)
(cherry picked from commit 99887cd5673f6da49664b590ad60c83fdbe25a4a)
(cherry picked from commit cd5788782aa5c2ee8baecd57ca1e7882f0854453)
(cherry picked from commit 71c698a704d307c568f247710550d48f27cca4ce)
(cherry picked from commit 71386241dd741a4fa0b67d59a07d84ac31e0b870)
(cherry picked from commit b7ab05aeac12c44acd117d5a4e8d7b4da2ba4aa7)
(cherry picked from commit e78b9ca59c0af867f94d9c9bfae48f8cc9381224)
(cherry picked from commit edb3adf4606af94ed0ab0bd844ef626a39a99297)
(cherry picked from commit 3e400881975340be9148c4549a744395a6dac665)

[BRANDING] DEFAULT_ACTIONS_URL = https://code.forgejo.org

(cherry picked from commit d0e4512c902dec669da36a055a2ea54adb107e0f)
(cherry picked from commit 8ba6e047095e9ecb107d77361664fa83b03ddaa2)
(cherry picked from commit 63490810449b4189ed8538a22182fde1bc89c057)
(cherry picked from commit e06bd444951d1fd94a71ce3d591a8f397f456363)
(cherry picked from commit d58219d8e13f0b4007108d78f8f6f96a1d842c2c)
(cherry picked from commit 052f2c2aa45ae1aa1d59aaf713db4f771f62773b)
(cherry picked from commit 29dc39538631f65eaaf5dcc4eeb747fbc68d7498)
(cherry picked from commit 9eef3f59f3a1347ccc7d6d3704c9f5b40a3b6555)
(cherry picked from commit d650391fedd5b2cac313e29d51cc8689d885a594)
(cherry picked from commit c2e6e8c55d955f1e2b781c983f05319dddcc4386)
(cherry picked from commit e28a47741dc668421989b6b2310365a6611b23b7)

[CI] DEFAULT_ACTIONS_URL support for self & github (squash)

Refs: https://codeberg.org/forgejo/forgejo/issues/1062
(cherry picked from commit 74cc25376ecd1dbab57abffe286ae1f918057cfd)
(cherry picked from commit 405430708ffbebcfd2cefdcdfd24a540985b817c)
(cherry picked from commit 0274a6dee7f383bcd6b65b995b991b5ab0ee635a)
(cherry picked from commit be5cda0fd03b265367c551aefed83456be257075)
(cherry picked from commit d27474849fc4dd4ec958c04b7be06eced8b74d6e)
(cherry picked from commit 4a5e9e2d81f89b5c9e6782d1c24880d62f802d7f)
(cherry picked from commit 65b31906b27c7a6ecaecf74af748e046c51aa7a8)
(cherry picked from commit 13cf0b0963bb110db7229dc5cd4d202e7dec11fb)

Conflicts:
	custom/conf/app.example.ini
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1413
(cherry picked from commit 49529badce0a43a07a786b22e2a8705a6a1dbe63)

Conflicts:
	custom/conf/app.example.ini
	docs/content/administration/config-cheat-sheet.en-us.md
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1460
(cherry picked from commit 00327b9b1f8512ddb93a07b57fcaee53b701478b)
(cherry picked from commit 3b322e43d5695d540a52259abdde74505241dda9)
(cherry picked from commit 492cc5205908263a2733ba06a6562237406d4c11)

Conflicts:
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1573
(cherry picked from commit 9027b655df24bf47f49cc25d3547b6e49f66dde5)
(cherry picked from commit 47643830286025dbff1538e9a6ffc23b05ea3e4b)
(cherry picked from commit fbb00fd1cf9ecf30292aa3053f41076d7bb9027e)
(cherry picked from commit 417cd6c801bb14b38f672fea3371486c12636ebf)
(cherry picked from commit 6b70773ad817f6f3958e958a58c3d918e7d7f00e)
(cherry picked from commit 9ba069327d0c5179bdae7e22ca580f3c460e9ac1)

Conflicts:
	modules/setting/actions.go
	https://codeberg.org/forgejo/forgejo/pulls/1827
(cherry picked from commit 727edf19ee48648d1464f3bb38f85d82900870fa)
(cherry picked from commit 689326ce2093701e57371759eda23ed9b7781286)
(cherry picked from commit 745d60aec426e40a8ac98199e5f342113b39b871)
(cherry picked from commit cb4ae4582c24552167e692871e697cc02384c054)
(cherry picked from commit 48d5ffe1c0345f612e96acb2459c80431fa94993)

Conflicts:
	custom/conf/app.example.ini
	https://codeberg.org/forgejo/forgejo/pulls/2068
(cherry picked from commit bbd4725bfdd82aa801ec0541c7dbdef9b39dcb1d)
(cherry picked from commit 04eda91d10889febaee3f1b824defb2c0c9fb493)
(cherry picked from commit d3621e46349645ad5e194ba6a21d4f607c403c8c)
(cherry picked from commit 08da63cc4daacabf53ed18f4e521375b49bea8fe)
(cherry picked from commit dc6d291b7127e92ae05bb51c6ae018734fbc3fc7)
2024-02-05 13:33:58 +01:00
Arnaud Morin
dfc1ae15b6
Fixing small space missing in sample config file (#28967) 2024-01-28 14:58:00 +00:00
wackbyte
d9b3849454
Fix inconsistent naming of OAuth 2.0 ENABLE setting (#28951)
Renames it to `ENABLED` to be consistent with other settings and
deprecates it.

I believe this change is necessary because other setting groups such as
`attachment`, `cors`, `mailer`, etc. have an `ENABLED` setting, but
`oauth2` is the only one with an `ENABLE` setting, which could cause
confusion for users.

This is no longer a breaking change because `ENABLE` has been set as
deprecated and as an alias to `ENABLED`.
2024-01-28 12:36:44 +00:00
Viktor Kuzmin
49eb168677
Retarget depending pulls when the parent branch is deleted (#28686)
Sometimes you need to work on a feature which depends on another (unmerged) feature.
In this case, you may create a PR based on that feature instead of the main branch.
Currently, such PRs will be closed without the possibility to reopen in case the parent feature is merged and its branch is deleted.
Automatic target branch change make life a lot easier in such cases.
Github and Bitbucket behave in such way.

Example:
$PR_1$: main <- feature1
$PR_2$: feature1 <- feature2

Currently, merging $PR_1$ and deleting its branch leads to $PR_2$ being closed without the possibility to reopen.
This is both annoying and loses the review history when you open a new PR.

With this change, $PR_2$ will change its target branch to main ($PR_2$: main <- feature2) after $PR_1$ has been merged and its branch has been deleted.

This behavior is enabled by default but can be disabled.
For security reasons, this target branch change will not be executed when merging PRs targeting another repo. 

Fixes #27062
Fixes #18408

---------

Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
Co-authored-by: delvh <dev.lh@web.de>
2024-01-17 01:44:56 +01:00
wxiaoguang
2df7563f31
Recommend/convert to use case-sensitive collation for MySQL/MSSQL (#28662)
Mainly for MySQL/MSSQL.

It is important for Gitea to use case-sensitive database charset
collation. If the database is using a case-insensitive collation, Gitea
will show startup error/warning messages, and show the errors/warnings
on the admin panel's Self-Check page.

Make `gitea doctor convert` work for MySQL to convert the collations of
database & tables & columns.

* Fix #28131

## ⚠️ BREAKING ⚠️

It is not quite breaking, but it's highly recommended to convert the
database&table&column to a consistent and case-sensitive collation.
2024-01-10 11:03:23 +00:00
Kyle D
54acf7b0d4
Normalize oauth email username (#28561) 2024-01-03 18:48:20 -06:00
Yarden Shoham
cdc33b29a0
Add global setting how timestamps should be rendered (#28657)
- Resolves https://github.com/go-gitea/gitea/issues/22493
- Related to https://github.com/go-gitea/gitea/issues/4520

Some admins prefer all timestamps to display the full date instead of
relative time. They can do that now by setting

```ini
[ui]
PREFERRED_TIMESTAMP_TENSE = absolute
```

This setting is set to `mixed` by default, allowing dates to render as
"5 hours ago". Here are some screenshots of the UI with this setting set
to `absolute`:

![image](https://github.com/go-gitea/gitea/assets/20454870/f496457f-6afa-44be-a1e7-249ee5fe0706)

![image](https://github.com/go-gitea/gitea/assets/20454870/c03b14f5-063d-4e13-9780-76ab002d76a9)

![image](https://github.com/go-gitea/gitea/assets/20454870/f4b34e28-1546-4374-9199-c43348844edd)

---------

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: delvh <dev.lh@web.de>
2024-01-02 09:25:30 +08:00
wxiaoguang
19b1b698c9
Improve document for ARTIFACT_RETENTION_DAYS (#28646)
Follow #28626
2023-12-29 06:44:58 +00:00
wxiaoguang
b41925cee3
Refactor CORS handler (#28587)
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
2023-12-25 20:13:18 +08:00
Lunny Xiao
177cea7c70
Make offline mode as default to no connect external avatar service by default (#28548)
To keep user's privacy, make offline mode as true by default.

Users can still change it from installation ui and app.ini
2023-12-21 07:42:16 +00:00
Lunny Xiao
e7cb8da2a8
Always enable caches (#28527)
Nowadays, cache will be used on almost everywhere of Gitea and it cannot
be disabled, otherwise some features will become unaviable.

Then I think we can just remove the option for cache enable. That means
cache cannot be disabled.
But of course, we can still use cache configuration to set how should
Gitea use the cache.
2023-12-19 09:29:05 +00:00
wxiaoguang
20929edc99
Add option to disable ambiguous unicode characters detection (#28454)
* Close #24483
* Close #28123
* Close #23682
* Close #23149

(maybe more)
2023-12-17 14:38:54 +00:00
Jack Hay
4e879fed90
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
Denys Konovalov
816e46ee7c
add skip ci functionality (#28075)
Adds the possibility to skip workflow execution if the commit message
contains a string like [skip ci] or similar.

The default strings are the same as on GitHub, users can also set custom
ones in app.ini

Reference:
https://docs.github.com/en/actions/managing-workflow-runs/skipping-workflow-runs

Close #28020
2023-11-18 13:37:08 +02:00
Nanguan Lin
0678c82265
Change default size of issue/pr attachments and repo file (#27946)
As title. Some attachments and file sizes can easily be larger than
these limits
2023-11-13 14:19:22 +00:00
6543
16ba16dbe9
Allow to set explore page default sort (#27951)
as title


---
*Sponsored by Kithara Software GmbH*
2023-11-09 10:11:45 +00:00
6543
8ef169a173
Document REACTION_MAX_USER_NUM setting option (#27954)
4a0103fa29/modules/setting/ui.go (L24)

4a0103fa29/modules/setting/ui.go (L77)

---
*Sponsored by Kithara Software GmbH*
2023-11-08 01:50:31 +01:00
MiloCubed
2f2ca8c940
[docs] Add note that PROTOCOL config is case-sensitive (#25685)
See [issue on
gitea.com](https://gitea.com/gitea/gitea-docusaurus/issues/38), copied
below for convenience:
> Hello, may I first confirm that the app.ini PROTOCOL config is case
sensitive (must be lowercase)?
> 
> If so, I'd like to suggest for it to be highlighted in the [HTTPS
Setup](https://docs.gitea.com/administration/https-setup#using-the-built-in-server)
page.
> Perhaps something like:
> For the PROTOCOL=https field, make sure https is lowercase. Writing
PROTOCOL=HTTPS may result in a SSL_ERROR_RX_RECORD_TOO_LONG error on
Firefox or ERR_SSL_PROTOCOL_ERROR on Chrome and Edge.
> 
> Background
> At first I carelessly wrote PROTOCOL=HTTPS in my app.ini, and Firefox
didn't allow me to connect because:
> Secure Connection Failed
> An error occurred during a connection to gitea.local.lan. SSL received
a record that exceeded the maximum permissible length.
> Error code: SSL_ERROR_RX_RECORD_TOO_LONG
> I spent maybe half an hour troubleshooting my certs, ports, and other
configs before backtracking to the start and realizing the
capitalization difference there 😅. When I changed that config to
lowercase, it worked.

For this PR I added the note in the Config Cheat Sheet page and fixed
the links to it from the HTTPS Setup page.

Was originally thinking to put the note in the HTTPS Setup page itself,
but since there are 2 sections referencing the PROTOCOL config, I was
thinking it'd be neater and more concise to put it in the Config Cheat
Sheet page instead. Especially since both sections already link to it,
and I actually tried to check that link quite early on in my
troubleshooting (but didn't pay much attention to it since the link was
broken).

## Before/After screenshots as per [this repo's
docs](https://github.com/go-gitea/gitea/tree/main/docs)

Before - links

![image](https://github.com/go-gitea/gitea/assets/135522693/e0745077-f6a9-4178-aa78-2155ccb58fd6)
Note: For this the links weren't broken, the links fix is because they
were broken on gitea.com's docs (see below).

After - links

![image](https://github.com/go-gitea/gitea/assets/135522693/748b3759-aa13-4ad0-9811-c6664b6cdd35)

Before - config cheat sheet

![image](https://github.com/go-gitea/gitea/assets/135522693/4ff2e4e6-3528-4cea-a7a6-64a75854eb99)

After - config cheat sheet

![image](https://github.com/go-gitea/gitea/assets/135522693/c8e07ab6-5a26-4582-a4d0-b83d1f11a30e)


## Before/After screenshots as per [gitea.com's
docs](https://gitea.com/gitea/gitea-docusaurus)

Before - links

![image](https://github.com/go-gitea/gitea/assets/135522693/4d26ea67-b987-4b91-810b-c53852a13078)

After - links

![image](https://github.com/go-gitea/gitea/assets/135522693/24d02907-7f9e-4228-a190-7696623c00f7)

Before - config cheat sheet

![image](https://github.com/go-gitea/gitea/assets/135522693/978eedfd-ce05-488d-ab54-9d7f3c9f233d)

After - config cheat sheet

![image](https://github.com/go-gitea/gitea/assets/135522693/12d22566-a2b0-45ec-8302-a88eae9365d8)
2023-10-19 16:14:46 +08:00
Lunny Xiao
7ff1f2527c
Make actions default enabled for newly created repository if global configuraion enabled (#27482) 2023-10-10 14:45:31 +00:00
Jason Song
2c7b6c378e
Increase queue length (#27555) 2023-10-10 18:47:49 +08:00
M Hickford
a825cc0f34
Pre-register OAuth application for tea (#27509)
It remains to implement OAuth login in tea
https://gitea.com/gitea/tea/issues/598

Fixes #27510
2023-10-08 03:51:08 +00:00
silverwind
023e937141
Rename the default themes to gitea-light, gitea-dark, gitea-auto (#27419)
Part of https://github.com/go-gitea/gitea/issues/27097:

- `gitea` theme is renamed to `gitea-light`
- `arc-green` theme is renamed to `gitea-dark`
- `auto` theme is renamed to `gitea-auto`

I put both themes in separate CSS files, removing all colors from the
base CSS. Existing users will be migrated to the new theme names. The
dark theme recolor will follow in a separate PR.

## ⚠️ BREAKING ⚠️

1. If there are existing custom themes with the names `gitea-light` or
`gitea-dark`, rename them before this upgrade and update the `theme`
column in the `user` table for each affected user.
2. The theme in `<html>` has moved from `class="theme-name"` to
`data-theme="name"`, existing customizations that depend on should be
updated.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-10-06 09:46:36 +02:00
Francesco Antognazza
bc21723717
Make Actions tasks/jobs timeouts configurable by the user (#27400)
With this PR we added the possibility to configure the Actions timeouts
values for killing tasks/jobs.
Particularly this enhancement is closely related to the `act_runner`
configuration reported below:
```
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
```

---

Setting the corresponding key in the INI configuration file, it is
possible to let jobs run for more than 3 hours.

Signed-off-by: Francesco Antognazza <francesco.antognazza@gmail.com>
2023-10-02 23:09:26 +02:00
Lunny Xiao
e5ec57cd60
Actions are no longer experimental, so enable them by default (#27054)
This PR makes the actions enabled by default, so people will find it
easier to enable actions in repository setting.
2023-09-15 06:43:39 +00:00
wxiaoguang
998cea5888
Use secure cookie for HTTPS sites (#26999)
If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's
default value should be true.

And, if a user visits an "http" site with "https" AppURL, they won't be
able to login, and they should have been warned. The only problem is
that the "language" can't be set either in such case, while I think it
is not a serious problem, and it could be fixed easily if needed.

![image](https://github.com/go-gitea/gitea/assets/2114189/7bc9a859-dcc1-467d-bc7c-1dd6a10389e3)
2023-09-11 17:03:51 +08:00
Lunny Xiao
e97e883ad5
Add reverseproxy auth for API back with default disabled (#26703)
This feature was removed by #22219 to avoid possible CSRF attack.

This PR takes reverseproxy auth for API back but with default disabled.

To prevent possbile CSRF attack, the responsibility will be the
reverseproxy but not Gitea itself.

For those want to enable this `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`,
they should know what they are doing.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-09-07 08:31:46 +00:00
FuXiaoHei
460a2b0edf
Artifacts retention and auto clean up (#26131)
Currently, Artifact does not have an expiration and automatic cleanup
mechanism, and this feature needs to be added. It contains the following
key points:

- [x] add global artifact retention days option in config file. Default
value is 90 days.
- [x] add cron task to clean up expired artifacts. It should run once a
day.
- [x] support custom retention period from `retention-days: 5` in
`upload-artifact@v3`.
- [x] artifacts link in actions view should be non-clickable text when
expired.
2023-09-06 07:41:06 +00:00
CaiCandong
7477c93d62
Update docs about attachment path (#26883)
This change was caused by #26271, for configuration as below:
```
[attachment]
ENABLE = true
PATH = data/attachments
MAX_SIZE = 100
MAX_FILES = 5
```
Before #26271, the resolved path is ${AppWorkPath}/${attachments.PATH}
(such as `/var/lib/gitea/data/attachments`)
After #26271, the resolved path is ${AppDataPath}/${attachments.PATH}
(such as `/var/lib/gitea/data/data/attachments`)


Fix  https://github.com/go-gitea/gitea/issues/26864
Follow https://github.com/go-gitea/gitea/pull/26271
2023-09-03 11:40:10 +02:00
mainboarder
c533991519
Expanded minimum RSA Keylength to 3072 (#26604)
German Federal Office for Information Security requests in its technical
guideline BSI TR-02102-1 RSA Keylength not shorter than 3000bits
starting 2024, in the year 2023 3000bits as a recommendation. Gitea
should request longer RSA Keys by default in favor of security and drop
old clients which do not support longer keys.


https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=9
- Page 19, Table 1.2

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-28 00:53:16 +00:00
techknowlogick
b3f7137174
Update minimum password length requirements (#25946) 2023-08-21 19:27:50 +00:00
techknowlogick
b85a57845c
update config docs url (#26640) 2023-08-21 17:14:49 +00:00
Denys Konovalov
63ab92d797
Pre-register OAuth2 applications for git credential helpers (#26291)
This PR is an extended implementation of #25189 and builds upon the
proposal by @hickford in #25653, utilizing some ideas proposed
internally by @wxiaoguang.

Mainly, this PR consists of a mechanism to pre-register OAuth2
applications on startup, which can be enabled or disabled by modifying
the `[oauth2].DEFAULT_APPLICATIONS` parameter in app.ini. The OAuth2
applications registered this way are being marked as "locked" and
neither be deleted nor edited over UI to prevent confusing/unexpected
behavior. Instead, they're being removed if no longer enabled in config.


![grafik](https://github.com/go-gitea/gitea/assets/47871822/81a78b1c-4b68-40a7-9e99-c272ebb8f62e)

The implemented mechanism can also be used to pre-register other OAuth2
applications in the future, if wanted.

Co-authored-by: hickford <mirth.hickford@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

---------

Co-authored-by: M Hickford <mirth.hickford@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-09 14:24:07 +02:00
Panagiotis "Ivory" Vasilopoulos
d58c542579
Add 'Show on a map' button to Location in profile, fix layout (#26214)
Not too important, but I think that it'd be a pretty neat touch.

Also fixes some layout bugs introduced by a previous PR.

---------

Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: Caesar Schinas <caesar@caesarschinas.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-07-31 08:44:45 +00:00
wxiaoguang
8baa42c8d7
Calculate MAX_WORKERS default value by CPU number (#26177)
To avoid consuming user's 100% CPU, limit the default value of
MAX_WORKERS

Fix #26063 (the CPU 100% problem mentioned in it)
2023-07-27 16:40:35 +08:00
wxiaoguang
d0dbe52e76
Refactor to use urfave/cli/v2 (#25959)
Replace #10912

And there are many new tests to cover the CLI behavior

There were some concerns about the "option order in hook scripts"
(https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314),
it's not a problem now. Because the hook script uses `/gitea hook
--config=/app.ini pre-receive` format. The "config" is a global option,
it can appear anywhere.

----

## ⚠️ BREAKING ⚠️

This PR does it best to avoid breaking anything. The major changes are:

* `gitea` itself won't accept web's options: `--install-port` / `--pid`
/ `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's
options.
    * Use `./gitea web --pid ....` instead
* `./gitea` can still run the `web` sub-command as shorthand, with
default options
* The sub-command's options must follow the sub-command
* Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd
--sub-opt` (well, might not ...)
    * After: only `./gitea subcmd --sub-opt` could be used
    * The global options like `--config` are not affected
2023-07-21 17:28:19 +08:00
wxiaoguang
50e14699d3
Update path related documents (#25417)
Update WorkPath/WORK_PATH related documents, remove out-dated
information.

Remove "StaticRootPath" on the admin config display page, because few
end user really need it, it only causes misconfiguration.


![image](https://github.com/go-gitea/gitea/assets/2114189/8095afa4-da76-436b-9e89-2a92c229c01d)

Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-19 11:22:57 +02:00
wxiaoguang
faa28b5a44
Move public asset files to the proper directory (#25907)
Move `public/*` to `public/assets/*`

Some old PRs (like #15219) introduced inconsistent directory system.

For example: why the local directory "public" is accessed by
`http://site/assets`? How to serve the ".well-known" files properly in
the public directory?

For convention rules, the "public" directory is widely used for the
website's root directory. It shouldn't be an exception for Gitea.

So, this PR makes the things consistent:

* `http://site/assets/foo` means `{CustomPath}/public/assets/foo`.
* `{CustomPath}/public/.well-known` and `{CustomPath}/public/robots.txt`
can be used in the future.

This PR is also a prerequisite for a clear solution for:
* #21942
* #25892 
* discourse.gitea.io: [.well-known path serving custom files behind
proxy?](https://discourse.gitea.io/t/well-known-path-serving-custom-files-behind-proxy/5445/1)

This PR is breaking for users who have custom "public" files (CSS/JS).
After getting approvals, I will update the documents.

----

## ⚠️ BREAKING ⚠️

If you have files in your "custom/public/" folder, please move them to
"custom/public/assets/".

---------

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-18 18:06:43 +02:00
wxiaoguang
cea9401634
Following-up improvments for various PRs (#25620)
For:

* #22743
* #25408
* #25412
* #25588
2023-07-01 14:00:10 -04:00
Jason Song
67bd9d4f1e
Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581)
Resolve #24789

## ⚠️ BREAKING ⚠️

Before this, `DEFAULT_ACTIONS_URL` cound be set to any custom URLs like
`https://gitea.com` or `http://your-git-server,https://gitea.com`, and
the default value was `https://gitea.com`.

But now, `DEFAULT_ACTIONS_URL` supports only
`github`(`https://github.com`) or `self`(the root url of current Gitea
instance), and the default value is `github`.

If it has configured with a URL, an error log will be displayed and it
will fallback to `github`.

Actually, what we really want to do is always make it
`https://github.com`, however, this may not be acceptable for some
instances of internal use, so there's extra support for `self`, but no
more, even `https://gitea.com`.

Please note that `uses: https://xxx/yyy/zzz` always works and it does
exactly what it is supposed to do.

Although it's breaking, I belive it should be backported to `v1.20` due
to some security issues.

Follow-up on the runner side:

- https://gitea.com/gitea/act_runner/pulls/262
- https://gitea.com/gitea/act/pulls/70
2023-06-30 07:26:36 +00:00
Lunny Xiao
9c62ca5689
Fix default value for LocalURL (#25426)
Fix #23769
2023-06-24 11:56:29 +08:00
Jason Song
375fd15fbf
Refactor indexer (#25174)
Refactor `modules/indexer` to make it more maintainable. And it can be
easier to support more features. I'm trying to solve some of issue
searching, this is a precursor to making functional changes.

Current supported engines and the index versions:

| engines | issues | code |
| - | - | - |
| db | Just a wrapper for database queries, doesn't need version | - |
| bleve | The version of index is **2** | The version of index is **6**
|
| elasticsearch | The old index has no version, will be treated as
version **0** in this PR | The version of index is **1** |
| meilisearch | The old index has no version, will be treated as version
**0** in this PR | - |


## Changes

### Split

Splited it into mutiple packages

```text
indexer
├── internal
│   ├── bleve
│   ├── db
│   ├── elasticsearch
│   └── meilisearch
├── code
│   ├── bleve
│   ├── elasticsearch
│   └── internal
└── issues
    ├── bleve
    ├── db
    ├── elasticsearch
    ├── internal
    └── meilisearch
```

- `indexer/interanal`: Internal shared package for indexer.
- `indexer/interanal/[engine]`: Internal shared package for each engine
(bleve/db/elasticsearch/meilisearch).
- `indexer/code`: Implementations for code indexer.
- `indexer/code/internal`: Internal shared package for code indexer.
- `indexer/code/[engine]`: Implementation via each engine for code
indexer.
- `indexer/issues`: Implementations for issues indexer.

### Deduplication

- Combine `Init/Ping/Close` for code indexer and issues indexer.
- ~Combine `issues.indexerHolder` and `code.wrappedIndexer` to
`internal.IndexHolder`.~ Remove it, use dummy indexer instead when the
indexer is not ready.
- Duplicate two copies of creating ES clients.
- Duplicate two copies of `indexerID()`.


### Enhancement

- [x] Support index version for elasticsearch issues indexer, the old
index without version will be treated as version 0.
- [x] Fix spell of `elastic_search/ElasticSearch`, it should be
`Elasticsearch`.
- [x] Improve versioning of ES index. We don't need `Aliases`:
- Gitea does't need aliases for "Zero Downtime" because it never delete
old indexes.
- The old code of issues indexer uses the orignal name to create issue
index, so it's tricky to convert it to an alias.
- [x] Support index version for meilisearch issues indexer, the old
index without version will be treated as version 0.
- [x] Do "ping" only when `Ping` has been called, don't ping
periodically and cache the status.
- [x] Support the context parameter whenever possible.
- [x] Fix outdated example config.
- [x] Give up the requeue logic of issues indexer: When indexing fails,
call Ping to check if it was caused by the engine being unavailable, and
only requeue the task if the engine is unavailable.
- It is fragile and tricky, could cause data losing (It did happen when
I was doing some tests for this PR). And it works for ES only.
- Just always requeue the failed task, if it caused by bad data, it's a
bug of Gitea which should be fixed.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-06-23 12:37:56 +00:00
wxiaoguang
ce46834b93
Remove "CHARSET" config option for MySQL, always use "utf8mb4" (#25413)
In modern days, there is no reason to make users set "charset" anymore.

Close #25378

## ⚠️ BREAKING

The key `[database].CHARSET` was removed completely as every newer
(>10years) MySQL database supports `utf8mb4` already.
There is a (deliberately) undocumented new fallback option if anyone
still needs to use it, but we don't recommend using it as it simply
causes problems.
2023-06-21 10:49:25 +00:00
Lunny Xiao
e79ff50560
Use the new download domain replace the old (#25405)
As title.
2023-06-21 03:11:17 +00:00
Lunny Xiao
d6dd6d641b
Fix all possible setting error related storages and added some tests (#23911)
Follow up #22405

Fix #20703 

This PR rewrites storage configuration read sequences with some breaks
and tests. It becomes more strict than before and also fixed some
inherit problems.

- Move storage's MinioConfig struct into setting, so after the
configuration loading, the values will be stored into the struct but not
still on some section.
- All storages configurations should be stored on one section,
configuration items cannot be overrided by multiple sections. The
prioioty of configuration is `[attachment]` > `[storage.attachments]` |
`[storage.customized]` > `[storage]` > `default`
- For extra override configuration items, currently are `SERVE_DIRECT`,
`MINIO_BASE_PATH`, `MINIO_BUCKET`, which could be configured in another
section. The prioioty of the override configuration is `[attachment]` >
`[storage.attachments]` > `default`.
- Add more tests for storages configurations.
- Update the storage documentations.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-14 11:42:38 +08:00
silverwind
50bd7d0b24
Remove the service worker (#25010)
It's been disabled by default since 1.17
(https://github.com/go-gitea/gitea/pull/18914), and it never really
delivered any benefit except being another cache layer that has its own
unsolved invalidation issues. HTTP cache works, we don't need two cache
layers at the browser for assets.

## ⚠️ BREAKING

You can remove the config `[ui].USE_SERVICE_WORKER` from your `app.ini`
now.
2023-05-31 02:07:04 +00:00
JakobDev
1b115296d3
Followup to pinned Issues (#24945)
This addressees some things from #24406 that came up after the PR was
merged. Mostly from @delvh.

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
2023-05-30 15:26:51 +00:00
silverwind
c7612d178c
Remove meta tags theme-color and default-theme (#24960)
As discussed in
https://github.com/go-gitea/gitea/pull/24953#issuecomment-1565630156.

## ⚠️ BREAKING ⚠️

1. The `ui.THEME_COLOR_META_TAG` setting has been removed. If you still
need to set the `theme-color` meta tag, add it via
`$GITEA_CUSTOM/templates/custom/header.tmpl` instead.

2. The non-standard `default-theme` meta-tag added in
https://github.com/go-gitea/gitea/pull/13809 has been removed. Third
party code that needs to obtain the currently loaded theme should use
the `theme-<name>` class on the `<html>` node instead, which reflect the
currently active theme.
2023-05-28 22:33:17 +00:00
wxiaoguang
2f149c5c9d
Use [git.config] for reflog cleaning up (#24958)
Follow
https://github.com/go-gitea/gitea/pull/24860#discussion_r1200589651

Use `[git.config]` for reflog cleaning up, the new options are more
flexible.

*
https://git-scm.com/docs/git-config#Documentation/git-config.txt-corelogAllRefUpdates
*
https://git-scm.com/docs/git-config#Documentation/git-config.txt-gcreflogExpire

## ⚠️ BREAKING

The section `[git.reflog]` is now obsolete and its keys have been moved
to the following replacements:
- `[git.reflog].ENABLED` → `[git.config].core.logAllRefUpdates`
- `[git.reflog].EXPIRATION` → `[git.config].gc.reflogExpire`
2023-05-28 01:07:14 +00:00
JakobDev
aaa1094663
Add the ability to pin Issues (#24406)
This adds the ability to pin important Issues and Pull Requests. You can
also move pinned Issues around to change their Position. Resolves #2175.

## Screenshots

![grafik](https://user-images.githubusercontent.com/15185051/235123207-0aa39869-bb48-45c3-abe2-ba1e836046ec.png)

![grafik](https://user-images.githubusercontent.com/15185051/235123297-152a16ea-a857-451d-9a42-61f2cd54dd75.png)

![grafik](https://user-images.githubusercontent.com/15185051/235640782-cbfe25ec-6254-479a-a3de-133e585d7a2d.png)

The Design was mostly copied from the Projects Board.

## Implementation
This uses a new `pin_order` Column in the `issue` table. If the value is
set to 0, the Issue is not pinned. If it's set to a bigger value, the
value is the Position. 1 means it's the first pinned Issue, 2 means it's
the second one etc. This is dived into Issues and Pull requests for each
Repo.

## TODO
- [x] You can currently pin as many Issues as you want. Maybe we should
add a Limit, which is configurable. GitHub uses 3, but I prefer 6, as
this is better for bigger Projects, but I'm open for suggestions.
- [x] Pin and Unpin events need to be added to the Issue history.
- [x] Tests
- [x] Migration

**The feature itself is currently fully working, so tester who may find
weird edge cases are very welcome!**

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-25 15:17:19 +02:00