Commit graph

19016 commits

Author SHA1 Message Date
Gergely Nagy
8eba631f8d
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-19 16:53:14 +02:00
0ko
67d6c674df Merge pull request 'Remove EasyMDE from various areas' (#2916) from 0ko/forgejo:easymde into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2916
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-19 13:48:34 +00:00
Earl Warren
b05a7809b5 Merge pull request 'fix(tests): 30s to cancel processes to avoid false negatives' (#3317) from earl-warren/forgejo:wip-cancel-test into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3317
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-04-19 12:48:41 +00:00
Earl Warren
0342b7fdcd Merge pull request '[RELEASE] v1.21.11-1 release notes' (#3330) from earl-warren/forgejo:wip-release-notes-1.21 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3330
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-04-19 11:49:03 +00:00
Earl Warren
af7decae18 Merge pull request 'Update citation-js monorepo to v0.7.11' (#3321) from renovate/citation-js-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3321
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-19 11:08:57 +00:00
Earl Warren
080f1e8250
[RELEASE] v1.21.11-1 release notes 2024-04-19 13:00:57 +02:00
Gusted
b6992ed6b9 Merge pull request 'services: Use proper Message-IDs for release mails' (#3309) from algernon/forgejo:are-we-dot-atom-text-yet into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3309
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-19 08:35:17 +00:00
Renovate Bot
82ec2a65e0 Update citation-js monorepo to v0.7.11 2024-04-19 00:02:54 +00:00
Earl Warren
9a80f6b57e Merge pull request 'v1.21.11-0 release notes' (#3287) from crystal/forgejo:pr/releasenotes-1.21.11-0 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3287
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-18 20:14:21 +00:00
Earl Warren
77843135b0
slight wording change and most serious fix first 2024-04-18 21:57:53 +02:00
crystal
2b2c0f1ae2
add security fixes details, link to compare 2024-04-18 12:37:59 -06:00
Earl Warren
d335a3330f Merge pull request 'ci(renovate): fix step names (take 2)' (#3318) from earl-warren/forgejo:wip-renovate-run into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3318
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-18 18:17:16 +00:00
Earl Warren
9303f8e72d
ci(renovate): fix step names (take 2) 2024-04-18 20:08:27 +02:00
Earl Warren
6316e21be2
fix(tests): 30s to cancel processes to avoid false negatives
on slower machines it can take more than 1 second to cancel leftover
tasks
2024-04-18 18:47:49 +02:00
Otto Richter
87d4746f5e Rename button to "Finish Review"
Motivation: The meaning of the button is apparent from the visual
position and the number icon. This is not exposed to a screenreader.
Naming it to "Finish Review" helps to provide the meaning of the
button as well as the number in the label.
2024-04-18 16:21:30 +02:00
Otto Richter
187e10d8c9 Fix unlabelled button in code review 2024-04-18 16:20:29 +02:00
Earl Warren
c7b8a434c3 Merge pull request 'ci(renovate): fix step names' (#3311) from viceice/forgejo:ci/renovate/fix-step-names into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3311
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-18 14:04:19 +00:00
Earl Warren
b58474173a Merge pull request 'Update ghcr.io/visualon/renovate Docker tag to v37.305.0' (#3312) from renovate/ghcr.io-visualon-renovate-37.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3312
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-18 13:54:22 +00:00
crystal
95fa27374b
typo 2024-04-18 07:27:48 -06:00
Gergely Nagy
b0c0167c54
services: Use proper Message-IDs for release mails
When sending notification emails about a release, use a properly
formatted, RFC-compliant message id, rather than the release's HTML URL
wrapped in angle brackets (which would not be compliant).

Fixes #3105.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-18 13:44:18 +02:00
Renovate Bot
0f078ba4c9 Update ghcr.io/visualon/renovate Docker tag to v37.305.0 2024-04-18 11:25:53 +00:00
Michael Kriese
1f4915692b
ci(renovate): fix step names 2024-04-18 13:22:51 +02:00
Renovate Bot
ca2473e895 Update ghcr.io/visualon/renovate Docker tag to v37.303.2 2024-04-17 16:05:21 +00:00
Earl Warren
bc3e66097c Merge pull request 'fix(release): add missing ARG RELEASE_VERSION' (#3290) from earl-warren/forgejo:wip-oci-labels into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3290
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-17 15:51:36 +00:00
Earl Warren
97189d41f3
fix(release): add missing ARG RELEASE_VERSION
The ARG RELEASE_VERSION set in the build-env image does not propagate
to the images that follow. As a result the value of the version label
is always empty.

This should have been caught by the test in the CI but although it
notified the problem in the output, it did not fail. Upgrade to the
forgejo-build-publish version that fixes this false positive.
2024-04-17 17:16:53 +02:00
crystal
0ff5be49ab
[RELEASE] v1.21.11-0 release notes 2024-04-17 05:45:41 -06:00
Earl Warren
d07f12e010 Merge pull request 'Do not require login_name & source_id for /admin/user/{username}' (#3278) from algernon/forgejo:leave-your-name-at-the-door into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3278
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 11:05:13 +00:00
Mai-Lapyst
5b6b3f3fb3
Fix some edge cases; closes #3232
- Fixes wrong usage of AppURL
- Fixes wrong rendering with extra path segments when AppSubURL is empty
- Now also renders all links when 2+ permalinks are present
2024-04-17 13:02:48 +02:00
Earl Warren
618e517d4c Merge pull request 'Update dependency vue to v3.4.23' (#3280) from renovate/vue-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3280
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-17 10:32:43 +00:00
Earl Warren
c2f2858363 Merge pull request 'chore(renovate): schedule some deps quarterly' (#3284) from viceice/forgejo:chore/renovate-schedule into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3284
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 10:16:50 +00:00
Gergely Nagy
d07c8c821c
Do not require login_name & source_id for /admin/user/{username}
When editing a user via the API, do not require setting `login_name` or
`source_id`: for local accounts, these do not matter. However, when
editing a non-local account, require *both*, as before.

Fixes #1861.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-17 10:33:52 +02:00
Michael Kriese
bb0daa9522
chore(renovate): schedule some deps quarterly 2024-04-17 09:24:59 +02:00
Earl Warren
e4aa7bd511 Merge pull request 'webhook: improve UX for sourcehut and matrix' (#3156) from oliverpool/forgejo:webhook_sourcehut_polish into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3156
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 06:39:54 +00:00
Gergely Nagy
ea4071ca9f Allow admins to fork repos even when creation limits are exhausted (#3277)
This is a continuation of #2728, with a test case added.

Fixes #2633.

I kept @zareck 's commit as is, because I believe it is correct. We can't move the check to `owner.CanForkRepo()`, because `owner` is the future owner of the forked repo, and may be an organization. We need to check the admin permission of the `doer`, like in the case of repository creation.

I verified that the test fails without the `ForkRepository` change, and passes with it.

Co-authored-by: Cassio Zareck <cassiomilczareck@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3277
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-17 05:52:02 +00:00
Earl Warren
33d0617538 Merge pull request 'feat(release): add OCI labels to container images' (#3261) from earl-warren/forgejo:wip-oci-labels into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3261
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-04-17 05:46:36 +00:00
Earl Warren
a003691c7b Merge pull request 'Allow changing global wiki editability via the API' (#3276) from algernon/forgejo:let-the-api-control-your-wiki-editability into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3276
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-17 05:46:10 +00:00
Renovate Bot
a5c0643d13 Update dependency vue to v3.4.23 2024-04-17 00:04:27 +00:00
Gusted
787bc6ed94 Merge pull request 'Update dependency @stylistic/eslint-plugin-js to v1.7.2' (#3251) from renovate/stylistic-eslint-plugin-js-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3251
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-16 20:59:10 +00:00
Gergely Nagy
df8e58c5cb
Allow changing global wiki editability via the API
The global wiki editability can be set via the web UI; this patch makes
it possible to set the same thing via the API too. This is accomplished
by adjusting the GET and PATCH handlers of the
`/api/v1/repos/{owner}/{repo}` route.

The first will include the property when checking the repo's settings,
the second allows a repo admin to change the setting too.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-16 22:51:36 +02:00
oliverpool
ada8bfa52f Merge pull request 'Fix release published actions not triggering for releases created from existing tags' (#3220) from zotan/forgejo:forgejo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3220
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 18:27:59 +00:00
Laura Hausmann
8506dbe2e5
Add tests for webhook release events
Co-authored-by: oliverpool <git@olivier.pfad.fr>
2024-04-16 19:25:26 +02:00
Earl Warren
a5a0fc7344 Merge pull request '[BUG] Escape editor.add_tmpl translation' (#3269) from gusted/forgejo-escape-tr into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3269
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 16:19:47 +00:00
Earl Warren
028d19c0fe
feat(release): add OCI labels to container images 2024-04-16 17:50:57 +02:00
Earl Warren
a76f71a648 Merge pull request '[BUG] Fix styling of close button' (#3267) from gusted/forgejo-theme-reg into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3267
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-04-16 15:18:03 +00:00
Gusted
a0f47b8de7
[BUG] Escape editor.add_tmpl translation
- Previously translations were escaped, but now translations are
accepted as-is and will be rendered as HTML. Use `TrString` to escape
the translation value.
- Adds integration test.
- Regression of 65248945c9.
- Resolves #3260
2024-04-16 15:50:49 +02:00
oliverpool
df042909bb Merge pull request '[Port] container.FilterSlice function (gitea#30339 & gitea#30370)' (#3264) from oliverpool/forgejo:port_30339 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3264
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-16 13:12:11 +00:00
Earl Warren
9aa430268b Merge pull request 'Add commit status summary table to reduce query from commit status table' (#3245) from viceice/forgejo:feat/commit-status-summary into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3245
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 12:22:49 +00:00
0ko
41ab13c14f Various improvements to pages: notifications and subscriptions
- fix rounding on /notifications/subscriptions
- add navigation interconnectivity between notifications and subscriptions
- use modern style for tabs
- clearing notifications: hide the whole form instead of div. It doesn't seem like it's changed via JS?
- replace issue-title-buttons and edit-buttons with universal top-right-buttons, get rid of tw-mr-0 helpers
- repo issues: fix misalignments on mobile view
2024-04-16 15:29:28 +05:00
Gusted
7fcb9c3636
[BUG] Fix styling of close button
- This is a partial revert of c2280a2009,
it was already fixed upstream, but not for the `.basic` variant.
- Resolves #3252
2024-04-16 12:25:09 +02:00
Earl Warren
4fc06cfd78 Merge pull request '[PORT] gitea#30139: Refactor markdown render' (#3259) from algernon/forgejo:gitea/port/30139 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3259
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-16 10:08:52 +00:00