Commit graph

20106 commits

Author SHA1 Message Date
Renovate Bot
1148206fc8 Update dependency swagger-ui-dist to v5.17.7 2024-05-10 00:08:05 +00:00
Earl Warren
e49e0ebe56 Merge pull request 'Fix some 7.0 missing variables' (#3685) from 0ko/forgejo:ui-var-fixes into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3685
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 18:42:42 +00:00
Earl Warren
456b82d2bb Merge pull request '[PORT] gitea#29674: Add result check in TestAPIEditUser' (#3686) from algernon/forgejo:gitea/port/29674 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3686
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 18:35:29 +00:00
Earl Warren
15fe4fd175 Merge pull request 'Teach activities.GetFeeds() how to avoid returning duplicates' (#3598) from algernon/forgejo:action-inaction-reaction into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3598
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 18:33:21 +00:00
yp05327
f81890fa95
Add result check in TestAPIEditUser (#29674)
Fix #29514
There are too many usage of `NewRequestWithValues`, so there's no need
to check all of them.
Just one is enough I think.

(cherry picked from commit ecd1d96f494d2400f7659165ff9376354edda395)

Conflicts:
	- tests/integration/api_admin_test.go
	  Conflict resolved by manually applying the change to
	  `full_name`.
2024-05-09 19:26:21 +02:00
0ko
0dc35c9df9 [THEME] Fix some 7.0 missing variables 2024-05-09 21:58:23 +05:00
Gergely Nagy
9cb2aa989a
Teach activities.GetFeeds() how to avoid returning duplicates
Before explaining the fix itself, lets look at the `action` table, and
how it is populated. Data is only ever inserted into it via
`activities_model.NotifyWatchers`, which will:

- Insert a row for each activity with `UserID` set to the acting user's
  ID - this is the original activity, and is always inserted if anything
  is to be inserted at all.
- It will insert a copy of each activity with the `UserID` set to the
  repo's owner, if the owner is an Organization, and isn't the acting
  user.
- It will insert a copy of each activity for every watcher of the repo,
  as long as the watcher in question has read permission to the repo
  unit the activity is about.

This means that if a repository belongs to an organizations, for most
activities, it will have at least two rows in the table. For
repositories watched by people other than their owner, an additional row
for each watcher.

These are useful duplicates, because they record which activities are
relevant for a particular user. However, for cases where we wish to see
the activities that happen around a repository, without limiting the
results to a particular user, we're *not* interested in the duplicates
stored for the watchers and the org. We only need the originals.

And this is what this change does: it introduces an additional option to
`GetFeedsOptions`: `OnlyPerformedByActor`. When this option is set,
`activities.GetFeeds()` will only return the original activities, where
the user id and the acting user id are the same. As these are *always*
inserted, we're not missing out on any activities. We're just getting
rid of the duplicates. As this is an additional `AND` condition, it can
never introduce items that would not have been included in the result
set before, it can only reduce, not extend.

These duplicates were only affecting call sites where `RequestedRepo`
was set, but `RequestedUser` and `RequestedTeam` were not. Both of those
call sites were updated to set `OnlyPerformedByActor`. As a result,
repository RSS feeds, and the `/repos/{owner}/{repo}/activities/feeds`
API end points no longer return dupes, only the original activities.

Rather than hardcoding this behaviour into `GetFeeds()` itself, I chose
to implement it as an explicit option, for the sake of clarity.

Fixes Codeberg/Community#684, and addresses gitea#20986.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-09 18:33:33 +02:00
Yaroslav Halchenko
2b2fd2728c Add codespell support and fix a good number of typos with its help (#3270)
More about codespell: https://github.com/codespell-project/codespell .

I personally introduced it to dozens if not hundreds of projects already and so far only positive feedback.

```
❯ grep lint-spell Makefile
	@echo " - lint-spell                       lint spelling"
	@echo " - lint-spell-fix                   lint spelling and fix issues"
lint: lint-frontend lint-backend lint-spell
lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix
.PHONY: lint-spell
lint-spell: lint-codespell
.PHONY: lint-spell-fix
lint-spell-fix: lint-codespell-fix
❯ git grep lint- -- .forgejo/
.forgejo/workflows/testing.yml:      - run: make --always-make -j$(nproc) lint-backend checks-backend # ensure the "go-licenses" make target runs
.forgejo/workflows/testing.yml:      - run: make lint-frontend
```
so how would you like me to invoke `lint-codespell` on CI? (without that would be IMHO very suboptimal and let typos sneak in)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3270
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Yaroslav Halchenko <debian@onerussian.com>
Co-committed-by: Yaroslav Halchenko <debian@onerussian.com>
2024-05-09 13:49:37 +00:00
Earl Warren
06843c1cdc Merge pull request 'Update dependency swagger-ui-dist to v5.17.6' (#3679) from renovate/swagger-ui-dist-5.17.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3679
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 07:21:21 +00:00
Earl Warren
326d5e6b63 Merge pull request 'Update dependency vue to v3.4.27' (#3680) from renovate/patch-vue-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3680
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 07:20:21 +00:00
Earl Warren
2ecdffd65c Merge pull request 'Update dependency @playwright/test to v1.44.0' (#3684) from renovate/playwright-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3684
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-09 07:17:13 +00:00
Renovate Bot
e89e253636 Update dependency @playwright/test to v1.44.0 2024-05-09 02:05:43 +00:00
Renovate Bot
15c0878084 Update dependency vue to v3.4.27 2024-05-09 00:06:36 +00:00
Renovate Bot
e71f8b8f7b Update dependency swagger-ui-dist to v5.17.6 2024-05-09 00:06:13 +00:00
Earl Warren
996dbdb0b4 Merge pull request 'Update ghcr.io/visualon/renovate Docker tag to v37.351.2' (#3646) from renovate/ghcr.io-visualon-renovate-37.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3646
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 22:07:13 +00:00
Earl Warren
9ac8bc9328 Merge pull request 'Update module github.com/blevesearch/bleve/v2 to v2.4.0' (#3647) from renovate/github.com-blevesearch-bleve-v2-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3647
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 21:34:21 +00:00
Gergely Nagy
f4dd53d79d Fix an incorrect form submission in repo-issue.js (#3675)
This fixes `initRepoPullRequestAllowMaintainerEdit()` to submit the form correctly (as a web form, rather than as JSON payload).

Fixes #3618, cherry picked from gitea#30854.

Co-Authored-By: wxiaoguang <wxiaoguang@gmail.com>

---

Manual testing steps:

- Open a PR against any repository, with the "Allow edits from maintainers" option checked.
- Open the developer console (`Ctrl-Shift-I` on Firefox), and look at the Network tab.
- Visit the PR, find the "Allow edits from maintainers" checkbox, and click it.
- See the developer console, and check that the response says the setting is false.
- Refresh the page *completely* (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is off.
- Click the box again to enable it.
- See the developer console, and check that the response says the setting is true.
- Reload without cache again (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is now on.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3675
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-08 21:14:46 +00:00
Renovate Bot
8e1a6d8e73 Update ghcr.io/visualon/renovate Docker tag to v37.351.2 2024-05-08 20:05:21 +00:00
Earl Warren
d3e02eaa89 chore(licenses): make go-license 2024-05-08 19:31:56 +00:00
Renovate Bot
4bff06dafb Update module github.com/blevesearch/bleve/v2 to v2.4.0 2024-05-08 19:31:56 +00:00
Earl Warren
18c8ae844e Merge pull request 'chore(dependency): automerge all JavaScript CI dependencies' (#3676) from earl-warren/forgejo:wip-ci-renovate into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3676
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-05-08 19:31:01 +00:00
Earl Warren
4af9d9b6c3 Merge pull request 'Update dependency @stylistic/eslint-plugin-js to v1.8.1' (#3666) from renovate/linters into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3666
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 17:45:20 +00:00
Earl Warren
bfe4995ed5 Merge pull request 'Update dependency @vue/test-utils to v2.4.6' (#3667) from renovate/vue-test-utils-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3667
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 17:44:26 +00:00
Earl Warren
d4bb667051
chore(dependency): automerge all JavaScript CI dependencies
Make a pass to have a full inventory of JavaScript dependencies that
can be automerged because they only have an impact on the CI. It is
easier than to examine them one by one when an update is proposed.

- add packages:test which indirectly includes packages:jsUnitTest and
  a number of test dependencies such as vitest
- add prefixes for dependencies which are known to be exclusively
  used for testing (playwright, ...)
- add modules

Refs: https://docs.renovatebot.com/presets-packages
2024-05-08 19:32:24 +02:00
Earl Warren
1c3c773dac Merge pull request 'Cumulative English improvements (May 2024)' (#3668) from 0ko/forgejo:i18n-20240508 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3668
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-08 17:04:21 +00:00
Renovate Bot
7105e19468 Update dependency @stylistic/eslint-plugin-js to v1.8.1 2024-05-08 16:03:56 +00:00
Earl Warren
7729cb3ecc Merge pull request 'fix(security): CVE-2024-24788 malformed DNS message' (#3671) from earl-warren/forgejo:wip-go-1.22.3 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3671
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-05-08 14:44:52 +00:00
Earl Warren
f3045f0519
fix(security): CVE-2024-24788 malformed DNS message
Refs: https://pkg.go.dev/vuln/GO-2024-2824
2024-05-08 14:25:08 +02:00
0ko
b11eddfaa8 [I18N] English improvements (May 2024)
- `editor.commit_id_not_matching` was reported by https://codeberg.org/kita. I confirmed the meaning on next.forgejo.org.
- `additional_repo_units_hint` was suggested by https://codeberg.org/leana8959.
2024-05-08 08:58:25 +05:00
Renovate Bot
84224a65ff Update dependency @vue/test-utils to v2.4.6 2024-05-08 02:05:00 +00:00
Earl Warren
a2c8fe0370 Merge pull request '[gitea] week 2024-19 cherry pick (gitea-github/main -> forgejo)' (#3639) from earl-warren/wcp/2024-19 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3639
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
2024-05-07 22:47:53 +00:00
Michael Jerger
778dd81615 unused code of the moment 2024-05-07 18:40:27 +02:00
Michael Jerger
1a76664d56 next step on the way to federation 2024-05-07 17:58:13 +02:00
Earl Warren
99d1ae52fc Merge pull request 'Update module github.com/PuerkitoBio/goquery to v1.9.2' (#3634) from renovate/github.com-puerkitobio-goquery-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3634
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-07 11:28:32 +00:00
Earl Warren
cae4a5456f
chore(dependency): automerge goquery when the CI passes 2024-05-07 11:57:25 +01:00
Earl Warren
3f6e4af5a9 Merge pull request 'UI: Hide hidden email from own profile, again' (#3636) from n0toose/profile/hide-unhidden-hidden-email into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3636
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-05-07 10:39:01 +00:00
Earl Warren
420f017bce Merge pull request 'Update module github.com/cosmtrek/air to v1.52.0' (#3650) from renovate/github.com-cosmtrek-air-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3650
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-07 10:10:41 +00:00
Twenty Panda
44895011dc chore(dependencies): switch to air@v1
there are no tests but since Gitea uses @v1 since last month and Gitea
maintainers rely on make watch, it is safe to assume that upgrading is
not broken. Switching to v1 would require less scrutiny on the
upgrades. Even if there is breakage, it can be fixed with minimal
impact on the developer workflow.
2024-05-07 10:11:21 +01:00
Michael Jerger
2177d38e9c feat(federation): validate like activities (#3494)
First step on the way to #1680

The PR will

* accept like request on the api
* validate activity in a first level

You can find

* architecture at: https://codeberg.org/meissa/forgejo/src/branch/forgejo-federated-star/docs/unsure-where-to-put/federation-architecture.md

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3494
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
2024-05-07 07:59:49 +00:00
0ko
8c3511a8b3 Merge pull request 'Allow org members to navigate between the org and the dashboard' (#3642) from 0ko/forgejo:ui-add-org-dashboard-goto into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3642
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-05-06 03:50:47 +00:00
Renovate Bot
62c3540467 Update module github.com/cosmtrek/air to v1.52.0 2024-05-06 02:05:34 +00:00
0ko
b034ab5a8e [UI] Allow org members to navigate between the org and the dashboard
- add a new button to the org view that is only shown to the org members
- add integration test to verify the expected navigatability
- add a new translation string to that button
- fix display style of "View <orgname>" button on the dashboard
- fix gap size between buttons on the org view by utilizing the common class top-right-buttons
2024-05-05 23:14:57 +05:00
Earl Warren
434ef46088 Merge pull request 'Update module gitea.com/go-chi/binding to v0.0.0-20240430071103-39a851e106ed' (#3597) from renovate/gitea.com-go-chi-binding-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3597
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-05 12:15:39 +00:00
Earl Warren
308304e4a4 Merge pull request 'Improve repo filter names' (#3612) from 0ko/forgejo:i18n-filters into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3612
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-05 12:13:40 +00:00
Kemal Zebari
e388822e9d
Don't only list code-enabled repositories when using repository API (#30817)
We should be listing all repositories by default.

Fixes #28483.

(cherry picked from commit 9f0ef3621a3b63ccbe93f302a446b67dc54ad725)

Conflict:
   -		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeRead {
   +		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.HasAccess() {
   because of https://codeberg.org/forgejo/forgejo/pulls/2001
2024-05-05 12:15:40 +01:00
yp05327
6a4bc0289d
Fix no edit history after editing issue's title and content (#30814)
Fix #30807

reuse functions in services

(cherry picked from commit a50026e2f30897904704895362da0fb12c7e5b26)

Conflicts:
	models/issues/issue_update.go
	routers/api/v1/repo/issue.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
2024-05-05 12:15:40 +01:00
wxiaoguang
d93d62371c
Ignore useless error message "broken pipe" (#30801)
Fix #30792

(cherry picked from commit 53b55223d167c3fc996dd0278a656f421408ace7)
2024-05-05 12:15:40 +01:00
Bo-Yi Wu
b29190c4f0
refactor: merge ListActionTasks func to action.go file (#30811)
Just merge actions.go file to action.go

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
(cherry picked from commit e67fbe4f15cdc544f6bec975de6560556724f098)
2024-05-05 12:15:40 +01:00
Archer
1b088fade6
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
2024-05-05 12:15:40 +01:00
Kemal Zebari
9cd0441cd3
Catch and handle unallowed file type errors in issue attachment API (#30791)
Before, we would just throw 500 if a user passes an attachment that is
not an allowed type. This commit catches this error and throws a 422
instead since this should be considered a validation error.

(cherry picked from commit 872caa17c0a30d95f85ab75c068d606e07bd10b3)

Conflicts:
	tests/integration/api_comment_attachment_test.go
	tests/integration/api_issue_attachment_test.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
2024-05-05 12:15:40 +01:00