mirror of https://codeberg.org/forgejo/forgejo synced 2024-12-05 02:54:46 +01:00
Commit graph

19071 commits

Author SHA1 Message Date
oliverpool
6cef23db1d [BUG] admin oauth2 source required check (#4194)
#4059 was unfortunately incomplete: some custom_url fields are currently shown, even if they are not used by the provider. Moreover the `Use Custom URLs Instead of Default URLs` is always checked by default.

Manual testing:
- go to http://localhost:3000/admin/auths
- click on `Add authentication source`
- Choose `Authentication type`: `OAuth2`
- Choose `OAuth2 provider`: `GitLab`
- verify that the `Use Custom URLs Instead of Default URLs` option is **initially unchecked**
- enable the `Use Custom URLs Instead of Default URLs` checkbox
- verify that only the fields "Authorize", "Token" and "Profile" URLs are shown (no "Email URL", nor "Tenant").
- Switch the `OAuth2 provider` to `Azure AD v2`
- verify that the `Use Custom URLs Instead of Default URLs` option is **initially checked**
- verify that only the field "Tenant" is shown (with the default "organizations").

![image](/attachments/0e2b1508-861c-4b0e-ae6a-6eb24ce94911)

Note: this is loosely based on the upstream fix https://github.com/go-gitea/gitea/pull/31246 which I initially overlooked.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4194
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
(cherry picked from commit 65f8c22cc7)
2024-06-21 06:22:03 +00:00
Earl Warren
664c8a99cb Merge pull request '[v7.0/forgejo] [SWAGGER] Make UserSettings definition a non-array' (#4184) from bp-v7.0/forgejo-5926ed1 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4184
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-19 09:55:17 +00:00
Earl Warren
cd7a0afc36 Merge pull request '[v7.0/backport] Update module github.com/gorilla/feeds to v1.2.0' (#4183) from earl-warren/forgejo:wip-v7.0-feed into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4183
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-06-19 06:45:24 +00:00
Gusted
dc228b4734 [SWAGGER] Make it consistent with reality
- Make the `UserSettings` definition a non-array; this is consistent
with the existing endpoints that use this definition.
- Resolves #4179

(cherry picked from commit 5926ed1f73)
2024-06-19 06:40:17 +00:00
Earl Warren
74466215e4 [v7.0/backport] Update module github.com/gorilla/feeds to v1.2.0
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/4166

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/gorilla/feeds](https://github.com/gorilla/feeds) | require | minor | `v1.1.2` -> `v1.2.0` |

---

<details>
<summary>gorilla/feeds (github.com/gorilla/feeds)</summary>

[Compare Source](https://github.com/gorilla/feeds/compare/v1.1.2...v1.2.0)

-   Add the `isPermaLink` attribute to `guid` in RSS by [@&#8203;yardenshoham](https://github.com/yardenshoham) in https://github.com/gorilla/feeds/pull/107

-   [@&#8203;yardenshoham](https://github.com/yardenshoham) made their first contribution in https://github.com/gorilla/feeds/pull/107

**Full Changelog**: https://github.com/gorilla/feeds/compare/v1.1.2...v1.2.0

</details>

---

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - "before 4am" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
2024-06-19 08:11:44 +02:00
Earl Warren
6cb63e03e1 Merge pull request '[v7.0/forgejo] Port: Fix Activity Page Contributors dropdown (gitea#31264)' (#4177) from bp-v7.0/forgejo-3544746 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4177
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-18 20:31:41 +00:00
wxiaoguang
7b443b6b54 Fix Activity Page Contributors dropdown (#31264)
Fix #31261

(cherry picked from commit e728fd741be7848d476663eec1c9caaf34b46e61)
(cherry picked from commit 35447463ba)
2024-06-18 19:42:31 +00:00
Earl Warren
34c970d4e5 Merge pull request '[gitea] week 2024-25-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#4146) from earl-warren/wcp/2024-25-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4146
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-06-18 07:55:54 +00:00
Earl Warren
fa54833436 Merge pull request '[v7.0/forgejo] test(dump): don't depend on directory listing order' (#4162) from bp-v7.0/forgejo-230a677 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4162
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-17 19:29:24 +00:00
emilylange
f01dc4b271 test(dump): don't depend on directory listing order
cmd/dump.go uses os.Readdir to list the directory.

This is fine on its own, but TestAddRecursiveExclude in cmd/dump_test.go
depends on the order of the directory listing, which is where the issue
lies.

Directory listings using os.Readdir (lstat) don't actually guarantee an
order. They can differ due to a number of factors, most notably the OS,
file system and settings.

As such, the test should not check the /order of the files/ added to the
archive, but instead simply check whether the archive /contains/ them.

So this is precisely what this commit does.

Note that only TestAddRecursiveExclude/File_inside_directory/No_exclude
has been observed to fail due to this, but all TestAddRecursiveExclude
subtests have been updated for consistency.

(cherry picked from commit 230a677c74)
2024-06-17 18:53:34 +00:00
Earl Warren
2d42dbc495 Merge pull request '[v7.0/forgejo] [BUG] admin authentication source JS errors' (#4159) from bp-v7.0/forgejo-82ae746 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4159
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-17 10:39:29 +00:00
oliverpool
715bedbde7 [BUG] admin authentication source JS errors (#4059)
While trying to understand #1236, I was quite confused not to see the `Use Custom URLs` checkbox.

This checkbox disappeared in b95a893b22 (because `getElementById` does not expect a `#` as first char), fixed in 4e816e1326.

After solving this, switching from `Nextcloud` to `OpenID Connect` triggered a JS error, which is addressed in 3efa4d836a.

Manual testing:
- go to http://localhost:3000/admin/auths
- click on `Add authentication source`
- Choose `Authentication type`: `OAuth2`
- Choose `OAuth2 provider`: `Nextcloud`
- check that the `Use Custom URLs Instead of Default URLs` checkbox toggles the fields below
- let the checkbox be checked
- Switch the `OAuth2 provider` to `OpenID Connect`
- ensure that no JS error is shown
- Switch the `OAuth2 provider` to `Mastodon`
- check that the fields below `Use Custom URLs Instead of Default URLs` have the right defaults (mastodon.social)

![2024-06-07-101638.png](/attachments/5bd6692e-3457-4dd8-b1c1-50e9a95a3100)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4059
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
(cherry picked from commit 82ae7460bf)
2024-06-17 10:06:34 +00:00
forgejo-backport-action
4549d9b920 [v7.0/forgejo] Fix bug in GetIssueStats (#4152)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/4124

Co-authored-by: JakobDev <jakobdev@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4152
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2024-06-16 19:06:43 +00:00
Earl Warren
1f4c5cd1cb Merge pull request '[v7.0/forgejo] fix(repository): git push to an adopted repository fails' (#4151) from bp-v7.0/forgejo-8efef06 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4151
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-16 18:51:43 +00:00
Lunny Xiao
e953bce5d7 fix(repository): git push to an adopted repository fails
Fix adopt repository has empty object name in database (#31333)

Fix #31330
Fix #31311

A workaround to fix the old database is to update object_format_name to
`sha1` if it's empty or null.

(cherry picked from commit 1968c2222dcf47ebd1697afb4e79a81e74702d31)

With tests services/repository/adopt_test.go

(cherry picked from commit 8efef06fb1)
2024-06-16 18:15:02 +00:00
Giteabot
5233f5f3e5 Fix hash render end with colon (#31319) (#31346)
Backport #31319 by @lunny

Fix a hash render problem like `<hash>: xxxxx` which is usually used in
release notes.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 6ca70c5bf20fc6b3a7d98d784f48b5a503962339)
2024-06-16 11:29:57 +02:00
Giteabot
3b4405aece Delete legacy cookie before setting new cookie (#31306) (#31317)
Backport #31306 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 3fcf865a4bef6f73149984090304f3d64af2a0e1)
2024-06-16 11:23:02 +02:00
6543
2d43c94898 Add nix flake for dev shell (#30967) (#31310)
Backport #30967

(cherry picked from commit abc92df701bbae8b5d1d98ba91b609d03ce4d7b5)
2024-06-16 11:13:47 +02:00
0ko
e997cbc8d5 Rename repo_updated to repo_updated_v7 to prevent regressions (#4117)
Currently this string has a different number of placeholders in v8 and v7 because https://codeberg.org/forgejo/forgejo/pulls/3837 was not backported to v7.

### The problem

This string is currently [not translated](https://translate.codeberg.org/translate/forgejo/forgejo/en/?checksum=405b09ee2c2371d4) in every language. For example, when UI is in Slovenian, it would be in English.
But if someone translates it into Slovenian, it will be something like `Posodobljen %s`. Then we merge the Weblate PR, @forgejo-backport-action creates a backport and we forget to check this backport for presence of `repo_updated`. We ship this as a point release of our LTS v7, and then Slovenian users will literally see `Posodobljen %s` in the UI instead of `Posodobljen včeraj`.

By renaming this key in v7 we protect it from these kinds of regressions.

### Test

Go to Explore, look at repo entries, they should contain relative time.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4117
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-06-14 13:26:46 +00:00
Earl Warren
5c59a1347a Merge pull request '[v7.0/forgejo] Minor improvements to English locale' (#4114) from 0ko/forgejo:i18n-backport-20240612 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4114
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-12 07:11:49 +00:00
0ko
4c5d0495a1 [I18N] Minor improvements to English locale
2024-06-12 09:47:23 +05:00
Earl Warren
d497551151 Merge pull request '[v7.0/forgejo] Fix margin above headline in rendered org-mode' (#4107) from bp-v7.0/forgejo-187860b into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4107
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-06-11 19:22:11 +00:00
Beowulf
bfa98d56fa Fix margin above headline in rendered org-mode (#4076)
This fixes #3962 by adding `!important` to the margin of the heading in the rendered markdown.

In the current behaviour, the margin-top was always overridden by a global css-rule. This is prevented by this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4076
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
(cherry picked from commit 187860bded)
2024-06-11 16:34:03 +00:00
Earl Warren
f132e98d12 Merge pull request '[gitea] week 2024-24-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#4084) from earl-warren/wcp/2024-24-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4084
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-06-11 10:37:57 +00:00
forgejo-backport-action
6c570bc3bd [v7.0/forgejo] Org buttons add missing vertical padding (#4088)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/3964

This adds the missing vertical padding between the new repository and new migration button.

| Before | After (btns horizontal) | After (btns vertical) |
| -- | -- | -- |
| ![](/attachments/4f74c5c5-ccc7-4b57-936b-09e3a226c170) | <img width="293" alt="grafik" src="/attachments/560a0e85-3453-4357-bca0-75b1cbdfe658">  | <img width="284" alt="grafik" src="/attachments/2be0383b-2d44-48ef-8a35-1bd143ef044c"> |

## Manual test steps:

- Open org page
- Resize window
- Check padding

Co-authored-by: Beowulf <beowulf@beocode.eu>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4088
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2024-06-11 06:26:07 +00:00
Earl Warren
4574f776c6 Merge pull request '[I18N] Translations update from Weblate' (#4099) from 0ko/forgejo:i18n-backport-20240610 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4099
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-10 19:47:36 +00:00
Codeberg Translate
9e3c465b77 [I18N] Translations update from Weblate
Translations update from [Weblate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: Dirk <Dirk@users.noreply.translate.codeberg.org>
Co-authored-by: yeziruo <yeziruo@users.noreply.translate.codeberg.org>
Co-authored-by: Xinayder <Xinayder@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: qwerty287 <qwerty287@users.noreply.translate.codeberg.org>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Co-authored-by: Kaede Fujisaki <ledyba@users.noreply.translate.codeberg.org>
Co-authored-by: SDKAAA <SDKAAA@users.noreply.translate.codeberg.org>
Co-authored-by: leana8959 <leana8959@users.noreply.translate.codeberg.org>
Co-authored-by: mondstern <mondstern@users.noreply.translate.codeberg.org>
Co-authored-by: Application-Maker <Application-Maker@users.noreply.translate.codeberg.org>
Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3992
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>

(cherry-picked from ea5f7f0848)

Fixed key change conflicts in: cz de ru sl.
2024-06-10 23:53:19 +05:00
Earl Warren
080da5bca9 Merge pull request '[v7.0/forgejo] fix(cmd): actions artifacts cannot be migrated' (#4086) from bp-v7.0/forgejo-e759794-4afbfd3 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4086
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-09 15:36:38 +00:00
Earl Warren
43cd6e34e0 tests(cmd): add coverage for migrateActionsArtifacts
Also convert a comment into a warning in the logs when the deletion of
an artifact cannot find the file in the destination storage.

The case where an error happens while deleting the file is not covered
as it would require mocking the storage.Copy function.

(cherry picked from commit e759794408)
2024-06-09 14:55:01 +00:00
Rowan Bohde
ab66bfff91 fix: allow actions artifacts storage migration to complete successfully (#31251)
Change the copy to use `ActionsArtifact.StoragePath` instead of the
`ArtifactPath`. Skip artifacts that are expired, and don't error if the
file to copy does not exist.

---

When trying to migrate actions artifact storage from local to MinIO, we
encountered errors that prevented the process from completing
successfully:

* The migration tries to copy the files using the per-run
`ArtifactPath`, instead of the unique `StoragePath`.
* Artifacts that have been marked expired and had their files deleted
would throw an error
* Artifacts that are pending, but don't have a file uploaded yet will
throw an error.

This PR addresses these cases, and allows the process to complete
successfully.

(cherry picked from commit 8de8972baf5d82ff7b58ed77d78e8e1869e64eb5)
(cherry picked from commit 4afbfd3946)
2024-06-09 14:55:01 +00:00
wxiaoguang
816e77485f Fix some URLs whose sub-path is missing (#31289)
Fix #31285

(cherry picked from commit 0188d82e4908eb173f7203d577f801f3168ffcb8)

Conflicts:
	templates/user/settings/applications.tmpl
(cherry picked from commit 3723d8c32059a571b84dc8636cb3649be6e6f1b3)

Conflicts:
	templates/user/settings/applications.tmpl
	trivial context conflict <i> vs <p>

(cherry picked from commit bbe98a3254e65eb8b9ec8fddf5e0ffe416a96614)
2024-06-09 12:05:43 +02:00
Giteabot
67fd0cea1b Optimize runner-tags layout to enhance visual experience (#31258) (#31263)
Backport #31258 by @kerwin612

![image](https://github.com/go-gitea/gitea/assets/3371163/b8199005-94f2-45be-8ca9-4fa1b3f221b2)

Co-authored-by: Kerwin Bryant <kerwin612@qq.com>
(cherry picked from commit 83cf348e07fa83070d8a50d7d96943de08104fd4)
2024-06-09 11:57:05 +02:00
Thomas Desveaux
f8774e3611 Fix NuGet Package API for $filter with Id equality (#31188) (#31242)
Backport #31188

Fixes issue when running `choco info pkgname` where `pkgname` is also a
substring of another package Id.

Relates to #31168

---

This might fix the issue linked, but I'd like to test it with more choco
commands before closing the issue in case I find other problems if
that's ok.
I'm pretty inexperienced with Go, so feel free to nitpick things.

Not sure I handled
[this](70f87e11b5/routers/api/packages/nuget/nuget.go (L135-L137))
in the best way, so looking for feedback on if I should fix the
underlying issue (`nil` might be a better default for `Value`?).

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit ca414a7ccf5e26272662e360c44ac50221a0f2d4)
2024-06-09 11:49:18 +02:00
Giteabot
9f89724324 Fix overflow on push notification (#31179) (#31238)
Backport #31179 by @silverwind

Fixes: https://github.com/go-gitea/gitea/issues/30063

<img width="1301" alt="Screenshot 2024-05-30 at 14 43 24"
src="https://github.com/go-gitea/gitea/assets/115237/00443af0-088d-49a5-be9e-8c9adcc2c01d">

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 331c32f9b680f0e25efe5d48ec57dfc1db194adf)
2024-06-09 11:48:07 +02:00
Giteabot
568300cf6b Remove .segment from .project-column (#31204) (#31239)
Backport #31204 by @silverwind

Using `.segment` on the project columns is a major abuse of that class,
so remove it and instead set the border-radius directly on it.

Fixes: https://github.com/go-gitea/gitea/issues/31129

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 298d05df3b79634a0364926f34fb02b73d442c31)
2024-06-09 11:47:34 +02:00
Giteabot
5a2904166e Fix overflow on notifications (#31178) (#31237)
Backport #31178 by @silverwind

Fixes https://github.com/go-gitea/gitea/issues/31170.

<img width="1312" alt="image"
src="https://github.com/go-gitea/gitea/assets/115237/627711ed-93ca-4be6-b958-10d673ae9517">

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 85a81767083efd49bf675b3de30de5421ab2ae69)
2024-06-09 11:46:37 +02:00
Earl Warren
874dde0d4c Merge pull request '[v7.0/forgejo] RFC 6749 Section 10.2 conformance' (#4046) from bp-v7.0/forgejo-5924694 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4046
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-06 11:55:55 +00:00
Denys Konovalov
0c770d528f use existing oauth grant for public client (#31015)
Do not try to create a new authorization grant when one exists already,
thus preventing a DB-related authorization issue.

Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 9c8c9ff6d10b35de8d2d7eae0fc2646ad9bbe94a)
(cherry picked from commit 07fe5a8b13)
2024-06-06 12:05:50 +02:00
Archer
a228ab3ab2 Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client or relying on other measures to ensure
> that the repeated request comes from the original client and not an
> impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
(cherry picked from commit 1b088fade6)
2024-06-06 12:05:37 +02:00
Earl Warren
8f88817c00 test(oauth): RFC 6749 Section 10.2 conformance
See:

1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client

(cherry picked from commit 592469464b)
2024-06-06 10:01:56 +00:00
Earl Warren
71c4eee50d Merge pull request '[v7.0/forgejo] chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406' (#4035) from earl-warren/forgejo:wip-v7.0-archiver into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4035
Reviewed-by: proton-ab <proton-ab@noreply.codeberg.org>
2024-06-05 22:17:19 +00:00
Earl Warren
e7977767fa chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: https://github.com/mholt/archiver/issues/404
(cherry picked from commit 3bfec270ac)

Conflicts:
	go.sum
	trivial context conflict
2024-06-05 22:19:30 +02:00
Earl Warren
e17e243624 Merge pull request '[v7.0/forgejo] test(oauth): coverage for the redirection of a denied grant' (#4029) from bp-v7.0/forgejo-32c882a into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4029
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 17:17:29 +00:00
Earl Warren
a930cb847a Merge pull request '[v7.0/forgejo] fix(oauth): HTML snippets in templates can be displayed' (#4031) from bp-v7.0/forgejo-caadd18 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4031
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 16:03:15 +00:00
Earl Warren
32673ad6a6 Merge pull request '[v7.0/forgejo] test(avatar): deleting a user avatar and file is atomic' (#4017) from bp-v7.0/forgejo-c139efb-20148e0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4017
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 15:27:58 +00:00
Zettat123
d841e95191 Return access_denied error when an OAuth2 request is denied (#30974)
According to [RFC
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1),
when the resource owner or authorization server denies a request, an
`access_denied` error should be returned. But currently in this case
Gitea does not return any error.

For example, if the user clicks "Cancel" here, an `access_denied` error
should be returned.

<img width="360px"
src="https://github.com/go-gitea/gitea/assets/15528715/be31c09b-4c0a-4701-b7a4-f54b8fe3a6c5"
/>

(cherry picked from commit f1d9f18d96050d89a4085c961f572f07b1e653d1)
(cherry picked from commit 886a675f62)
2024-06-05 17:19:22 +02:00
Earl Warren
f1301542b8 fix(oauth): HTML snippets in templates can be displayed
These changes were missed when cherry-picking the following

c9d0e63c202827756c637d9ca7bbde685c1984b7 Remove unnecessary "Str2html" modifier from templates (#29319)

Fixes: https://codeberg.org/forgejo/forgejo/issues/3623
(cherry picked from commit caadd1815a)
2024-06-05 15:18:43 +00:00
Earl Warren
40bf161ff0 test(oauth): coverage for the redirection of a denied grant
See 886a675f62 Return `access_denied` error when an OAuth2 request is denied

(cherry picked from commit 32c882af91)
2024-06-05 14:19:38 +00:00
Earl Warren
cf2d8b57ae test(avatar): deleting a user avatar is idempotent
If the avatar file in storage does not exist, it is not an error and
the database can be updated.

See 1be797faba Fix bug on avatar

(cherry picked from commit d2c4d833f4)
2024-06-05 16:02:24 +02:00
Lunny Xiao
32d8ada0e7
Fix bug on avatar (#31008)
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 58a03e9fadb345de5653345c2a68ecfd0750940a)
(cherry picked from commit 1be797faba)
2024-06-05 08:04:10 +02:00