Template
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo synced 2024-11-30 22:06:11 +01:00
Commit graph

4094 commits

Author SHA1 Message Date
Lunny Xiao 7aa1e1a54d
Do some missing checks (#28423)
(cherry picked from commit 717d0f5934)

Conflicts:
	routers/api/v1/api.go
	trivial contextual conflict
2023-12-12 22:25:17 +01:00
Loïc Dachary 92450913a8
fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit d97efb777f)
2023-11-26 06:50:26 +01:00
Loïc Dachary 9ea9ba8e7e
fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit a82cb96480)
2023-11-26 06:48:49 +01:00
Lunny Xiao db0d71ec0f
Fix comment permissions (#28213) (#28217)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit dfd511faf3)
2023-11-26 06:35:50 +01:00
Loïc Dachary a7a9876dd4
Revert "enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned"
This reverts commit c70eb32280.
2023-11-26 06:34:40 +01:00
Loïc Dachary 140dbb3918
Revert "enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues"
This reverts commit 6b4cb070cc.
2023-11-26 06:34:40 +01:00
Loïc Dachary d2de912c95
Revert "fix API usage of a PR index in place of issue index and vice versa"
This reverts commit 3ddfca10ac.
2023-11-26 06:34:40 +01:00
Loïc Dachary 4ece6a4b19
Revert "fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit e291ea5e33.
2023-11-26 06:34:39 +01:00
Loïc Dachary ba352ef4b1
Revert "fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 685ebdba63.
2023-11-26 06:34:39 +01:00
Loïc Dachary 3869f80b52
Revert "fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 585f74c2ca.
2023-11-26 06:34:39 +01:00
Loïc Dachary fc3825f6b2
Revert "fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 0b0b506b74.
2023-11-26 06:34:38 +01:00
Loïc Dachary c21cc34116
Revert "fix POST /{owner}/{repo}/comments/{id}/delete"
This reverts commit 44f2592028.
2023-11-26 06:34:38 +01:00
Loïc Dachary db1bd78d71
Revert "fix POST /{owner}/{repo}/comments/{id}"
This reverts commit 5cc6361e31.
2023-11-26 06:34:38 +01:00
Loïc Dachary 5fc5d186e0
Revert "fix POST /{owner}/{repo}/comments/{id}/reactions/{action}"
This reverts commit 6f87e71f0c.
2023-11-26 06:34:38 +01:00
Loïc Dachary 710eee48a1
Revert "fix GET /{owner}/{repo}/comments/{id}/attachments"
This reverts commit 48bcb1937e.
2023-11-26 06:34:38 +01:00
Loïc Dachary e587faae57
Revert "fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete"
This reverts commit 75730a6ded.
2023-11-26 06:34:37 +01:00
Loïc Dachary d7f5ff0782
Revert "fix GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail"
This reverts commit 5ef4992fd7.
2023-11-26 06:34:37 +01:00
Loïc Dachary 53115c7c17
Revert "fix POST /{username}/{reponame}/{tags,release}/delete"
This reverts commit a2b1082dda.
2023-11-26 06:34:37 +01:00
Loïc Dachary 8a9676f881
Revert "fix GET /api/v1/repos/{owner}/{repo}/keys/{id}"
This reverts commit 5322136af8.
2023-11-26 06:34:37 +01:00
Loïc Dachary 4927e73551
Revert "fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin"
This reverts commit e9aa373db5.
2023-11-26 06:34:37 +01:00
Loïc Dachary e9aa373db5
fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7)
2023-11-25 08:08:37 +01:00
Loïc Dachary 5322136af8
fix GET /api/v1/repos/{owner}/{repo}/keys/{id}
(cherry picked from commit 768238d9f9982e99ad4cbf3942d2d2db5126a150)

Conflicts:
	routers/api/v1/repo/key.go
	trivial context conflict
2023-11-25 08:08:37 +01:00
Loïc Dachary a2b1082dda
fix POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit a6d2ad6310f754952998fd73118da9f91c563145)
2023-11-25 08:08:37 +01:00
Loïc Dachary 5ef4992fd7
fix GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail
(cherry picked from commit 0853dec293dd632a03948f66af69e75dd582a92d)
2023-11-25 08:08:36 +01:00
Loïc Dachary 75730a6ded
fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead)
2023-11-25 08:08:36 +01:00
Loïc Dachary 48bcb1937e
fix GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit aed193ef9f5d59aed12cfd7518765d5598c7999f)
2023-11-25 07:23:34 +01:00
Loïc Dachary 6f87e71f0c
fix POST /{owner}/{repo}/comments/{id}/reactions/{action}
(cherry picked from commit 21d4556cbeb9d0f825398114ba3a4816f331315b)
2023-11-25 07:23:34 +01:00
Loïc Dachary 5cc6361e31
fix POST /{owner}/{repo}/comments/{id}
(cherry picked from commit 385a1f337462bec34ccc389d4efe21e3b2be8465)
2023-11-25 07:23:34 +01:00
Loïc Dachary 44f2592028
fix POST /{owner}/{repo}/comments/{id}/delete
(cherry picked from commit 1b57d8493882d9d659164acd3b4a5a99c769d8ed)
2023-11-25 07:23:34 +01:00
Loïc Dachary 0b0b506b74
fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 521eed2312f45bef7de28c9c03c04257862a453c)
2023-11-25 07:23:34 +01:00
Loïc Dachary 585f74c2ca
fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit a146e3d0f9ff8ac1aee4be8a3632c76b35fc3482)
2023-11-25 07:23:33 +01:00
Loïc Dachary 685ebdba63
fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit f499075c53752f983c6e4f8af17c449926ba94d9)
2023-11-25 07:23:33 +01:00
Loïc Dachary e291ea5e33
fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 51c280e877765efe721e607aa95bcbb5aef364e0)
2023-11-25 07:23:33 +01:00
Loïc Dachary 3ddfca10ac
fix API usage of a PR index in place of issue index and vice versa
(cherry picked from commit 7b95266de083c8de0ff224530a9b69e82c52c344)
2023-11-25 07:23:32 +01:00
Loïc Dachary 6b4cb070cc
enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues
(cherry picked from commit d3db2fa8bc85e9d67f30854bba0a4c1e8b57b015)
2023-11-25 07:23:32 +01:00
Loïc Dachary c70eb32280
enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned
(cherry picked from commit 00fad97fc1b27db40a002c9ab3f709d04dc2cdd1)
2023-11-25 07:23:32 +01:00
Loïc Dachary 5d18f4b19f
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
(cherry picked from commit 7b0549cd70)
(cherry picked from commit 13e10a65d9)
(cherry picked from commit 65bdd73cf2)
(cherry picked from commit 64eba8bb92)
(cherry picked from commit 4c49b1a759)
(cherry picked from commit 93b4d06406)
(cherry picked from commit e2bc5f36d9)
(cherry picked from commit 2bee76f9df)
(cherry picked from commit 3d8a1b4a9f)
(cherry picked from commit 99dd092cd0)
(cherry picked from commit 0fdbd02204)
(cherry picked from commit 70b277a183)
(cherry picked from commit 3eece7fbb4)
(cherry picked from commit 4838fc9e11)
(cherry picked from commit b76ed541cf)
(cherry picked from commit dcdfb5b65c)
(cherry picked from commit 377dc48cdc)
(cherry picked from commit acc862f411)
(cherry picked from commit ac75ef101f)
(cherry picked from commit 08f2d9f7c5)
(cherry picked from commit e4096f0b64)
(cherry picked from commit bf5876f062)
(cherry picked from commit 7dc60637e5)
(cherry picked from commit ef3101774b)
(cherry picked from commit ecb9e8867c)
(cherry picked from commit 64f0ae72fe)
(cherry picked from commit 8dd6ec7862)
(cherry picked from commit b36723e52b)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb8)
(cherry picked from commit 1d87602819)
(cherry picked from commit 0f72002d66)
(cherry picked from commit da2556eb13)
(cherry picked from commit c01688cd90)
(cherry picked from commit af4bba8329)
(cherry picked from commit 33ca322c2e)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d44)
(cherry picked from commit 27c4797c9f)
2023-11-14 13:17:12 +01:00
Giteabot d7408d8b0b
Dont leak private users via extensions (#28023) (#28028)
Backport #28023 by @6543

there was no check in place if a user could see a other user, if you
append e.g. `.rss`

(cherry picked from commit 69ea554e23)
2023-11-14 13:17:12 +01:00
KN4CK3R 44df78edd4
Unify two factor check (#27915) (#27939)
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

(cherry picked from commit 00705da102)
2023-11-14 13:17:12 +01:00
Lunny Xiao f2c3491b61
Fix http protocol auth (#27875) (#27878)
backport #27875

(cherry picked from commit 1dedf9bba0)
2023-11-14 13:17:12 +01:00
Giteabot 64373004b5
Fix org team endpoint (#27721) (#27729)
Backport #27721 by @lng2020

Fix #27711

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 71803d33e3)
2023-11-14 13:17:11 +01:00
Giteabot 62c33f92a9
Fix 404 when deleting Docker package with an internal version (#27615) (#27629)
Backport #27615 by @lng2020

close #27601
The Docker registry has an internal version, which leads to 404

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
(cherry picked from commit 171950a0d4)
2023-11-14 13:17:11 +01:00
Giteabot e0fe8a8ab4
Fix panic in storageHandler (#27446) (#27478)
Backport #27446 by @sryze

storageHandler() is written as a middleware but is used as an endpoint
handler, and thus `next` is actually `nil`, which causes a null pointer
dereference when a request URL does not match the pattern (where it
calls `next.ServerHTTP()`).

Example CURL command to trigger the panic:

```
curl -I "http://yourhost/gitea//avatars/a"
```

Fixes #27409

---

Note: the diff looks big but it's actually a small change - all I did
was to remove the outer closure (and one level of indentation) ~and
removed the HTTP method and pattern checks as they seem redundant
because go-chi already does those checks~. You might want to check "Hide
whitespace" when reviewing it.

Alternative solution (a bit simpler): append `, misc.DummyOK` to the
route declarations that utilize `storageHandler()` - this makes it
return an empty response when the URL is invalid. I've tested this one
and it works too. Or maybe it would be better to return a 400 error in
that case (?)

Co-authored-by: Sergey Zolotarev <sryze@outlook.com>
(cherry picked from commit 4ffa683820)
2023-11-14 13:17:11 +01:00
Giteabot c50af699ea
When comparing with an non-exist repository, return 404 but 500 (#27437) (#27441)
Backport #27437 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 973b7f6298)
2023-11-14 13:17:11 +01:00
Earl Warren a1e6944bd7
Revert "[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP"
This reverts commit 9413fd0274.
2023-11-14 13:17:11 +01:00
Gusted 51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Giteabot 3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Giteabot f8bf284794
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27162)
Backport #27150 by @memphis88

Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.

This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).

Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
(cherry picked from commit fbe1f35112)
2023-10-03 14:48:08 +02:00
Giteabot c041114a20
fix pagination for followers and following (#27127) (#27138)
Backport #27127 by @earl-warren

- Use the correct total amount for pagination. Thereby correctly show
the pagination bare when there's more than one page of
followers/followings.

Refs: https://codeberg.org/forgejo/forgejo/pulls/1477

(cherry picked from commit c1a136318b)

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 1d6e5c8e58)
2023-09-20 12:50:46 +02:00
Giteabot 64a418dfc7
Fix issue templates when blank isses are disabled (#27061) (#27082)
Backport #27061 by @JakobDev

Fixes #27060

Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit b139234fa8)
2023-09-20 12:50:46 +02:00