Backport #31204 by @silverwind
Using `.segment` on the project columns is a major abuse of that class,
so remove it and instead set the border-radius directly on it.
Fixes: https://github.com/go-gitea/gitea/issues/31129
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 298d05df3b79634a0364926f34fb02b73d442c31)
Do not try to create a new authorization grant when one exists already,
thus preventing a DB-related authorization issue.
Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 9c8c9ff6d10b35de8d2d7eae0fc2646ad9bbe94a)
(cherry picked from commit 07fe5a8b13)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).
As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),
> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.
With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).
Fixes#25061.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
(cherry picked from commit 1b088fade6)
See:
1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client
(cherry picked from commit 592469464b)
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.
Refs: https://github.com/mholt/archiver/issues/404
(cherry picked from commit 3bfec270ac)
Conflicts:
go.sum
trivial context conflict
These changes were missed when cherry-picking the following
c9d0e63c202827756c637d9ca7bbde685c1984b7 Remove unnecessary "Str2html" modifier from templates (#29319)
Fixes: https://codeberg.org/forgejo/forgejo/issues/3623
(cherry picked from commit caadd1815a)
If the avatar file in storage does not exist, it is not an error and
the database can be updated.
See 1be797faba Fix bug on avatar
(cherry picked from commit d2c4d833f4)
The avatar must not be unset in the database if there is a failure to
remove the avatar file from storage (file or S3). The two operations
are wrapped in a transaction for that purpose and this test verifies
it is effective.
See 1be797faba Fix bug on avatar
(cherry picked from commit c139efb1e9)
Backport #31174 by @lunny
Fix#31172
The original order or the default order should not be ignored even if we
have an is_deleted order.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit c6176ee59f4a25607dcfbc00757121f705101101)
(cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482)
Conflicts:
tests/integration/git_push_test.go
trivial context conflict because of
2ac3dcbd43 test: hook post-receive for sha256 repos
(cherry picked from commit 62448bfb93)
(cherry picked from commit e8c776c79384c1c0a4d707ce5084b27347703848)
The right to force merge is uses the wrong predicate and
applies to instance admins:
ctx.user.IsAdmin
It must apply to repository admins and use the following predicate:
ctx.userPerm.IsAdmin()
This regression is from the ApplyToAdmins implementation in
79b7089360.
Fixes: https://codeberg.org/forgejo/forgejo/issues/3780
(cherry picked from commit 09f3518069)
This exception existed for both instance admins and repo admins
before ApplyToAdmins was introduced in
79b7089360.
It should have been kept for instance admins only because they are not
subject to permission checks.
(cherry picked from commit 05f0007437)
Verify variations of branch protection that are in play when merging a
pull request as:
* instance admin
* repository admin / owner
* user with write permissions on the repository
In all cases the result is expected to be the same when merging
the pull request via:
* API
* web
Although the implementations are different.
(cherry picked from commit 793421bf59)
Conflicts:
tests/integration/pull_merge_test.go
trivial context conflict
* group test cases to clarify their purpose
* remove pull request branch protection tests, they are redundant
with TestPullMergeBranchProtect
(cherry picked from commit 0d8478b82e)
Conflicts:
tests/integration/git_test.go
trivial context conflict
* split into testPullMergeForm which can be called directly if
the caller wants to specify extra parameters.
* testPullMergeForm can expect something different than StatusOK
(cherry picked from commit 20591d966e)
* http.StatusMethodNotAllowed can be expected: only retry if the
error message is "Please try again later"
* split into doAPIMergePullRequestForm which can be called directly if
the caller wants to specify extra parameters.
(cherry picked from commit 49aea9879b)
explicitly specify the parameters instead of providing them as
arguments so the caller has a more fine grain control over them.
(cherry picked from commit 70aa294cc1)
It is fine to use MockVariableValue to change a setting such as:
defer test.MockVariableValue(&setting.Mirror.Enabled, true)()
But when testing for errors and mocking a function, multiple variants
of the functions will be used, not just one. MockProtect a function
will make sure that when the test fails it always restores a sane
version of the function. For instance:
defer test.MockProtect(&mirror_service.AddPushMirrorRemote)()
mirror_service.AddPushMirrorRemote = mockOne
do some tests that may fail
mirror_service.AddPushMirrorRemote = mockTwo
do more tests that may fail
(cherry picked from commit 884b3c0f4b)