Commit graph

11923 commits

Author SHA1 Message Date
zeripath
ef12b8de80
Ensure that restricted users can access repos for which they are members (#17460) (#17464)
Backport #17460

There is a small bug in the way that repo access is checked in
repoAssignment: Accessibility is checked by checking if the user has a
marked access to the repository instead of checking if the user has any
team granted access.

This PR changes this permissions check to use HasAccess() which does the
correct test. There is also a fix in the release api ListReleases where
it should return draft releases if the user is a member of a team with
write access to the releases.

The PR also adds a testcase.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-28 11:33:18 +08:00
zeripath
dd1ba34ee5
Prevent panic in serv.go with Deploy Keys (#17434) (#17435)
Backport #17434

Unfortunately there was a regression in #17373 which missed that the user is not
for deploy keys. This leads to a panic when pushing with deploy keys.

Fix #17412

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-26 01:24:29 +02:00
KN4CK3R
1fbdf96c34
Fix CSV render error (#17406) (#17431)
Backport #17406.

Closes #17378 

Both errors from #17378 were caused by  #15175.

Problem 1 (error with added file):
`ToUTF8WithFallbackReader` creates a `MultiReader` from a `byte[2048]` and the remaining reader. `CreateReaderAndGuessDelimiter` tries to read 10000 bytes from this reader but only gets 2048 because that's the first reader in the `MultiReader`. Then the `if size < 1e4` thinks the input is at EOF and just returns that.

Problem 2 (error with changed file):
The blob reader gets defer closed. That was fine because the old version reads the whole file into memory. Now with the streaming version the close needs to defer after the method.

Co-authored-by: zeripath <art27@cantab.net>
2021-10-25 18:31:15 +01:00
KN4CK3R
5159055278
Read expected buffer size (#17409) (#17430)
Backport of #17409

* Read expected buffer size.

* Changed name.
2021-10-25 17:46:56 +01:00
wxiaoguang
06da10b9a1
Fix markdown checkbox rendering (#17427)
We allow to render empty check list item - [ ], while GitHub doesn't allow.

To make the rendering correct, we need tune the UI (the last PR #17413 uses absolute layout, which makes the empty checkbox item can not be displayed correctly)
2021-10-25 17:02:39 +08:00
wxiaoguang
175ebc6f88
Fix issue markdown bugs (#17413)
* Bug fix: render Markdown `http://AppURL/org/repo/issues/4?a=1&b=2#comment-123 test` to HTML correctly, close #17394
* Bug fix: fix the positions of checkboxes in rendered HTML, close #17395

# Conflicts:
#	modules/markup/html.go
2021-10-23 23:30:46 +08:00
zeripath
3aecea2e6e
Changelog 1.15.5 (#17392)
* SECURITY
  * Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  * Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
* BUGFIXES
  * Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
  * Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
  * Ensure popup text is aligned left (backport for 1.15) (#17343)
  * Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
  * Disable core.protectNTFS (#17300) (#17302)
  * Use pointer for wrappedConn methods (#17295) (#17296)
  * AutoRegistration is supposed to be working with disabled registration (backport) (#17292)
  * Handle duplicate keys on GPG key ring (#17242) (#17284)
  * Fix SVG side by side comparison link (#17375) (#17391)

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-21 23:50:22 +02:00
zeripath
cae8c63517
Fix SVG side by side comparison link (#17375) (#17391)
Backport #17375

Define unique names for image tabs in pull requests, in order to toggle tabs correctly when multiple are displayed on one page.

Fixes position of swipe-bar so it does not overlay other UI components when scrolling.

Signed-off-by: Mario Lubenka <mario.lubenka@googlemail.com>

Co-authored-by: Mario Lubenka <mario.lubenka@googlemail.com>
2021-10-21 20:38:29 +01:00
zeripath
8ace5c1161
Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
Backport #17281

There is a subtle bug in the SSH library x/crypto/ssh which makes the incorrect
assumption that the public key type is the same as the signature algorithm type.

This means that only ssh-rsa signatures are offered by default.

This PR adds a workaround around this problem.

Fix #17175

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-10-21 16:37:49 +08:00
Lunny Xiao
a87b813955
Fix heatmap test (#17381) (#17383)
Backport #17381
2021-10-21 09:00:41 +01:00
6543
3baeec745c
Upgrade Bluemonday to v1.0.16 (#17372) (#17374) 2021-10-20 16:57:19 -04:00
Richard Mahn
befb6bea22
Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
Backport of #17018

Fixes #16837 if a column is deleted.
2021-10-20 22:55:34 +02:00
6543
79f0b1a50b
Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assumed that if the
user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
2021-10-20 22:26:48 +02:00
zeripath
79a3d277e5
Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
Backport #17304

Downgrade logging statement from Fatal to Error so that errors parsing
U2FRegistration data does not panic; instead, the invalid key will be
skipped and we will attempt to parse the next one, if available.

Signed-off-by: David Jimenez <dvejmz@sgfault.com>

Co-authored-by: David Jimenez <dvejmz@users.noreply.github.com>
2021-10-20 21:45:17 +02:00
John Olheiser
eb748ff79e
Allow mocking timeutil (#17354) (#17356)
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2021-10-18 16:48:23 -05:00
Mario Lubenka
c5770195d9
Ensure popup text is aligned left (#17343)
Signed-off-by: Mario Lubenka <mario.lubenka@googlemail.com>
2021-10-17 18:57:28 -04:00
zeripath
a20ccec369
Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
Backport #17243

There is an issue with #16508 where it appears that create repo requires that the
repo does not exist. This causes #17241 where an error is reported because of this.

This PR fixes this and also runs update-server-info for mirrors and generated repos.

Fix #17241

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-14 18:07:53 +02:00
zeripath
9c2b7a196e
Disable core.protectNTFS (#17300) (#17302)
Backport #17300

core.protectNTFS protects NTFS from files which may be difficult to remove or interact
with using the win32 api, however, it also appears to prevent such files from
being entered into the git indexes - fundamentally causing breakages with PRs that
affect these files. However, deliberately setting this to false may cause security
issues due to the remain sparse checkout of files in the merge pipeline.

The only sensible option therefore is to provide an optional setting which admins
could set which would forcibly switch this off if they are affected by this issue.

Fix #17092

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-13 23:02:45 +03:00
zeripath
1e278b15c2
Use pointer for wrappedConn methods (#17295) (#17296)
Backport #17295

Fix #17294

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-10-12 23:45:30 +01:00
Viktor Kuzmin
fde6ff6a75
Backport of fix for auto registration - PR #17219 (#17292) 2021-10-12 00:02:47 -04:00
zeripath
51f4f8c393
Handle duplicate keys on GPG key ring (#17242) (#17284)
Backport #17242

It is possible that a keyring can contain duplicate keys on a keyring due to jpegs or
other layers. This currently leads to a confusing error for the user - where we report
a duplicate key insertion.

This PR simply coalesces keys into one key if there are duplicates.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: 6543 <6543@obermui.de>
2021-10-11 05:13:10 +03:00
Matti R
f5845e6497
Changelog for 1.15.4 2021-10-08 14:01:42 -04:00
Norwin
c927ebd119
API: don't allow merged PRs to be reopened (#17271) 2021-10-08 13:54:26 -04:00
Norwin
245596e130
don't try to interpret treepath as hash (#17272)
...when path contains no hash-path-separator ('/')

This is a workaround to #17179.

Entering this case when `path` does not contain a '/' does not really
make sense, as that means the tree path is empty, but this case is only
entered for routes that expect a non-empty tree path.

Treepaths like <40-char-dirname>/<filename> will still fail,
but hopefully don't occur that often. A more complete fix that avoids
this case too is outlined in #17185, but too big of a change to backport
2021-10-08 13:53:54 -04:00
Jimmy Praet
1c3ae6d05e
Fix incorrect repository count on organization tab of dashboard (#17266)
Fixes #17249
2021-10-08 17:33:16 +08:00
Jimmy Praet
a1e57ebe6b
Fix unwanted team review request deletion (#17257) (#17264)
Add missing issue_id = ? to where clause
Fixes #17251
2021-10-07 23:58:13 +02:00
6543
73ae93b007
CI: migrate from 'plugins/s3:1' to 'woodpeckerci/plugin-s3:latest' (#17234) (#17260)
- this fixes the CI release upload issues, as the docker image for this is freshly built (unlike the mostly unmaintained "official" drone plugins), thus containing current CA certs needed for letsencrypt since 2021-09-31.
- woodpecker is a drone-ci fork maintained partially by @6543. it's API compatible with current drone plugins afaik
2021-10-07 22:02:07 +02:00
6543
dc030f64a7
Remove dead badge on README.md (#17261) 2021-10-07 15:40:11 -04:00
Jimmy Praet
6e0a08d753
Fix broken Activities link in team dashboard (#17255) (#17258)
Remove '/' suffix from organization dashboard link

Fixes #17250
2021-10-07 20:58:59 +02:00
pricly-yellow
7b1153e943
API pull's head/base have correct permission(#17214) (#17245)
* for all pull requests API return permissions of caller
* for all webhook return empty permissions

Signed-off-by: Danila Kryukov <pricly_yellow@dismail.de>

* Fix incorrect error handler

Co-authored-by: delvh <dev.lh@web.de>

* Fix wrong assumption in tests

* Change paramenter name to doer to indicate source

Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: 6543 <6543@obermui.de>
2021-10-07 12:39:23 +03:00
pricly-yellow
6995be66e7
Fix stange behavior of DownloadPullDiffOrPatch in incorect index (#17223) (#17227)
Fix GetPullRequestByIndex by validate index > 1

Signed-off-by: Danila Kryukov <pricly_yellow@dismail.de>
Co-authored-by: a1012112796 <1012112796@qq.com>
2021-10-05 20:16:22 +02:00
6543
28971c7c15
Check user instead of organization when creating a repo from a template via API (#16346) (#17195)
* Check user instead of organization

* Enforce that only admins can copy a repo to another user

Co-authored-by: Ion Jaureguialzo Sarasola <ion@jaureguialzo.com>
2021-10-01 10:16:28 +02:00
Lunny Xiao
eb5e6f09eb
upgrade xorm to v1.2.5 (#17177) (#17188) 2021-09-30 07:03:42 +01:00
Alexey 〒erentyev
bf6264c1db
fix sprintf verbs in locales (#17187)
Signed-off-by: Alexey Terentyev <axifnx@gmail.com>

Co-authored-by: 6543 <6543@obermui.de>
2021-09-30 12:03:21 +08:00
zeripath
5b6b7e79cf
Fix missing repo link in issue/pull assigned emails (#17183) (#17184)
Backport #17183

There was a mistake in the template file: `templates/mail/issue/assigned.tmpl`
where the repourl was generated from a non-existent release instead of the issue.

This PR changes this to use the issue but also ensure that the issue repo is loaded.

It also slightly improves the English and the Russian locale string.

Fix #17160

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
2021-09-30 01:21:12 +02:00
Lunny Xiao
766272b154
Fix bug of get context user (#17169) (#17172)
Co-authored-by: 6543 <6543@obermui.de>
2021-09-28 15:42:43 +02:00
zeripath
4707d4b8a9
Nicely handle missing user in collaborations (#17049) (#17166)
Backport #17049

It is possible to have a collaboration in a repository which refers to a no-longer
existing user. This causes the repository transfer to fail with an unusual error.

This PR makes `repo.getCollaborators()` nicely handle the missing user by ghosting
the collaboration but also adds consistency check. It also adds an
Access consistency check.

Fix #17044

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2021-09-28 07:41:12 +01:00
zeripath
4b8b214108
Create doctor command to fix repo_units broken by dumps from 1.14.3-1.14.6 (#17136) (#17137)
Backport #17136

There was a serious issue with the `gitea dump` command in 1.14.3-1.14.6 which led to corruption of the `config` field of the `repo_unit` table. 

This PR adds a doctor command to attempt to fix the broken repo_units. Users affected by #16961 should run:

```
gitea doctor --fix --run fix-broken-repo-units
```

Fix #16961

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-27 18:30:11 +01:00
zeripath
ebae7e1512
Add Horizontal scrollbar to inner menu on Chrome (#17086) (#17164) 2021-09-27 12:44:22 -04:00
6543
122917f4d5
Fix wrong i18n keys (#17150) (#17153)
Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-26 08:25:12 +08:00
Alexey 〒erentyev
9cf5739c0f
correct transaction ending (#17151)
Signed-off-by: Alexey Terentyev <axifnx@gmail.com>
2021-09-25 16:45:39 +01:00
zeripath
4b6556565f
Prevent panic in Org mode HighlightCodeBlock (#17140) (#17141)
Backport #17140

When rendering source in org mode there is a mistake in the highlight code that
causes a panic.

This PR fixes this.

Fix #17139

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-24 14:29:47 +01:00
zeripath
7ce938b6c7
Changelog 1.15.3 (#17091)
## [1.15.3](https://github.com/go-gitea/gitea/releases/tag/v1.15.3) - 2021-09-19

* ENHANCEMENTS
  * Add fluid to ui container class to remove margin (#16396) (#16976)
  * Add caller to cat-file batch calls (#17082) (#17089)
* BUGFIXES
  * Render full plain readme. (#17083) (#17090)
  * Upgrade xorm to v1.2.4 (#17059)
  * Fix bug of migrate comments which only fetch one page (#17055) (#17058)
  * Do not show issue context popup on external issues (#17050) (#17054)
  * Decrement Fork Num when converting from Fork (#17035) (#17046)
  * Correctly rollback in ForkRepository (#17034) (#17045)
  * Fix missing close in WalkGitLog (#17008) (#17009)
  * Add prefix to SVG id/class attributes (#16997) (#17000)
  * Fix bug of migrated repository not index (#16991) (#16996)
  * Skip AllowedUserVisibilityModes validation on update user if it is an organisation (#16988) (#16990)
  * Fix storage Iterate bug and Add storage doctor to delete garbage attachments (#16971) (#16977)
  * Fix issue with issue default mail template (#16956) (#16975)
  * Ensure that rebase conflicts are handled in updates (#16952) (#16960)
  * Prevent panic on diff generation (#16950) (#16951)

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-09-20 12:02:52 +08:00
zeripath
6139834e76
Add caller to cat-file batch calls (#17082) (#17089)
Some people still appear to report unclosed cat-files. This PR simply adds the caller
to the process descriptor for the CatFileBatch and CatFileBatchCheck calls.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-20 00:07:35 +08:00
zeripath
b673a24ee6
Render full plain readme. (#17083) (#17090)
Backport #17083

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2021-09-19 22:01:19 +08:00
Lunny Xiao
fd35f56e87
Fix bug of migrate comments which only fetch one page (#17055) (#17058)
* Fix bug of migrate comments which only fetch one page

* add next page to trace

Co-authored-by: zeripath <art27@cantab.net>

Co-authored-by: zeripath <art27@cantab.net>
2021-09-15 14:01:54 -04:00
Lunny Xiao
1f8df5dd89
Upgrade xorm to v1.2.4 (#17059) 2021-09-15 23:27:46 +08:00
zeripath
6a025d8b4a
Do not show issue context popup on external issues (#17050) (#17054)
Backport #17050

The issues pop-up context cannot work for external issues - therefore do not show
these.

Fix #17047

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-15 17:38:20 +08:00
zeripath
270c7f36db
Correctly rollback in ForkRepository (#17034) (#17045)
Backport #17034

The rollback functionality in
services/repository/repository.go:ForkRepository is incorrect and could
lead to a deadlock as it uses DeleteRepository to delete the rolled-back
repository - a function which creates its own transaction.

This PR adjusts the rollback function to only use RemoveAll as any
database changes will be automatically rolled-back. It also handles
panics and adjusts the Close within WithTx to ensure that if there is a
panic the session will always be closed.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-09-15 08:42:09 +03:00
zeripath
0e448fb96d
Decrement Fork Num when converting from Fork (#17035) (#17046)
Backport #17035

When converting repositories from forks to normal the root NumFork needs to be
decremented too.

Fix #17026

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-15 10:05:47 +08:00