forked from gitea/gitea
1
0
Fork 0
Commit Graph

1165 Commits

Author SHA1 Message Date
Lunny Xiao 265f485295
Do some missing checks (#28423) (#28432)
backport #28423
2023-12-12 06:20:18 +00:00
Giteabot f144521aea
Deprecate query string auth tokens (#28390) (#28430)
Backport #28390 by @jackHay22

## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

Co-authored-by: Jack Hay <jack@allspice.io>
Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 13:45:00 +08:00
Lunny Xiao 87db4a47c8
Also sync DB branches on push if necessary (#28361) (#28403)
Fix #28056
Backport #28361 

This PR will check whether the repo has zero branch when pushing a
branch. If that, it means this repository hasn't been synced.

The reason caused that is after user upgrade from v1.20 -> v1.21, he
just push branches without visit the repository user interface. Because
all repositories routers will check whether a branches sync is necessary
but push has not such check.

For every repository, it has two states, synced or not synced. If there
is zero branch for a repository, then it will be assumed as non-sync
state. Otherwise, it's synced state. So if we think it's synced, we just
need to update branch/insert new branch. Otherwise do a full sync. So
that, for every push, there will be almost no extra load added. It's
high performance than yours.

For the implementation, we in fact will try to update the branch first,
if updated success with affect records > 0, then all are done. Because
that means the branch has been in the database. If no record is
affected, that means the branch does not exist in database. So there are
two possibilities. One is this is a new branch, then we just need to
insert the record. Another is the branches haven't been synced, then we
need to sync all the branches into database.
2023-12-11 06:16:56 +00:00
Giteabot 46beb7f33f
enable system users search via the API (#28013) (#28018)
Backport #28013 by @earl-warren

Refs: https://codeberg.org/forgejo/forgejo/issues/1403

(cherry picked from commit dd4d17c159eaf8b642aa9e6105b0532e25972bb7)

---------

Co-authored-by: Earl Warren <109468362+earl-warren@users.noreply.github.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-12-08 21:46:08 +00:00
Lunny Xiao bc3d8bff73
Fix comment permissions (#28213) (#28216)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.
2023-11-25 23:43:23 +00:00
Giteabot 994ba35f11
Fix swagger title (#28164) (#28167)
Backport #28164 by @yp05327


![image](https://github.com/go-gitea/gitea/assets/18380374/380859b2-a643-42fd-b53e-78c93c05c826)
Don't know why there's a `.` behind. 🤔

Co-authored-by: yp05327 <576951401@qq.com>
2023-11-22 09:06:38 +00:00
Giteabot 93ede4bc83
Fix permissions for Token DELETE endpoint to match GET and POST (#27610) (#28099)
Backport #27610 by @evantobin

Fixes #27598

In #27080, the logic for the tokens endpoints were updated to allow
admins to create and view tokens in other accounts. However, the same
functionality was not added to the DELETE endpoint. This PR makes the
DELETE endpoint function the same as the other token endpoints and adds
unit tests

Co-authored-by: Evan Tobin <me@evantob.in>
2023-11-17 12:24:16 +08:00
Giteabot a8e505a44b
Unify two factor check (#27915) (#27929)
Backport #27915 by @KN4CK3R

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-11-06 18:07:22 +00:00
6543 6637bbf510
Delete repos of org when purge delete user (#27273) (#27728)
Fixes https://codeberg.org/forgejo/forgejo/issues/1514

Backports #27273

---------

Co-authored-by: JakobDev <jakobdev@gmx.de>
2023-11-01 10:03:12 +08:00
Giteabot 25bc3d562a
Fix bad method call when deleting user secrets via API (#27829) (#27831)
Backport #27829 by @jbgomond

Fixed a little mistake when you deleting user secrets via the API. Found
it when working on #27725.
It should be backported to 1.21 I think.

Co-authored-by: Jean-Baptiste Gomond <dev@jbgomond.com>
2023-10-29 22:08:01 +08:00
Giteabot 6919a02ab7
Fix org team endpoint (#27721) (#27727)
Backport #27721 by @lng2020

Fix #27711

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
2023-10-22 00:07:28 +00:00
Giteabot 4c9f7d0710
api: GetPullRequestCommits: return file list (#27483) (#27539)
Backport #27483 by @msantos

Fixes https://github.com/go-gitea/gitea/issues/27481

---
Patch tested:

```json
[
  {
    "url": "7664dcb441",
    "sha": "7664dcb44167e0f9efd994e4ca6a9164694adc27",
    "created": "2023-10-06T09:57:08-04:00",
    "html_url": "7664dcb441",
...
    "files": [
      {
        "filename": "README.md",
        "status": "modified"
      }
    ],
    "stats": {
      "total": 2,
      "additions": 2,
      "deletions": 0
    }
  }
]
```

Co-authored-by: Michael Santos <michael.santos@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-10-09 14:21:35 +02:00
Giteabot 44aca6a65a
Don't let API add 2 exclusive labels from same scope (#27433) (#27460)
Backport #27433 by @JakobDev

Fixes #27380

Co-authored-by: JakobDev <jakobdev@gmx.de>
2023-10-06 05:06:31 +08:00
Giteabot f13a294b47
More `db.DefaultContext` refactor (#27265) (#27347)
Backport #27265 by @JakobDev

Part of #27065

This PR touches functions used in templates. As templates are not static
typed, errors are harder to find, but I hope I catch it all. I think
some tests from other persons do not hurt.

Co-authored-by: JakobDev <jakobdev@gmx.de>
2023-09-29 13:35:01 +00:00
Giteabot fc7d3f7315
Another round of `db.DefaultContext` refactor (#27103) (#27262)
Backport #27103 by @JakobDev

Part of #27065

Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-09-25 19:24:35 +02:00
Giteabot 0ca233258d
Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27163)
Backport #27150 by @memphis88

Similarly to the fix in https://github.com/go-gitea/gitea/pull/24694,
this addresses the team creation not returning the organization
information in the response.

This fix is connected to the
[issue](https://gitea.com/gitea/terraform-provider-gitea/issues/27)
discovered in the terraform provider.
Moreover, the
[documentation](https://docs.gitea.com/api/1.20/#tag/organization/operation/orgCreateTeam)
suggests that the response body should include the `organization` field
(currently being `null`).

Co-authored-by: Dionysios Kakouris <1369451+memphis88@users.noreply.github.com>
2023-09-21 12:15:20 +02:00
CaiCandong f93ee5937b
Fix token endpoints ignore specified account (#27080)
Fix #26234
close #26323
close #27040

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-09-18 00:21:15 +00:00
wxiaoguang 8531ca0837
Make SSPI auth mockable (#27036)
Before, the SSPI auth is only complied for Windows, it's difficult to
test and it breaks a lot.

Now, make the SSPI auth mockable and testable.
2023-09-17 23:32:56 +00:00
KN4CK3R c766140dad
Add `RemoteAddress` to mirrors (#26952)
This PR adds a new field `RemoteAddress` to both mirror types which
contains the sanitized remote address for easier (database) access to
that information. Will be used in the audit PR if merged.
2023-09-16 16:03:02 +00:00
JakobDev f91dbbba98
Next round of `db.DefaultContext` refactor (#27089)
Part of #27065
2023-09-16 14:39:12 +00:00
JakobDev c548dde205
More refactoring of `db.DefaultContext` (#27083)
Next step of #27065
2023-09-15 06:13:19 +00:00
JakobDev 76659b1114
Reduce usage of `db.DefaultContext` (#27073)
Part of #27065

This reduces the usage of `db.DefaultContext`. I think I've got enough
files for the first PR. When this is merged, I will continue working on
this.

Considering how many files this PR affect, I hope it won't take to long
to merge, so I don't end up in the merge conflict hell.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 17:09:32 +00:00
JakobDev aaeec2a392
Add missing 404 response to Swagger (#27038)
Most middleware throw a 404 in case something is not found e.g. a Repo
that is not existing. But most API endpoints don't include the 404
response in their documentation. This PR changes this.
2023-09-13 10:37:54 +08:00
KN4CK3R 591f586bf1
Extract auth middleware from service (#27028)
Related #27027

Extract the router logic from `services/auth/middleware.go` into
`routers/web` <-> `routers/common` <-> `routers/api`.
2023-09-12 08:15:16 +02:00
Lunny Xiao e3ed67859a
Move some functions to service layer (#26969) 2023-09-08 21:09:23 +00:00
Lunny Xiao 4f32abaf94
move repository deletion to service layer (#26948)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-08 04:51:15 +00:00
CaiCandong a78c2eae24
Replace `util.SliceXxx` with `slices.Xxx` (#26958) 2023-09-07 09:37:47 +00:00
Lunny Xiao e97e883ad5
Add reverseproxy auth for API back with default disabled (#26703)
This feature was removed by #22219 to avoid possible CSRF attack.

This PR takes reverseproxy auth for API back but with default disabled.

To prevent possbile CSRF attack, the responsibility will be the
reverseproxy but not Gitea itself.

For those want to enable this `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`,
they should know what they are doing.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-09-07 08:31:46 +00:00
Lunny Xiao b9df9fa2e2
Move createrepository from module to service layer (#26927)
Repository creation depends on many models, so moving it to service
layer is better.
2023-09-06 12:08:51 +00:00
Lunny Xiao 540bf9fa6d
Move notification interface to services layer (#26915)
Extract from #22266
2023-09-05 18:37:47 +00:00
KN4CK3R a99b96cbcd
Refactor secrets modification logic (#26873)
- Share code between web and api
- Add some tests
2023-09-05 15:21:02 +00:00
JakobDev e9f5067653
Add missing `reqToken()` to notifications endpoints (#26914)
They currently throw a Internal Server Error when you use them without a
token. Now they correctly return a `token is required` error.

This is no security issue. If you use this endpoints with a token that
don't have the correct permission, you get the correct error. This is
not affected by this PR.
2023-09-05 14:43:34 +00:00
Bo-Yi Wu f79f6a26ae
feat(API): add routes and functions for managing user's secrets (#26909)
- Add routes for creating or updating a user's actions secrets in
`routers/api/v1/api.go`
- Add a new file `routers/api/v1/user/action.go` with functions for
creating or updating a user's secrets and deleting a user's secret
- Modify the `templates/swagger/v1_json.tmpl` file to include the routes
for creating or updating a user's secrets and deleting a user's secret

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-09-05 14:02:50 +00:00
Zettat123 04771b5ff7
Allow users with write permissions for issues to add attachments with API (#26837)
Fixes #24944

Since a user with write permissions for issues can add attachments to an
issue via the the web interface, the user should also be able to add
attachments via the API
2023-09-01 15:35:38 +00:00
Bo-Yi Wu 9eb4a9e601
feat(API): add secret deletion functionality for repository (#26808)
- Modify the `CreateOrUpdateSecret` function in `api.go` to include a
`Delete` operation for the secret
- Modify the `DeleteOrgSecret` function in `action.go` to include a
`DeleteSecret` operation for the organization
- Modify the `DeleteSecret` function in `action.go` to include a
`DeleteSecret` operation for the repository
- Modify the `v1_json.tmpl` template file to update the `operationId`
and `summary` for the `deleteSecret` operation in both the organization
and repository sections

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2023-09-01 13:02:49 +00:00
wxiaoguang e8aae43f56
Move web/api context related testing function into a separate package (#26859)
Just like `models/unittest`, the testing helper functions should be in a
separate package: `contexttest`

And complete the TODO:

> // TODO: move this function to other packages, because it depends on
"models" package
2023-09-01 11:26:07 +00:00
Bo-Yi Wu b91057b172
feat(API): add route and implementation for creating/updating repository secret (#26766)
spec:
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-a-repository-secret

- Add a new route for creating or updating a secret value in a
repository
- Create a new file `routers/api/v1/repo/action.go` with the
implementation of the `CreateOrUpdateSecret` function
- Update the Swagger documentation for the `updateRepoSecret` operation
in the `v1_json.tmpl` template file

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-08-29 20:54:49 +00:00
Chongyi Zheng ad43486cd3
Fix some slice append usages (#26778)
Co-authored-by: delvh <dev.lh@web.de>
2023-08-29 15:47:26 +00:00
Bo-Yi Wu 8cd46024fd
refactor(API): refactor secret creation and update functionality (#26751)
According to the GitHub API Spec:
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-an-organization-secret

Merge the Create and Update secret into a single API.

- Remove the `CreateSecretOption` struct and replace it with
`CreateOrUpdateSecretOption` in `modules/structs/secret.go`
- Update the `CreateOrUpdateOrgSecret` function in
`routers/api/v1/org/action.go` to use `CreateOrUpdateSecretOption`
instead of `UpdateSecretOption`
- Remove the `CreateOrgSecret` function in
`routers/api/v1/org/action.go` and replace it with
`CreateOrUpdateOrgSecret`
- Update the Swagger documentation in
`routers/api/v1/swagger/options.go` and `templates/swagger/v1_json.tmpl`
to reflect the changes in the struct names and function names

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2023-08-28 13:08:19 +08:00
Chongyi Zheng 43652746f2
Move `modules/mirror` to `services` (#26737)
To solve the cyclic imports in a better way

Closes #20261
2023-08-27 10:24:45 +08:00
Infinoid 86ee5b4b1b
PATCH branch-protection updates check list even when checks are disabled (#26351)
Fixes: #26333.

Previously, this endpoint only updates the `StatusCheckContexts` field
when `EnableStatusCheck==true`, which makes it impossible to clear the
array otherwise.

This patch uses slice `nil`-ness to decide whether to update the list of
checks. The field is ignored when either the client explicitly passes in
a null, or just omits the field from the json ([which causes
`json.Unmarshal` to leave the struct field
unchanged](https://go.dev/play/p/Z2XHOILuB1Q)). I think this is a better
measure of intent than whether the `EnableStatusCheck` flag was set,
because it matches the semantics of other field types.

Also adds a test case. I noticed that [`testAPIEditBranchProtection`
only checks the branch
name](c1c83dbaec/tests/integration/api_branch_test.go (L68))
and no other fields, so I added some extra `GET` calls and specific
checks to make sure the fields are changing properly.

I added those checks the existing integration test; is that the right
place for it?
2023-08-24 05:36:04 +00:00
Bo-Yi Wu b62c8e7765
feat(API): update and delete secret for managing organization secrets (#26660)
- Add `UpdateSecret` function to modify org or user repo secret
- Add `DeleteSecret` function to delete secret from an organization
- Add `UpdateSecretOption` struct for updating secret options
- Add `UpdateOrgSecret` function to update a secret in an organization
- Add `DeleteOrgSecret` function to delete a secret in an organization

GitHub API

1. Update Org Secret:
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-an-organization-secret
2. Delete Org Secret:
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#delete-an-organization-secret

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2023-08-24 02:07:00 +00:00
Bo-Yi Wu 23addde28e
feat: implement organization secret creation API (#26566)
- Add a new `CreateSecretOption` struct for creating secrets
- Implement a `CreateOrgSecret` function to create a secret in an
organization
- Add a new route in `api.go` to handle the creation of organization
secrets
- Update the Swagger template to include the new `CreateOrgSecret` API
endpoint

---------

Signed-off-by: appleboy <appleboy.tw@gmail.com>
2023-08-22 11:20:34 +08:00
Jason Song b658f2c61b
Return empty when searching issues with no repos (#26545) 2023-08-17 12:42:17 -05:00
Bo-Yi Wu 79d74d208f
Add API route to list org secrets (#26485)
- Add a new function `CountOrgSecrets` in the file
`models/secret/secret.go`
- Add a new file `modules/structs/secret.go`
- Add a new function `ListActionsSecrets` in the file
`routers/api/v1/api.go`
- Add a new file `routers/api/v1/org/action.go`
- Add a new function `listActionsSecrets` in the file
`routers/api/v1/org/action.go`

go-sdk: https://gitea.com/gitea/go-sdk/pulls/629

---------

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-08-15 14:32:43 +02:00
puni9869 cafce3b4b5
Allow to archive labels (#26478)
## Archived labels 

This adds the structure to allow for archived labels.
Archived labels are, just like closed milestones or projects, a medium to hide information without deleting it.
It is especially useful if there are outdated labels that should no longer be used without deleting the label entirely.

## Changes

1. UI and API have been equipped with the support to mark a label as archived
2. The time when a label has been archived will be stored in the DB

## Outsourced for the future

There's no special handling for archived labels at the moment.
This will be done in the future.

## Screenshots

![image](https://github.com/go-gitea/gitea/assets/80308335/208f95cd-42e4-4ed7-9a1f-cd2050a645d4)

![image](https://github.com/go-gitea/gitea/assets/80308335/746428e0-40bb-45b3-b992-85602feb371d)

Part of https://github.com/go-gitea/gitea/issues/25237

---------

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-14 11:56:14 +02:00
wxiaoguang c2e0143bfe
Introduce ctx.PathParamRaw to avoid incorrect unescaping (#26392)
Fix #26389

And complete an old TODO: `ctx.Params does un-escaping,..., which is
incorrect.`
2023-08-09 14:57:45 +08:00
Jason Song 1e76a824bc
Refactor and enhance issue indexer to support both searching, filtering and paging (#26012)
Fix #24662.

Replace #24822 and #25708 (although it has been merged)


## Background

In the past, Gitea supported issue searching with a keyword and
conditions in a less efficient way. It worked by searching for issues
with the keyword and obtaining limited IDs (as it is heavy to get all)
on the indexer (bleve/elasticsearch/meilisearch), and then querying with
conditions on the database to find a subset of the found IDs. This is
why the results could be incomplete.

To solve this issue, we need to store all fields that could be used as
conditions in the indexer and support both keyword and additional
conditions when searching with the indexer.

## Major changes

- Redefine `IndexerData` to include all fields that could be used as
filter conditions.
- Refactor `Search(ctx context.Context, kw string, repoIDs []int64,
limit, start int, state string)` to `Search(ctx context.Context, options
*SearchOptions)`, so it supports more conditions now.
- Change the data type stored in `issueIndexerQueue`. Use
`IndexerMetadata` instead of `IndexerData` in case the data has been
updated while it is in the queue. This also reduces the storage size of
the queue.
- Enhance searching with Bleve/Elasticsearch/Meilisearch, make them
fully support `SearchOptions`. Also, update the data versions.
- Keep most logic of database indexer, but remove
`issues.SearchIssueIDsByKeyword` in `models` to avoid confusion where is
the entry point to search issues.
- Start a Meilisearch instance to test it in unit tests.
- Add unit tests with almost full coverage to test
Bleve/Elasticsearch/Meilisearch indexer.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-07-31 06:28:53 +00:00
wxiaoguang 915cdf8f87
Remove "misc" scope check from public API endpoints (#26134)
Fix #26035
2023-07-26 02:53:31 +00:00
JakobDev 6598d0291c
Allow Organisations to have a E-Mail (#25082)
Resolves #25057

This adds a E-Mail field to Organisations. The E-Mail is just shown on
the Profile when it is visited by a logged in User. The E-mail is not
used for something else.

**Screenshots:**

![grafik](https://github.com/go-gitea/gitea/assets/15185051/a8d622b3-7278-4c08-984b-9c5ebfdb5471)

![grafik](https://github.com/go-gitea/gitea/assets/15185051/6dcb1dd7-d04b-49eb-bc96-6582cfe9757b)

---------

Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
Co-authored-by: Denys Konovalov <privat@denyskon.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-25 08:26:27 +00:00