Age Commit message Author
2022-03-10 fix pam authorization (#19040) (#19047) release/v1.16 6543
Backport #19040

The PAM module has previously only checked the results of the authentication module. However, in normal PAM practice most users will expect account module authorization to also be checked. Without doing this check, in almost every configuration expired accounts and accounts with expired passwords will still be able to login. This is likely to represent a significant gotcha in most configurations and cause most users' configurations to be potentially insecure. Therefore we should add in the account authorization check.

## :warning: **BREAKING** :warning:

Users of the PAM module who rely on account modules not being checked will need to change their PAM configuration. However, as it is likely that the vast majority of users of PAM will be expecting account authorization to be checked in addition to authentication we should make this breaking change to make the default behaviour correct for the majority.

---

I suggest we backport this despite the BREAKING nature because of the surprising nature of this.

Thanks to @ysf for bringing this to our attention.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: ysf <34326+ysf@users.noreply.github.com>
2022-03-10 Ignore missing comment for user notifications (#18954) (#19043) zeripath
2022-03-09 Set `rel="nofollow noindex"` on new issue links (#19023) (#19042) zeripath
Backport #19023 Fix #19018 Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-09 Upgrading binding package (#19034) (#19035) Lunny Xiao
Backport #19034 Fix #18855
2022-03-08 Don't show context cancelled errors in attribute reader (#19006) (#19027) zeripath
Backport #19006 Fix #18997 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-03-04 Fix update hint bug (#19002) Lunny Xiao
2022-03-05 Fix potential assignee query for repo (#18994) (#18999) Otto Richter (fnetX)
* Fix potential assignee query for repo
* Add tests for `GetRepoAssignees`
  - As per https://github.com/go-gitea/gitea/pull/18994#issuecomment-1058506640
Co-authored-by: Gusted <williamzijl7@hotmail.com>
2022-03-03 allow overwrite artifacts for github releases (#18987) (#18988) 6543
2022-03-03 Changelog for v1.16.3 (#18966) v1.16.3 Lunny Xiao
* Changelog for v1.16.3
* Update CHANGELOG.md
* Apply suggestions from code review
* Apply suggestions from code review
Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Gusted <williamzijl7@hotmail.com>
2022-03-02 git backend ignore replace objects (#18979) (#18980) 6543
Co-authored-by: zeripath <art27@cantab.net>
2022-03-02 Set max text height to prevent overflow (#18862) (#18977) Otto Richter (fnetX)
Sets a max height for review text boxes to prevent a very annoying bug where users cannot access the "submit" button. Before: ![image](https://user-images.githubusercontent.com/12700993/155253001-e1dab086-aaf3-4338-889d-6a861728274a.png) After: ![image](https://user-images.githubusercontent.com/12700993/155253144-5b9a3547-9582-412f-867f-41a45a14a0fe.png) Interestingly, I don't see this bug on Firefox. Co-authored-by: Kyle D <kdumontnu@gmail.com>
2022-03-02 Fix problem when self-assign notification (#18797) (#18976) Otto Richter (fnetX)
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-03-02 backport fix of #18973 (#18974) 6543
2022-03-02 Refactor admin user filter query parameters (#18965) (#18975) Otto Richter (fnetX)
Only pass `status_filter` on admin page Use a more general method to pass query parameters, remove hard-coded keys Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-03-02 Accounts with WebAuthn only (no TOTP) now exist ... fix code to handle that case (#18897) (#18964) 6543
2022-03-01 Send 404 on `/{org}.gpg` (#18959) (#18962) Gusted
2022-03-01 Fix admin user list pagination (#18957) (#18960) Otto Richter (fnetX)
2022-03-01 Fix lfs management setting (#18947) Lunny Xiao
2022-02-28 Backport locales from master (#18944) 6543
* update
* clean
* clean2
* clean2
* clean-next
* cleanup
* finish cleanup
2022-02-28 Fix login with email panic when email is not exist (#18942) Lunny Xiao
Co-authored-by: 6543 <6543@obermui.de>
2022-02-28 Adjust error for already locked db and prevent level db lock on malformed connstr (#18923) (#18938) zeripath
Backport #18923 This PR adjusts the error returned when there is failure to lock the level db, and permits a connection to the same leveldb where there is a different connection string. Reference #18921 Reference #18917 Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-27 Update go-org to v1.6.1 (#18932) (#18933) Gusted
Backport #18932
2022-02-27 Fix `<strong>` html in translation (#18929) (#18931) Gusted
Backport #18929
2022-02-27 Fix page and missing return on unadopted repos API (#18848) (#18927) qwerty287
* Fix page and missing return on unadopted repos API
  Page must be 1 if it's not specified and it should return after sending an internal server error.
* Allow ignore pages
2022-02-26 Don't treat BOM escape sequence as hidden character. (#18909) (#18910) Gusted
* Don't treat BOM escape sequence as hidden character. (#18909) Backport #18909
2022-02-26 Allow administrator teams members to see other teams (#18918) (#18919) Gusted
Allow administrator teams members to see other teams (#18918)
2022-02-26 Correctly link URLs to users/repos with dashes, dots or underscores (#18890) (#18908) silverwind
* Add tests for references with dashes
  This commit adds tests for full URLs referencing repos names and user names containing a dash.
* Extend regex to match URLs to repos/users with dashes
Co-authored-by: Alexander Neumann <62751754+rtpt-alexanderneumann@users.noreply.github.com>
2022-02-26 Don't update email for organisation (#18905) (#18906) Gusted
Backport #18905
2022-02-26 Fix redirect when using lowercase reponame (#18775) (#18902) Otto Richter (fnetX)
* Previously, `GET {username}/{reponame}/raw///file-path` (the middle two slashes are blank to get the default branch) when the repo name has uppercase letters, e.g., https://try.gitea.io/AbdulrhmnGhanem/CH330_Hardware, using a lowercase version of the name redirected to the correct URL
* In other words both
  * `GET https://try.gitea.io/AbdulrhmnGhanem/CH330_Hardware/raw///images/back.png`
  * `GET https://try.gitea.io/AbdulrhmnGhanem/ch330_hardware/raw///images/back.png`
  were redirecting to `GET https://try.gitea.io/AbdulrhmnGhanem/CH330_Hardware/raw/branch/master/images/back.png`
This isn't the case after #17551. Specifically because of this [line](https://github.com/zeripath/gitea/blob/cbd5eecd148dfca5fcb1a3da469e491a84f6b32b/modules/context/repo.go#L860).
Co-authored-by: Ghanem <37152329+AbdulrhmnGhanem@users.noreply.github.com>
2022-02-25 Fix team management UI (#18887) Lunny Xiao
2022-02-25 Fix migration v210 (#18893) Lunny Xiao
2022-02-25 BeforeSourcePath should point to base commit (#18880) Jimmy Praet
2022-02-24 Add changelog for v1.16.2 (#18840) v1.16.2 Lunny Xiao
Add changelog for v1.16.2 Co-authored-by: 6543 <6543@obermui.de>
2022-02-24 Fix ldap user sync missed email in email_address table (#18786) (#18876) Lunny Xiao
* Fix ldap user sync missed email in email_address table (#18786)
2022-02-24 Don't report signal: killed errors in serviceRPC (#18850) (#18865) zeripath
Backport #18850 Fix #18849 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-02-24 Update assignees check to include any writing team and change org sidebar (#18680) (#18873) zeripath
Backport #18680 Following the merging of #17811 teams can now have differing write and readonly permissions, however the assignee list will not include teams which have mixed perms. Further the org sidebar is no longer helpful as it can't describe these mixed permissions situations. Fix #18572 Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-22 Fix login with email for ldap users (#18800) (#18836) Lunny Xiao
`authenticator.Authenticate` has assumed the login name is not an email, but `username` may be an email. So when we find the user via email address, we should use `user.LoginName` instead of `username` which is an email address. Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-02-22 Fix ldap edit bug (#18859) Lunny Xiao
2022-02-22 Fix ldap loginname (#18789) (#18804) Lunny Xiao
* Use email_address table to check user's email when login with email address
* Update services/auth/signin.go
* Fix test
* Fix test
* Fix logging in with ldap username != loginname
* Fix if user does not exist yet
* Make more clear this is loginName
* Fix formatting
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Johan Van de Wauw <johan@gisky.be>
Co-authored-by: zeripath <art27@cantab.net>
2022-02-22 In disk_channel queues synchronously push to disk on shutdown (#18415) (#18788) zeripath
Partial Backport of #18415 Instead of using an asynchronous goroutine to push to disk on shutdown just close the datachan and immediately push to the disk. Prevents messages of incompletely flushed queues. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-02-21 Fix bug for get user by email (#18834) Lunny Xiao
Backport #18833 Fix #18830
2022-02-21 Update go-org to 1.6.0 (#18824) (#18839) zeripath
Backport #18824 Fix #14074 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-02-20 Show fullname on issue edits and gpg/ssh signing info (#18828) Wim
Co-authored-by: zeripath <art27@cantab.net>
2022-02-20 Put buttons back in org dashboard (#18817) (#18825) Lunny Xiao
Backport #18817 Fix #18523
2022-02-20 Immediately Hammer if second kill is sent (#18823) (#18826) zeripath
Backport #18823 Currently Gitea will wait for HammerTime or nice shutdown if kill -1 or kill -2 is sent. We should just immediately hammer if there is a second kill. Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-19 Fix panic in EscapeReader (#18820) (#18821) zeripath
Backport #18820 There is a potential panic due to a mistaken resetting of the length parameter when multibyte characters go over a read boundary. Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-17 remove redundant call to UpdateRepoStats during migration (#18591) (#18794) singuliere
There is no need to call UpdateRepoStats in the InsertIssues and InsertPullRequests function. They are only called during migration by the CreateIssues and CreateReviews methods of the gitea uploader. The UpdateRepoStats function will be called by the Finish method of the gitea uploader after all reviews and issues are inserted. Calling it before is therefore redundant and the associated SQL requests are not cheap. The statistics tests done after inserting an issue or a pull request are also removed. They predate the implementation of UpdateRepoStats, back when the calculation of the statistics was an integral part of the migration function. The UpdateRepoStats is now tested independently and these tests are no longer necessary. Signed-off-by: singuliere <singuliere@autistici.org> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-02-17 Allow mermaid render error to wrap (#18791) silverwind
2022-02-16 Attempt to fix the webauthn migration again - part 3 (#18770) (#18771) zeripath
Backport #18770 v208.go is seriously broken as it misses an ID() check. We need to no-op and remigrate all of the u2f keys. See #18756 Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-16 Fix template bug of LFS lock (#18784) (#18787) Lunny Xiao
Backport #18784 Fix #18782