While trying to understand #1236, I was quite confused not to see the `Use Custom URLs` checkbox.
This checkbox disappeared in b95a893b22 (because `getElementById` does not expect a `#` as first char), fixed in 4e816e1326.
After solving this, switching from `Nextcloud` to `OpenID Connect` triggered a JS error, which is addressed in 3efa4d836a.
Manual testing:
- go to http://localhost:3000/admin/auths
- click on `Add authentication source`
- Choose `Authentication type`: `OAuth2`
- Choose `OAuth2 provider`: `Nextcloud`
- check that the `Use Custom URLs Instead of Default URLs` checkbox toggles the fields below
- let the checkbox be checked
- Switch the `OAuth2 provider` to `OpenID Connect`
- ensure that no JS error is shown
- Switch the `OAuth2 provider` to `Mastodon`
- check that the fields below `Use Custom URLs Instead of Default URLs` have the right defaults (mastodon.social)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4059
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
(cherry picked from commit 82ae7460bf)
Fix adopt repository has empty object name in database (#31333)
Fix#31330Fix#31311
A workaround to fix the old database is to update object_format_name to
`sha1` if it's empty or null.
(cherry picked from commit 1968c2222dcf47ebd1697afb4e79a81e74702d31)
With tests services/repository/adopt_test.go
(cherry picked from commit 8efef06fb1)
Currently this string has different amount of placeholders in v8 and v7 because https://codeberg.org/forgejo/forgejo/pulls/3837 was not backported to v7.
### The problem
This string is currently [not translated](https://translate.codeberg.org/translate/forgejo/forgejo/en/?checksum=405b09ee2c2371d4) in every language. For example, when UI is in Slovenian, it would be in English.
But if someone translates it into Slovenian, it will be something like `Posodobljen %s`. Then we merge the Weblate PR, @forgejo-backport-action creates a backport and we forget to check this backport for presence of `repo_updated`. We ship this as a point release of our LTS v7, and then Slovenian users will literally see `Posodobljen %s` in the UI instead of `Posodobljen včeraj`.
By renaming this key in v7 we protect it from these kinds of regressions.
### Test
Go to Explore, look at repo entries, they should contain relative time.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4117
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
This Fixes#3962 by adding `!important` to the margin of the heading in the rendered markdown.
In the current behaviour, the margin-top was always overridden by a global css-rule. This is prevented by this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4076
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
(cherry picked from commit 187860bded)
Also convert a comment into a warning in the logs when the deletion of
an artifact cannot find the file in the destination storage.
The case were an error happens while deleting the file is not covered
as it would require to mock the storage.Copy function.
(cherry picked from commit e759794408)
Change the copy to use `ActionsArtifact.StoragePath` instead of the
`ArtifactPath`. Skip artifacts that are expired, and don't error if the
file to copy does not exist.
---
When trying to migrate actions artifact storage from local to MinIO, we
encountered errors that prevented the process from completing
successfully:
* The migration tries to copy the files using the per-run
`ArtifactPath`, instead of the unique `StoragePath`.
* Artifacts that have been marked expired and had their files deleted
would throw an error
* Artifacts that are pending, but don't have a file uploaded yet will
throw an error.
This PR addresses these cases, and allow the process to complete
successfully.
(cherry picked from commit 8de8972baf5d82ff7b58ed77d78e8e1869e64eb5)
(cherry picked from commit 4afbfd3946)
Backport #31188
Fixes issue when running `choco info pkgname` where `pkgname` is also a
substring of another package Id.
Relates to #31168
---
This might fix the issue linked, but I'd like to test it with more choco
commands before closing the issue in case I find other problems if
that's ok.
I'm pretty inexperienced with Go, so feel free to nitpick things.
Not sure I handled
[this](70f87e11b5/routers/api/packages/nuget/nuget.go (L135-L137))
in the best way, so looking for feedback on if I should fix the
underlying issue (`nil` might be a better default for `Value`?).
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit ca414a7ccf5e26272662e360c44ac50221a0f2d4)
Backport #31204 by @silverwind
Using `.segment` on the project columns is a major abuse of that class,
so remove it and instead set the border-radius directly on it.
Fixes: https://github.com/go-gitea/gitea/issues/31129
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 298d05df3b79634a0364926f34fb02b73d442c31)
Do not try to create a new authorization grant when one exists already,
thus preventing a DB-related authorization issue.
Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 9c8c9ff6d10b35de8d2d7eae0fc2646ad9bbe94a)
(cherry picked from commit 07fe5a8b13)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).
As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),
> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.
With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).
Fixes#25061.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
(cherry picked from commit 1b088fade6)
See:
1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client
(cherry picked from commit 592469464b)
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.
Refs: https://github.com/mholt/archiver/issues/404
(cherry picked from commit 3bfec270ac)
Conflicts:
go.sum
trivial context conflict
These changes were missed when cherry-picking the following
c9d0e63c202827756c637d9ca7bbde685c1984b7 Remove unnecessary "Str2html" modifier from templates (#29319)
Fixes: https://codeberg.org/forgejo/forgejo/issues/3623
(cherry picked from commit caadd1815a)
If the avatar file in storage does not exist, it is not an error and
the database can be updated.
See 1be797faba Fix bug on avatar
(cherry picked from commit d2c4d833f4)
The avatar must not be unset in the database if there is a failure to
remove the avatar file from storage (file or S3). The two operations
are wrapped in a transaction for that purpose and this test verifies
it is effective.
See 1be797faba Fix bug on avatar
(cherry picked from commit c139efb1e9)
Backport #31174 by @lunny
Fix#31172
The original order or the default order should not be ignored even if we
have an is_deleted order.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit c6176ee59f4a25607dcfbc00757121f705101101)
(cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482)
Conflicts:
tests/integration/git_push_test.go
trivial context conflict because of
2ac3dcbd43 test: hook post-receive for sha256 repos
(cherry picked from commit 62448bfb93)
(cherry picked from commit e8c776c79384c1c0a4d707ce5084b27347703848)
The right to force merge is uses the wrong predicate and
applies to instance admins:
ctx.user.IsAdmin
It must apply to repository admins and use the following predicate:
ctx.userPerm.IsAdmin()
This regression is from the ApplyToAdmins implementation in
79b7089360.
Fixes: https://codeberg.org/forgejo/forgejo/issues/3780
(cherry picked from commit 09f3518069)
This exception existed for both instance admins and repo admins
before ApplyToAdmins was introduced in
79b7089360.
It should have been kept for instance admins only because they are not
subject to permission checks.
(cherry picked from commit 05f0007437)
Verify variations of branch protection that are in play when merging a
pull request as:
* instance admin
* repository admin / owner
* user with write permissions on the repository
In all cases the result is expected to be the same when merging
the pull request via:
* API
* web
Although the implementations are different.
(cherry picked from commit 793421bf59)
Conflicts:
tests/integration/pull_merge_test.go
trivial context conflict
* group test cases to clarify their purpose
* remove pull request branch protection tests, they are redundant
with TestPullMergeBranchProtect
(cherry picked from commit 0d8478b82e)
Conflicts:
tests/integration/git_test.go
trivial context conflict
