Required for backport of v15 security fixes w/ test automation, this is
a partial cherry-pick of 5589182c54.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9906
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Co-authored-by: Nils Philippsen <nilsph@noreply.codeberg.org>
Co-committed-by: Nils Philippsen <nilsph@noreply.codeberg.org>
It was possible to hijack attachments during update and create functions
to another owner as permissions to check they weren't already attached
to another resource and wasn't checked if it belonged to the repository
that was being operated on.
**Backport:** #10686
(cherry picked from commit 270317a3ad)
```
NAME:
forgejo doctor cleanup-commit-status - Cleanup extra records in commit_status table
USAGE:
forgejo doctor cleanup-commit-status
DESCRIPTION:
Forgejo suffered from a bug which caused the creation of more entries in the
"commit_status" table than necessary. This operation removes the redundant
data caused by the bug. Removing this data is almost always safe.
These reundant records can be accessed by users through the API, making it
possible, but unlikely, that removing it could have an impact to
integrating services (API: /repos/{owner}/{repo}/commits/{ref}/statuses).
It is safe to run while Forgejo is online.
On very large Forgejo instances, the performance of operation will improve
if the buffer-size option is used with large values. Approximately 130 MB of
memory is required for every 100,000 records in the buffer.
Bug reference: https://codeberg.org/forgejo/forgejo/issues/10671
OPTIONS:
--help, -h show help
--custom-path string, -C string Set custom path (defaults to '{WorkPath}/custom')
--config string, -c string Set custom config file (defaults to '{WorkPath}/custom/conf/app.ini')
--work-path string, -w string Set Forgejo's working path (defaults to the directory of the Forgejo binary)
--verbose, -V Show process details
--dry-run Report statistics from the operation but do not modify the database
--buffer-size int Record count per query while iterating records; larger values are typically faster but use more memory (default: 100000)
--delete-chunk-size int Number of records to delete per DELETE query (default: 1000)
```
The cleanup effectively performs `SELECT * FROM commit_status ORDER BY repo_id, sha, context, index, id`, and iterates through the records. Whenever `index, id` changes without the other fields changing, then it's a useless record that can be deleted. The major complication is doing that at scale without bringing the entire database table into memory, which is performed through a new iteration method `IterateByKeyset`.
Manually tested against a 455,303 record table in PostgreSQL, MySQL, and SQLite, which was reduced to 10,781 records, dropping 97.5% of the records.
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10783
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
`GPGKeyToEntity` incorrectly assumed that within a keyring with multiple
keys that the first key is verified and should be exported. Look at all
keys and find the one that matches the verified key ID.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [go](https://go.dev/) ([source](https://github.com/golang/go)) | toolchain | minor | `1.24.6` -> `1.25.3` |
| [go](https://go.dev/) ([source](https://github.com/golang/go)) | golang | minor | `1.24` -> `1.25` |
---
> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNTIuOSIsInVwZGF0ZWRJblZlciI6IjQxLjE1Mi45IiwidGFyZ2V0QnJhbmNoIjoidjExLjAvZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9821
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
**Backport:** #9773
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9775): <!--number 9775 --><!--line 0 --><!--description Zml4OiBzdHJpY3QgZXJyb3IgaGFuZGxpbmcgb24gY29ycnVwdGVkIERCIG1pZ3JhdGlvbiB0cmFja2luZyB0YWJsZXM=-->fix: strict error handling on corrupted DB migration tracking tables<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9775
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9504
With forgejo/forgejo#9075 the `GetUserByEmail` now actually only used activated emails. This however broke sending recovery mails to unactivated users, as their email are not yet activated.
Use the newly introduced function `GetUserByEmailSimple` to not care about this activated email requirement and also avoid the no-reply address being a valid email address for this functionality.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9516
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9362
Do not display the title of unsubscribed issues or pull requests in the notification web page . The title of some random issues or pull requests from repositories were accidentally displayed in the notifications of a user. It was a rare occurrence, caused by an incorrect comparison of two unrelated unique identifiers that are unlikely to match (the id of the notification and the id of a repository). If the issue or the pull request belonged to a private repository to which the user had no read access, only the title was leaked. The user was denied permission to view the issue or the pull request when clicking on the link displayed in the notifications web page.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9362): <!--number 9362 --><!--line 0 --><!--description RG8gbm90IGRpc3BsYXkgdGhlIHRpdGxlIG9mIHVuc3Vic2NyaWJlZCBpc3N1ZXMgb3IgcHVsbCByZXF1ZXN0cyBpbiB0aGUgbm90aWZpY2F0aW9uIHdlYiBwYWdlIC4gVGhlIHRpdGxlIG9mIHNvbWUgcmFuZG9tIGlzc3VlcyBvciBwdWxsIHJlcXVlc3RzIGZyb20gcmVwb3NpdG9yaWVzIHdlcmUgYWNjaWRlbnRhbGx5IGRpc3BsYXllZCBpbiB0aGUgbm90aWZpY2F0aW9ucyBvZiBhIHVzZXIuIEl0IHdhcyBhIHJhcmUgb2NjdXJyZW5jZSwgY2F1c2VkIGJ5IGFuIGluY29ycmVjdCBjb21wYXJpc29uIG9mIHR3byB1bnJlbGF0ZWQgdW5pcXVlIGlkZW50aWZpZXJzIHRoYXQgYXJlIHVubGlrZWx5IHRvIG1hdGNoICh0aGUgaWQgb2YgdGhlIG5vdGlmaWNhdGlvbiBhbmQgdGhlIGlkIG9mIGEgcmVwb3NpdG9yeSkuIElmIHRoZSBpc3N1ZSBvciB0aGUgcHVsbCByZXF1ZXN0IGJlbG9uZ2VkIHRvIGEgcHJpdmF0ZSByZXBvc2l0b3J5IHRvIHdoaWNoIHRoZSB1c2VyIGhhZCBubyByZWFkIGFjY2Vzcywgb25seSB0aGUgdGl0bGUgd2FzIGxlYWtlZC4gVGhlIHVzZXIgd2FzIGRlbmllZCBwZXJtaXNzaW9uIHRvIHZpZXcgdGhlIGlzc3VlIG9yIHRoZSBwdWxsIHJlcXVlc3Qgd2hlbiBjbGlja2luZyBvbiB0aGUgbGluayBkaXNwbGF5ZWQgaW4gdGhlIG5vdGlmaWNhdGlvbnMgd2ViIHBhZ2Uu-->Do not display the title of unsubscribed issues or pull requests in the notification web page . The title of some random issues or pull requests from repositories were accidentally displayed in the notifications of a user. It was a rare occurrence, caused by an incorrect comparison of two unrelated unique identifiers that are unlikely to match (the id of the notification and the id of a repository). If the issue or the pull request belonged to a private repository to which the user had no read access, only the title was leaked. The user was denied permission to view the issue or the pull request when clicking on the link displayed in the notifications web page.<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9363
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9075
Only validated emails can be used to:
- assert if a signature can be trusted or,
- to assign comments, issues to an existing user during a migration
The emails that were not yet validated could previously used as if they were validated, incorrectly showing commits as trusted or assigning comments, issues to the user associated with this email during migrations.
Existing migrations are not modified when they were incorrectly assigned to an email that is not validated. The trust status of all commit signatures will now show differently depending on the validation status of an email.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9075): <!--number 9075 --><!--line 0 --><!--description ZW5zdXJlIEdldFVzZXJCeUVtYWlsIG9ubHkgY29uc2lkZXJzIHZhbGlkYXRlZCBlbWFpbHM=-->ensure GetUserByEmail only considers validated emails<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9084
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport: https://codeberg.org/forgejo/forgejo/pulls/9064**
It is no longer possible to specify the user and password when providing a URL for migrating a repository, the fields dedicated to that purpose on the form must be used instead. This is to prevent that those credentials are displayed in the repository settings that are visible by the repository admins, in the case where the migration is a mirror.
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9065
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
**Backport: https://codeberg.org/forgejo/forgejo/pulls/8189**
This is a clean cherry-pick codewise. There was a minor conflict to resolve in the tests:
```
Conflicts:
tests/integration/patch_status_test.go
the test file did not exist at all in v11 and was added as is with
one exception: `ObjectFormat: optional.Some("sha256"),` was
commented out.
```
---
Automerge can be ignored when the following race happens:
* Conflict check is happening on a repository and
`pr.Status = issues_model.PullRequestStatusChecking` for all open pull
requests (this happens every time a pull request is merged).
* While the conflict check is ongoing, an event (Forgejo Actions being
successful for instance) happens and and `StartPRCheckAndAutoMerge*` is called.
* Because `pr.CanAutoMerge()` is false, the pull request is not
selected and not added to the automerge queue.
* When the conflict check completes and `pr.CanAutoMerge()` becomes
true, there no longer is a task in the auto merge queue and the
auto merge does not happen.
This is fixed by adding a task to the auto merge queue when the conflict check for a pull request completes. This is done when the mutx protecting the conflict check task is released to prevent a deadlock when a synchronous queues are used in the following situation:
* the conflict check task finds the pull request is mergeable
* it schedules the auto merge tasks that finds it must be merged
* merging concludes with scheduling a conflict check task
Avoid an extra loop where a conflict check task queues an auto merge task that will schedule a conflict check task if the pull request can be merged. The auto merge row is removed from the database before merging. It would otherwise be removed after the merge commit is received via the git hook which happens asynchronously and can lead to a race.
StartPRCheckAndAutoMerge is modified to re-use HeadCommitID when available, such as when called after a pull request conflict check.
---
A note on tests: they cover the new behavior, i.e. automerge being triggered by a successful conflict check. This is also on the critical paths for every test that involve creating, merging or updating a pull request.
- `tests/integration/git_test.go`
- `tests/integration/actions_commit_status_test.go`
- `tests/integration/api_helper_for_declarative_test.go`
- `tests/integration/patch_status_test.go`
- `tests/integration/pull_merge_test.go`
The [missing fixture file](https://codeberg.org/forgejo/forgejo/pulls/8189/files#diff-b86fdd79108b3ba3cb2e56ffcfd1be2a7b32f46c) for the auto merge table can be verified to be necessary simply by removing it an observing that the integration tests fail.
The [scheduling of the auto merge task](https://codeberg.org/forgejo/forgejo/pulls/8189/files#diff-9489262e93967f6bb2db41837f37c06f4e70d978) in `testPR` can be verified to be required by moving it in the `testPRProtected` function and observing that the tests hang forever because of the deadlock.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8189): <!--number 8189 --><!--line 0 --><!--description ZG8gbm90IGlnbm9yZSBhdXRvbWVyZ2Ugd2hpbGUgYSBQUiBpcyBjaGVja2luZyBmb3IgY29uZmxpY3Rz-->do not ignore automerge while a PR is checking for conflicts<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8456
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
**Backport of** https://codeberg.org/forgejo/forgejo/pulls/8258, cherry picked from commit cee2aae4ca
Manual adjustments:
- rename the migration file from `v36` to `v29`
- added the `//nolint:revive`
---
Closes#8119, follow-up of #8234 (**backported in #8237**)
## Testing
- go to a commit before #8234 (e.g.
285f66b782)
- create 3 repositories
- save the wiki settings of the second, without any change
- set the wiki of the third to be globally writable
- verify the `default_permissions` column in the database, of the unit
`5`: 0, 2, 3
- stop Forgejo, switch to this PR and start Forgejo
- verify that the logs writes `Migration[35]: Fix wiki unit default
permission`
- verify the `default_permissions` column in the database, of the unit
`5`: 0, 0, 3
Before:
After:
- [x] I did not document these changes and I do not expect someone else
to do it.
- [x] I do not want this change to show in the release notes.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8445
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8367
- Right before the call to user email activation, the user is updated [^1]. This causes the email to be lowered, which in turn makes the call to activate the user activation fail (on database where collation is case sensitive, which is the recommend collation by Forgejo).
- The code in `BeforeUpdate` is quite confusing, the comment has become slightly out of date and was reworded to reflect reality and its purpose. The code is also slightly reworked to only lower the email for the `AvatarEmail` field to avoid causing side-effect.
- Added unit test.
- Resolvesforgejo/forgejo#8354
[^1]: 4927d4ee3d/routers/web/auth/auth.go (L785)
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8385
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8094
- Include organisations with visibility of limited if the visitor is signed in.
- Resolvesforgejo/forgejo#8093
- Added unit test.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8095
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8021
The following will trigger a XORM warning:
```
type Repository struct {
ID int64 `xorm:"pk autoincr"`
Topics []string `xorm:"TEXT JSON NOT NULL"`
}
```
that looks like:
```
[W] Table repository Column topics db default is '', struct default is
```
it cannot be resolved because:
- SQLite requires a default when there is a NOT NULL
- MySQL forbids a default for TEXT
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8022
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7987
- If a review was requested from a deleted team, use the ghost team for the comment aggregator.
- ResolvesCodeberg/Community#1952
- Unit test added.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8000
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7976
- Expired artifacts are kept in the database but the artifact has been deleted from the storage. Ignore them for the quota calculation.
- Added unit test.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7985
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7817
When using an oauth provider for login, we can't always make sure that only supported characters are included in the name. Therefore there exist normalization rules for the username. In German some names contain the `ß` letter which usually gets replaces by `ss`. Therfore I added this to the `customCharsReplacement` list.
Without this fix, the user get's un undescriptive internal server error and the log states `CreateUser: name is invalid [<name>]: must be valid alpha or numeric or dash(-_) or dot characters`.
Co-authored-by: Daniel Kilimnik <daniel@neodyme.io>
Co-authored-by: Otto <otto@codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7821
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7640
Currently, if you have a mirrored repo, the button on the "branches"
page to create a new branch is available to be pressed. Once you name
your new branch and click submit, you get a 404 page that doesn't explain
what went wrong.
As new branch creation is not supported on mirrored repos, let's just
take that button away if the repo is a mirror. This is already done for
archived repos, so we just need to add another check.
Fixes#7639.
Co-authored-by: John Moon <john.moon@vts-i.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7869
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7773
- I was not able to find a reasoning in the pull request (https://github.com/go-gitea/gitea/pull/9784) for the existence of this `time.Sleep`. The best I could come up with during manual testing is that there's a brief moment where 'this pull request is missing fork information' is shown, this was caused by an incorrect condition.
- Added integration test.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7774
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
- Currently during external login (such as OAuth2), if the user is
enrolled into Webauthn and not enrolled into TOTP then no 2FA is being
done during external login and when account linking is set to `auto` then
also during automatic linking. This results in bypassing the 2FA of the
user.
- Create a new unified function that checks if the user is enrolled into
2FA and use this when necessary. Rename the old `HasTwoFactorByUID`
function to `HasTOTPByUID` which is a more appropiate naming.
(cherry picked from commit df5d656827)
Conflicts:
the original commit was trimmed down to be fit for backport
**Backport:** #7715
- Replaces `github.com/go-testfixtures/testfixtures` with a homebrew solution that is fully compatible.
- The reason to replace this library is that it pulls in a lot of other libraries which is causing issues: (1) the test binary becomes bigger than necessary which really shows in incremental build times (this patch removes 27.6MiB of the integration test binary) (2) it pulls in libraries (mainly database drivers) that are not used and are not easy to upgrade in case of a security vulnerability, causing CI failures.
(cherry picked from commit 32e64ccd34)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7729
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7648
The only parameter that is ever used is a single directory, make it that only instead of a more complex option structure.
Remove tests.AddFixtures that was the simpler form because it is now redundant.
---
Backporting to v11.0 will help with automated backporting of bug fixes in need of custom made fixtures.
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7649
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7543
If not a migration will show a warning:
`[W] Table public.package_blob column hash_blake2b db type is VARCHAR(255), struct type is CHAR(128)`
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7544
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7520
- When looking for an existing blob, has_blake2b will be null when it was created prior to v26 migration in v11, when the field was introduced.
- Add unit test and minimal refactoring to load fixtures. The AddFixture function should not be where it currently is because it cannot be used by some packages (circular import). But that's a refactor that needs to be elsewhere for backporting purposes.
Fixes https://codeberg.org/forgejo/forgejo/issues/7519
When the fix is missing, the test fails like so:
```
--- FAIL: TestPackagesGetOrInsertBlob (0.03s)
--- FAIL: TestPackagesGetOrInsertBlob/exists_and_blake2b_is_null_in_the_database (0.00s)
package_blob_test.go:55:
Error Trace: /home/earl-warren/software/forgejo/models/packages/package_blob_test.go:55
Error: Not equal:
expected: true
actual : false
Test: TestPackagesGetOrInsertBlob/exists_and_blake2b_is_null_in_the_database
package_blob_test.go:56:
Error Trace: /home/earl-warren/software/forgejo/models/packages/package_blob_test.go:56
Error: Expected value not to be nil.
Test: TestPackagesGetOrInsertBlob/exists_and_blake2b_is_null_in_the_database
```
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7521
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
- Add the necessary branch row for the workflow repository. This is required for the dashboard search to return any commit status for the default branch.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7338
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- Consider the following scenario: a private repository in an organization with a team that has no specific access to that repository. Members of that team are still able to visit the repository because of entries in the `access` table.
- Consider this specific scenario for the gathering of issues for project tables.
- Unit test added
- Resolvesforgejo/forgejo#7217
- Ref: forgejo/forgejo#6843
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7270
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Failing the migration when a corrupted record is found is problematic because there is no transaction and the database may need to be restored from a backup to attempt the migration again, after deleting the corrupted records.
Each documented case of failed migration was resolved by removing the corrupted records. There is no instance of a failed migration that was caused by non corrupted record.
In the unlikely event of a false negative where a two_factor record is discarded although it is in use, the only consequence is that the user will have to enroll again. Detailed logs are displayed so the Forgejo admin can file a bug report if that happens.
Refs: https://codeberg.org/forgejo/forgejo/issues/6637
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/7251): <!--number 7251 --><!--line 0 --><!--description V2hlbiBtaWdyYXRpbmcgdG8gRm9yZ2VqbyB2MTAsIHRoZSBUT1RQIHNlY3JldHMgZm91bmQgdG8gYmUgY29ycnVwdGVkIGFyZSBub3cgdHJhbnNwYXJlbnRseSByZW1vdmVkIGZyb20gdGhlIGRhdGFiYXNlIGluc3RlYWQgb2YgZmFpbGluZyB0aGUgbWlncmF0aW9uLiBUT1RQIGlzIG5vIGxvbmdlciByZXF1aXJlZCB0byBsb2dpbiB3aXRoIHRoZSBhc3NvY2lhdGVkIHVzZXJzLiBUaGV5IHNob3VsZCBiZSBpbmZvcm1lZCBiZWNhdXNlIHRoZXkgd2lsbCBuZWVkIHRvIHZpc2l0IHRoZWlyIHNlY3VyaXR5IHNldHRpbmdzIGFuZCBjb25maWd1cmUgVE9UUCBhZ2Fpbi4gTm8gb3RoZXIgYWN0aW9uIGlzIHJlcXVpcmVkLg==-->When migrating to Forgejo v10, the TOTP secrets found to be corrupted are now transparently removed from the database instead of failing the migration. TOTP is no longer required to login with the associated users. They should be informed because they will need to visit their security settings and configure TOTP again. No other action is required.<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7251
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
- `releasesToFeedItems` is called to convert release structs to feed items, which is then used to render RSS or Atom feeds.
- Optimize the loading of attributes for the releases, introduce `ReleaseList` type which uses caching to load repository and publishers. It also no longer loads release attachments and downloads counts as that is not used in feed items.
- Optimize the composing of meta by introducing caching, this operation is especially slow when the owner is an organization.
- Add unit test (ensures new `LoadAttributes` works correctly).
- Add integration test (ensures that feed output is still as expected).
Loading https://codeberg.org/forgejo/forgejo/releases.rss reduced from ~15s to ~1s. (It is currently is deployed on codeberg.org)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7221
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- `ComposeMetas` is called to compose meta information for the markdown processer (which is called a lot), one of those information is the team names that have access to the repository. This is used to decide if a mention is a team mention or not.
- The SQL query sorts the names, this is unnecessary and not required for within the processer; it does a simple `strings.Contains(teams, ","+teamName+",")`, which doesn't rely on sorted values.
- Doing the SQL query with sorting against Codeberg's MariaDB took ~0.180s and without sorting took ~0.03s. Although the returned values are often a few rows (the query I tested returned 8 values) it seems that doing any sorting will create an temporary index and is mainly optimized where it has to sort a huge amount of rows.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7223
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
- Add the ability to regenerate existing access tokens in the UI. This preserves the ID of the access token, but generates a new salt and token contents.
- Integration test added.
- Unit test added.
- Resolves#6880
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6963
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Co-committed-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
## Dropping SSPI auth support
SSPI authentication relied on Microsoft Windows support, removal started in https://codeberg.org/forgejo/forgejo/pulls/5353, because it was broken anyway. We have no knowledge of any users using SSPI authentication. However, if you somehow managed to run Forgejo on Windows, or want to upgrade from a Gitea version which does, please ensure that you do not use SSPI as an authentication mechanism for user accounts. Feel free to reach out if you need assistance.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7148
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Otto Richter <otto@codeberg.org>
Co-committed-by: Otto Richter <otto@codeberg.org>
- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- ResolvesCodeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7143
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Closes: https://codeberg.org/forgejo/forgejo/issues/6042
Continuation of: https://codeberg.org/forgejo/forgejo/pulls/6284
Replaces: https://codeberg.org/forgejo/forgejo/pulls/6285
Context: https://codeberg.org/forgejo/forgejo/pulls/6284#issuecomment-2518599
Create a new type of comment: `CommentTypeAggregator`
Replaces the grouping of labels and review request in a single place: the comment aggregator
The whole list of comments is "scanned", if they can get aggregated (diff of time < 60secs, same poster, open / close issue, add / del labels, add /del review req), they are added to the aggregator.
Once needed, the list of all the aggregated comments are replaced with a single aggregated comment containing all the data required.
In templates, have a specific HTML rendering part for the comment aggregator, reuse the same rendering as with the other types of comments.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6523
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Litchi Pi <litchi.pi@proton.me>
Co-committed-by: Litchi Pi <litchi.pi@proton.me>
