[CVSS 5.3 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) -- The `/repos/{owner}/{repo}/issues/{index}/dependencies` APIs allow a user to link an issue in one repository as "depending upon" an issue in another repository. Forgejo's implementation had an incorrect permission check which would verify only that the user had write permissions on the issue being modified, and not on the issue it was linking to. Due to the incorrect permission check, it was possible to view limited information (the existence of, and title of) an issue in a private repository that the user does not have access to view. The permission check has been corrected to take into account visibility of the remote repository.
[CVSS 5.3 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) -- Fetching information about a release via the `/repos/{owner}/{repo}/releases/tag/{tag}` API endpoint did not check whether the release was a draft, allowing accessing to information about a draft release to users who could predict an upcoming release tag but didn't have access to view it. The missing check has been added, returning a 404 response when the release is not published.
[CVSS 6.3 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- Forgejo's web interface allows deleting tags on a git repository through a form post. The endpoint for this form post had misconfigured middleware handlers which enforce security rights, allowing an anonymous user, or a logged-in user without the correct permissions, to delete tags on repositories that they did not own by injecting arbitrary internal tag identifiers into the form. The middleware handler configuration has been corrected.
[CVSS 2.1 Low](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- When the head branch of a pull request matches a branch protection rule, the head branch should be able to be merged or rebased only according to the "Push" rules defined in the protection rule. An implementation error checked those branch protection rules in the context of the base repository rather than the head repository, allowing users with write access to the base repository to be considered able to push to the branch, bypassing the "Enable push" option's expected security control.
[CVSS 2.1 Low](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- An issue owner can manipulate form inputs to delete the content history of comments they did not create, as long as those comments are on issues that they own. Although comment content is not affected, the history of edits on the comment can be trimmed. The validation in the form handler was corrected.
[CVSS 5.1 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- When a repository is configured with tag protection rules, it should not be possible for a user that is outside the whitelisted users or teams from modifying the protected tags. An incorrect parameter being passed to a security verification method allowed a user with write access to the repo to delete tags even if they were protected, as long as the tag was originally created by a user who is still authorized by the protection rules.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 0 --><!--description Zml4KGFwaSk6IGZpeCBkZXBlbmRlbmN5IHJlcG8gcGVybXMgaW4gQ3JlYXRlL1JlbW92ZUlzc3VlRGVwZW5kZW5jeQ==-->fix(api): fix dependency repo perms in Create/RemoveIssueDependency<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 1 --><!--description Zml4KGFwaSk6IGRyYWZ0IHJlbGVhc2VzIGNvdWxkIGJlIHJlYWQgYmVmb3JlIGJlaW5nIHB1Ymxpc2hlZA==-->fix(api): draft releases could be read before being published<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 2 --><!--description bWlzY29uZmlndXJlZCBzZWN1cml0eSBjaGVja3Mgb24gdGFnIGRlbGV0ZSB3ZWIgZm9ybQ==-->misconfigured security checks on tag delete web form<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 3 --><!--description aW5jb3JyZWN0IGxvZ2ljIGluICJVcGRhdGUgUFIiIGRpZCBub3QgZW5mb3JjZSBoZWFkIGJyYW5jaCBwcm90ZWN0aW9uIHJ1bGVzIGNvcnJlY3RseQ==-->incorrect logic in "Update PR" did not enforce head branch protection rules correctly<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 4 --><!--description aXNzdWUgb3duZXIgY2FuIGRlbGV0ZSBhbm90aGVyIHVzZXIncyBjb21tZW50J3MgZWRpdCBoaXN0b3J5IG9uIHNhbWUgaXNzdWU=-->issue owner can delete another user's comment's edit history on same issue<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 5 --><!--description dGFnIHByb3RlY3Rpb24gcnVsZXMgY2FuIGJlIGJ5cGFzc2VkIGR1cmluZyB0YWcgZGVsZXRlIG9wZXJhdGlvbg==-->tag protection rules can be bypassed during tag delete operation<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10039
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
**Backport:** #9662
Test failure:
```
1) [chromium] › tests/e2e/webauthn.test.e2e.ts:14:1 › WebAuthn register & login flow ─────────────
Error: page.goto: Navigation to "http://localhost:3003/user/login" is interrupted by another navigation to "http://localhost:3003/"
Call log:
- navigating to "http://localhost:3003/user/login", waiting until "load"
46 |
47 | // Login.
> 48 | response = await page.goto('/user/login');
| ^
49 | expect(response?.status()).toBe(200);
50 |
51 | await page.getByLabel('Username or email address').fill(username);
at /workspace/forgejo/forgejo/tests/e2e/webauthn.test.e2e.ts:48:25
```
I have not been able to reproduce this locally.
What seems to be happening is that the current code is clicking the "Sign out" menu option, and then while the browser is busy (navigating to `/logout`, redirecting to `/`), the test attempts to navigate directly to `/user/login`. The two navigations are racey, depending on how fast they work they may result in this error. The proposed fix is to wait for the sign-out operation to complete by waiting for the URL to land on `/`, before then proceeding with the rest of the test with the second login.
Normally this would be *just* a `waitForURL` call. But because of the redirect on logout, I've encountered the below error if the code is just invoking `waitForURL`. So I put the `waitForURL` invocation into an `expect(...).toPass()`. This isn't technically the correct usage of `toPass` which is intended for *assertions* which will eventually become successful, whereas this is attempting to retry a wait... but... a wait shouldn't need a retry. (I'd argue this is a Playwright bug.)
```
Error: page.waitForURL: net::ERR_ABORTED; maybe frame was detached?
```
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9662
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9673
Reviewed-by: Otto <otto@codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9504
With forgejo/forgejo#9075 the `GetUserByEmail` now actually only used activated emails. This however broke sending recovery mails to unactivated users, as their email are not yet activated.
Use the newly introduced function `GetUserByEmailSimple` to not care about this activated email requirement and also avoid the no-reply address being a valid email address for this functionality.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9516
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9468
If the keep count of a cleanup rule is greater than the number of available packages, it fails with:
```
panic(boundsError{x: int64(x), signed: true, y: y, code: boundsSliceB})
.../packages/packages.go:175
.../routers/web/org/setting_packages.go:108
```
Regression of https://codeberg.org/forgejo/forgejo/pulls/9219/files
Refs https://codeberg.org/forgejo/forgejo/issues/9461
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9468): <!--number 9468 --><!--line 0 --><!--description cGFja2FnZSBjbGVhbmVkIHJ1bGUgZmFpbHMgaWYgdGhlIGtlZXAgY291bnQgaXMgdG9vIGhpZ2g=-->package cleaned rule fails if the keep count is too high<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9469
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
backport of #9219
---
Before it has only processed the newest 200 (or 50 for default `MAX_RESPONSE_ITEMS: 50`) versions.
After it processes all versions.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9219
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Co-committed-by: Michael Kriese <michael.kriese@visualon.de>
(cherry picked from commit c697de9517)
Conflicts:
tests/integration/api_packages_test.go
Trivial import conflict and missing helper addition
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9232): <!--number 9232 --><!--line 0 --><!--description Zml4OiBwYWNrYWdlIGNsZWFudXAgcnVsZXMgYXJlIG5vdCBhcHBsaWVkIHdoZW4gdGhlcmUgYXJlIG1vcmUgdGhhbiAyMDAgcGFja2FnZXMgKGRlcGVuZHMgb24gYE1BWF9SRVNQT05TRV9JVEVNU2ApICgjOTIxOSk=-->fix: package cleanup rules are not applied when there are more than 200 packages (depends on `MAX_RESPONSE_ITEMS`) (#9219)<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9232
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9241
AssertExistsAndLoadBean has a side effect on its argument. When retrying in a loop, it must use the non modified argument, otherwise it is bound to return the same row as the first failure and render the retry useless.
Refs forgejo/forgejo#9236
---
Without this fix it fails 100% of the time locally on testify v1.11 because it runs the test before waiting https://github.com/stretchr/testify/pull/1427
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9242
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9071
All PUT/DELETE routes in the web UI are validated to prevent a [cross site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Although all POST routes are validated with a CSRF token, some of the PUT/DELETE routes were missing this validation.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9071): <!--number 9071 --><!--line 0 --><!--description dmFsaWRhdGUgQ1NSRiBvbiBub24tc2FmZSBtZXRob2Rz-->validate CSRF on non-safe methods<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9081
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9070
Obtaining a [personal access token via the API](https://forgejo.org/docs/latest/user/api-usage/#generating-and-listing-api-tokens) is no longer possible if the password used for basic authentication is an API token or an [OAuth2 token](https://forgejo.org/docs/latest/user/api-usage/#oauth2-provider): it has to be the user password. Such privilege escalation was only possible for tokens with write permissions to the user.
This requirement is already enforced when API calls are made with an authorization header [as described in the documentation](https://forgejo.org/docs/latest/user/api-usage/#authentication), but it was not enforced with basic authentication. As a consequence it was possible for an API token with `write:user` permissions or an OAuth2 token to obtain a new token with a wider or identical scope.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9070): <!--number 9070 --><!--line 0 --><!--description cmVxdWlyZSBwYXNzd29yZCBsb2dpbiBmb3IgY3JlYXRpb24gb2YgbmV3IHRva2Vu-->require password login for creation of new token<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9079
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport: https://codeberg.org/forgejo/forgejo/pulls/9064**
It is no longer possible to specify the user and password when providing a URL for migrating a repository, the fields dedicated to that purpose on the form must be used instead. This is to prevent that those credentials are displayed in the repository settings that are visible by the repository admins, in the case where the migration is a mirror.
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9065
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8678
- Even though the test file contains some good extensive testing, it didn't bother to actually call `/login/oauth/access_token` to see if the received code actually resulted into a access token.
- The fix itself is... well yeah self-explanatory.
- Resolvesforgejo/forgejo#8669
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8678): <!--number 8678 --><!--line 0 --><!--description c3RvcmUgY29kZSBjaGFsbGVuZ2UgY29ycmVjdGx5IGluIHNlc3Npb24=-->store code challenge correctly in session<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8974
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8611
As far as I can see and tell, the newest webkit version contains a regression that makes this specific test fail. The screenshots that are uploaded upon failure do not seem to suggest that this test should fail.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8614
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8460
- I cannot give a good rationale why Mobile Safari and webkit is failing this test quite consistently and also succeed quite often. We add a script to ensure that we get a mismatched URL - but these two browsers either ignore this script sometime or delays the execution until after the root URL check is done.
- Because it is very hard to run webkit and mobile safari without running a heavily containerized environment (without a graphical interface) it is near impossible to debug this issue properly; save ourselves a headache and disable it instead. I find it more likely to be a problem with my playwright test than it to be a problem with the mismatched root URL code.
- Ref forgejo/forgejo#8359
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8465
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8461
- In `test.beforeEach` the browser is navigated to `/user2/repo1/pulls/5` and the test environment is prepared by making sure the pull request is not WIP. At the start of `simple toggle` the browser is navigated to the same URL (and the browser is already on this URL) which the Mobile Chrome browser does not handle gracefully and reliably errors with `net::ERR_ABORTED`.
- Because we are already at that URL, do not try to navigate to it again.
- I cannot offer a rationale why the Mobile Chrome browser does give a error when this happens in subsequent tests of 'Pull: Toggle WIP'.
- Ref forgejo/forgejo#8359
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8462
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport: https://codeberg.org/forgejo/forgejo/pulls/8189**
This is a clean cherry-pick codewise. There was a minor conflict to resolve in the tests:
```
Conflicts:
tests/integration/patch_status_test.go
the test file did not exist at all in v11 and was added as is with
one exception: `ObjectFormat: optional.Some("sha256"),` was
commented out.
```
---
Automerge can be ignored when the following race happens:
* Conflict check is happening on a repository and
`pr.Status = issues_model.PullRequestStatusChecking` for all open pull
requests (this happens every time a pull request is merged).
* While the conflict check is ongoing, an event (Forgejo Actions being
successful for instance) happens and and `StartPRCheckAndAutoMerge*` is called.
* Because `pr.CanAutoMerge()` is false, the pull request is not
selected and not added to the automerge queue.
* When the conflict check completes and `pr.CanAutoMerge()` becomes
true, there no longer is a task in the auto merge queue and the
auto merge does not happen.
This is fixed by adding a task to the auto merge queue when the conflict check for a pull request completes. This is done when the mutx protecting the conflict check task is released to prevent a deadlock when a synchronous queues are used in the following situation:
* the conflict check task finds the pull request is mergeable
* it schedules the auto merge tasks that finds it must be merged
* merging concludes with scheduling a conflict check task
Avoid an extra loop where a conflict check task queues an auto merge task that will schedule a conflict check task if the pull request can be merged. The auto merge row is removed from the database before merging. It would otherwise be removed after the merge commit is received via the git hook which happens asynchronously and can lead to a race.
StartPRCheckAndAutoMerge is modified to re-use HeadCommitID when available, such as when called after a pull request conflict check.
---
A note on tests: they cover the new behavior, i.e. automerge being triggered by a successful conflict check. This is also on the critical paths for every test that involve creating, merging or updating a pull request.
- `tests/integration/git_test.go`
- `tests/integration/actions_commit_status_test.go`
- `tests/integration/api_helper_for_declarative_test.go`
- `tests/integration/patch_status_test.go`
- `tests/integration/pull_merge_test.go`
The [missing fixture file](https://codeberg.org/forgejo/forgejo/pulls/8189/files#diff-b86fdd79108b3ba3cb2e56ffcfd1be2a7b32f46c) for the auto merge table can be verified to be necessary simply by removing it an observing that the integration tests fail.
The [scheduling of the auto merge task](https://codeberg.org/forgejo/forgejo/pulls/8189/files#diff-9489262e93967f6bb2db41837f37c06f4e70d978) in `testPR` can be verified to be required by moving it in the `testPRProtected` function and observing that the tests hang forever because of the deadlock.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8189): <!--number 8189 --><!--line 0 --><!--description ZG8gbm90IGlnbm9yZSBhdXRvbWVyZ2Ugd2hpbGUgYSBQUiBpcyBjaGVja2luZyBmb3IgY29uZmxpY3Rz-->do not ignore automerge while a PR is checking for conflicts<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8456
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8400
- This test is the source of many transient errors https://codeberg.org/forgejo/forgejo/issues/8359#issuecomment-5655557 and is semi-reproducible locally. Any debugging code that is added will result in the error no longer being reproducible, making it hard to say why this is failing.
- It no longer seems necessary to add this `waitForURL` call as Playwright now seems to gracefully handle the case where we want to go to a specific page while playwright might still be navigating to another URL that was initiated by clicking on a button - thus removing the source of the transient error altogether.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8401
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8326
- fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks
- add test coverage for both fixes and the underlying function `parseCompareInfo`
- refactor and improve part of the helpers from `tests/integration/api_helper_for_declarative_test.go`
- remove a few wrong or misleading comments
Refs forgejo/forgejo#7978
---
Note that this is a partial backport for reasons explained at https://codeberg.org/forgejo/forgejo/pulls/8326
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
### Documentation
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] I want the title to show in the release notes with a link to this pull request.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8333): <!--number 8333 --><!--line 0 --><!--description Zml4OiBtYWtlIEFQSSAvcmVwb3Mve293bmVyfS97cmVwb30vY29tcGFyZS97YmFzZWhlYWR9IHdvcmsgd2l0aCBmb3Jrcw==-->fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8333
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8234fixes: #8119, replaces #8135
Bug likely introduced in 5eeccecafc
### Tests
- I added test coverage for Go changes in the `tests/integration` directory if it involves interactions with a live Forgejo server.
### Documentation
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8237
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8155
* convert updateRepoUnits to not rely on ctx to retrieve the repo
* Add integration test
* do not activate releases if `wiki: true`. This is unexpected and there is no evidence it is necessary.
Refs https://codeberg.org/forgejo/forgejo/issues/8082
---
The test is minimal for the sake of backporting. It is verified to reproduce the bug if the fix is not present.
```sh
$ make TAGS='sqlite sqlite_unlock_notify' 'test-sqlite#TestAPIRepoMigrate'
...
=== TestAPIRepoMigrate (tests/integration/api_repo_test.go:388)
--- FAIL: TestAPIRepoMigrate (1.12s)
testlogger.go:411: 2025/06/11 17:38:22 ...les/storage/local.go:33:NewLocalStorage() [I] Creating new Local Storage at /home/earl-warren/software/forgejo/tests/gitea-lfs-meta
testlogger.go:411: 2025/06/11 17:38:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for test-mock:12345, 200 OK in 2.1ms @ auth/auth.go:145(auth.SignIn)
testlogger.go:411: 2025/06/11 17:38:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for test-mock:12345, 303 See Other in 2.1ms @ auth/auth.go:179(auth.SignInPost)
testlogger.go:411: 2025/06/11 17:38:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/settings/applications for test-mock:12345, 200 OK in 3.8ms @ setting/applications.go:25(setting.Applications)
testlogger.go:411: 2025/06/11 17:38:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/settings/applications for test-mock:12345, 303 See Other in 5.1ms @ setting/applications.go:35(setting.ApplicationsPost)
testlogger.go:411: 2025/06/11 17:38:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/settings/applications for test-mock:12345, 200 OK in 2.9ms @ setting/applications.go:25(setting.Applications)
testlogger.go:411: 2025/06/11 17:38:23 ...eb/routing/logger.go:102:func1() [I] router: completed POST /api/v1/repos/migrate for test-mock:12345, 0 in 992.0ms @ repo/migrate.go:38(repo.Migrate)
api_repo_test.go:400:
Error Trace: /home/earl-warren/software/forgejo/tests/integration/api_repo_test.go:400
Error: Not equal:
expected: 201
actual : 200
Test: TestAPIRepoMigrate
api_repo_test.go:402:
Error Trace: /home/earl-warren/software/forgejo/tests/integration/integration_test.go:649
/home/earl-warren/software/forgejo/tests/integration/api_repo_test.go:402
Error: Received unexpected error:
EOF
Test: TestAPIRepoMigrate
```
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8155): <!--number 8155 --><!--line 0 --><!--description ZG8gbm90IGZhaWwgd2hlbiByZWxlYXNlIG9yIHdpa2kgaXMgc2V0IGluIGAvcmVwb3MvbWlncmF0ZWAgQVBJ-->do not fail when release or wiki is set in `/repos/migrate` API<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8167
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7640
Currently, if you have a mirrored repo, the button on the "branches"
page to create a new branch is available to be pressed. Once you name
your new branch and click submit, you get a 404 page that doesn't explain
what went wrong.
As new branch creation is not supported on mirrored repos, let's just
take that button away if the repo is a mirror. This is already done for
archived repos, so we just need to add another check.
Fixes#7639.
Co-authored-by: John Moon <john.moon@vts-i.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7869
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7773
- I was not able to find a reasoning in the pull request (https://github.com/go-gitea/gitea/pull/9784) for the existence of this `time.Sleep`. The best I could come up with during manual testing is that there's a brief moment where 'this pull request is missing fork information' is shown, this was caused by an incorrect condition.
- Added integration test.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7774
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Test two scenarios:
1. Account linking is set to `auto` and tries to link against a user who
is enrolled into Webauthn should show 2FA screen.
2. User is already linked and logins via OAuth2 and is enrolled into
WebAuthn should show 2FA screen.
(cherry picked from commit aa4ae81fe0)
- A permission check is done when incoming SSH connections are handled (this is
run before git hooks). If this check is for write access and AGit flow
is supported, then this check is degraded to a read check. The
motivation behind this is that for AGit flow the user does not need
write permissions but only read permissions.
- The `if` condition cannot check if this is for AGit flow, as the Git
protocol has not run yet and thus has to delay this permission check.
This `if` condition failed to consider that this also might be run for
LFS which does not care about AGit flow and would not do a delayed
permission check, so ensure that this degradition only happens when the
`git-receive-pack` command is being run (which roughly equals to `git
push`).
- Clarify code comment.
- Added integration test.
(cherry picked from commit 60c1af244a)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7683
- The OAuthCallback code that is responsible for creating a new user, if one does not exist yet, did not use `[service].ALLOW_ONLY_EXTERNAL_REGISTRATION` as default value for the restricted field of a user.
- Resolvesforgejo/forgejo#7681
- Add integration test.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7688
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7648
The only parameter that is ever used is a single directory, make it that only instead of a more complex option structure.
Remove tests.AddFixtures that was the simpler form because it is now redundant.
---
Backporting to v11.0 will help with automated backporting of bug fixes in need of custom made fixtures.
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7649
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
- The pagination labels 'First', 'Previous', 'Next' and 'Last' are
hidden away when the screen width becomes smaller. However this also
hides them from the screen reader. Instead of using `display: none`, use
some well-known tricks to still make them visible to the screen reader.
- Add E2E test.
- ResolvesCodeberg/Community#1858
(cherry picked from commit b6072496d4)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7594
Fixes https://codeberg.org/forgejo/forgejo/issues/7591
Followup to https://codeberg.org/forgejo/forgejo/pulls/6203
Without the 3rd commit, when this test runs, an error message appears in the logs:
```
[E] Missing translation "incorrect_root_url"
```
With it, it does not. No changes to the actual locale handling are expected and I'm hoping there's enough other testing in place for that.
Reported-by: Paweł Bogusławski <pboguslawski@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7599
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7261
- When trying to view a submodule directory via the normal `/src/branch/` path, generate a redirect link to the submodule location.
- Resolvesforgejo/forgejo#5267
Co-authored-by: Gnarwhal <git.aspect893@passmail.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7450
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7395
- Add `binding:"In(...)"` to the `default_merge_style` and `default_update_style` fields to only accept recognized merge and update styles.
- Resolvesforgejo/forgejo#7389
- Added integration test for the API (`binding` works in the exact same way for the API and web routes).
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7401
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7355
- Always initialize `RequestedReviewers` and `RequestedReviewersTeams`, this avoids the JSON encoder from encoding it to the zero value `null` and instead return a empty array.
- Resolves#4108
- Integration test added.
Co-authored-by: ThomasBoom89 <thomasboom89@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7365
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7344
- This makes the `repo-settings` e2e testing happy.
- There's no point into checking `vertical-align`; it has no effect when `position: absolute` is set, which is is currently set unconditionally for checkboxes and radios on forms.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7345
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
- This is a follow up on #7193 and resolves#6312.
- The ID by itself is not very useful, so also return the index of the workflow run.
Co-authored-by: Klaus Fyhn <klausfyhn@gmail.com>
Co-authored-by: Klaus Fyhn <klfj@mir-robots.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7286
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: klausfyhn <klausfyhn@noreply.codeberg.org>
Co-committed-by: klausfyhn <klausfyhn@noreply.codeberg.org>
Per #6507, platform information was missing from the rubygems package registry, so binary gems where not served correctly. This change adds the platform information when necessary.
Co-authored-by: f <f@sutty.nl>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7257
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: fauno <fauno@noreply.codeberg.org>
Co-committed-by: fauno <fauno@noreply.codeberg.org>
