Commit graph

643 commits

Author SHA1 Message Date
Earl Warren
8f88817c00 test(oauth): RFC 6749 Section 10.2 conformance
See:

1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client

(cherry picked from commit 592469464b)
2024-06-06 10:01:56 +00:00
Earl Warren
40bf161ff0 test(oauth): coverage for the redirection of a denied grant
See 886a675f62 Return `access_denied` error when an OAuth2 request is denied

(cherry picked from commit 32c882af91)
2024-06-05 14:19:38 +00:00
Lunny Xiao
d462b6d495
Fix push multiple branches error with tests (#31151)
(cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482)

Conflicts:
	tests/integration/git_push_test.go
	trivial context conflict because of
	2ac3dcbd43 test: hook post-receive for sha256 repos
(cherry picked from commit 62448bfb93)
(cherry picked from commit e8c776c79384c1c0a4d707ce5084b27347703848)
2024-06-03 09:47:51 +02:00
Earl Warren
bad8e72bcd
tests(integration): add TestPullMergeBranchProtect
Verify variations of branch protection that are in play when merging a
pull request as:

* instance admin
* repository admin / owner
* user with write permissions on the repository

In all cases the result is expected to be the same when merging
the pull request via:

* API
* web

Although the implementations are different.

(cherry picked from commit 793421bf59)

Conflicts:
	tests/integration/pull_merge_test.go
	trivial context conflict
2024-06-02 22:05:08 +02:00
Earl Warren
6827a4a669
test(integration): add protected file to doBranchProtect
A protected file pushed to a protected branch branch is not allowed.

(cherry picked from commit e0eba21ab7)
2024-06-02 22:00:40 +02:00
Earl Warren
e0cd813927
test(integration): refactor doBranchProtectPRMerge
* group test cases to clarify their purpose
* remove pull request branch protection tests, they are redundant
  with TestPullMergeBranchProtect

(cherry picked from commit 0d8478b82e)

Conflicts:
	tests/integration/git_test.go
	trivial context conflict
2024-06-02 22:00:18 +02:00
Earl Warren
9b17f6fd24
test(integration): refactor testPullMerge
* split into testPullMergeForm which can be called directly if
  the caller wants to specify extra parameters.
* testPullMergeForm can expect something different than StatusOK

(cherry picked from commit 20591d966e)
2024-06-02 21:53:46 +02:00
Earl Warren
9cd730a063
test(integration): refactor doAPIMergePullRequest
* http.StatusMethodNotAllowed can be expected: only retry if the
  error message is "Please try again later"
* split into doAPIMergePullRequestForm which can be called directly if
  the caller wants to specify extra parameters.

(cherry picked from commit 49aea9879b)
2024-06-02 21:53:46 +02:00
Earl Warren
68d803aae4
test(integration): refactor doProtectBranch
explicitly specify the parameters instead of providing them as
arguments so the caller has a more fine grain control over them.

(cherry picked from commit 70aa294cc1)
2024-06-02 21:53:46 +02:00
Earl Warren
b4d792d2a2
test(integration): add t.Helper() to reduce stack polution
Without the a testify stack is likely to not show the relevant test.

(cherry picked from commit 4c2ed3c35d)
2024-06-02 21:53:46 +02:00
Earl Warren
4cbfd383e9 tests(api): POST /repos/{owner}/{repo}/push_mirrors coverage
(cherry picked from commit 166bb2861f)
2024-06-02 15:45:31 +00:00
Jade Lovelace
900381d6e9 Add an immutable tarball link to archive download headers for Nix
This allows `nix flake metadata` and nix in general to lock a *branch*
tarball link in a manner that causes it to fetch the correct commit even
if the branch is updated with a newer version.

For further context, Nix flakes are a feature that, among other things,
allows for "inputs" that are "github:someuser/somerepo",
"https://some-tarball-service/some-tarball.tar.gz",
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
tarballs of git-based inputs to their builds rather than using git to
fetch them, saving significant download time.

There is presently no gitea or forgejo specific fetcher in Nix, and we
don't particularly wish to have one. Ideally (as a developer on a Nix
implementation myself) we could just use the generic tarball fetcher and
not add specific forgejo support, but to do so, we need additional
metadata to know which commit a given *branch* tarball represents, which
is the purpose of the Link header added here.

The result of this patch is that a Nix user can specify `inputs.something.url =
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
and get a link to some concrete tarball for the actual commit in the
lock file, then when they run `nix flake update` in the future, they
will get the latest commit in that branch.

Example of it working locally:

 » nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
Resolved URL:  http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
Locked URL:    804ede182b.tar.gz?dir=configs
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
Description:   Computers with the nixos
Path:          /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
Revision:      804ede182b6b66469b23ea4d21eece52766b7a06
Last modified: 2024-05-02 00:48:32

For details on the header value, see:
56763ff918/doc/manual/src/protocols/tarball-fetcher.md

(cherry picked from commit 6631f56ebf)
2024-05-29 18:50:14 +00:00
Earl Warren
75554579a6 Merge pull request '[v7.0/forgejo] mysql: faster user deletion (hook_task query) for mariadb 10' (#3888) from bp-v7.0/forgejo-4ffda65-bb165fa into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3888
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-24 13:45:38 +00:00
oliverpool
cef84d7abf test: check hook_task deletion
move test to integration to ensure Sqlite + MySQL testing

(cherry picked from commit bb165fadf6)
2024-05-24 12:46:33 +00:00
Gergely Nagy
9ac51ddeb7 tests: Add a test for code expansion on PRs
This adds a new test case to `TestCompareCodeExpand` to exercise the
case where we're viewing a PR's diff.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit fd9ee1901b)
2024-05-24 12:45:35 +00:00
wxiaoguang
d3b4f9d326 Fix incorrect "blob excerpt" link when comparing files (#31013)
When comparing files between the base repo and forked repo, the "blob
excerpt" link should point to the forked repo, because the commit
doesn't exist in base repo.

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit f48cc501c46a2d34eb701561f01d888d689d60d5)

Conflicts:
	- templates/repo/diff/section_split.tmpl
	- templates/repo/diff/section_unified.tmpl
          Resolved the conflict by picking Gitea's change over ours, and
	  porting it.
	- tests/integration/compare_test.go
	  Kept our test, but picked the "compare all of the relevant
	  links" part of the Gitea test.
(cherry picked from commit a62a887649)
2024-05-24 12:45:35 +00:00
Gergely Nagy
ef4c6abbb9 badges: Relax the default workflow badge conditions
Previously, if no branch was explicitly specified for a workflow, it
defaulted to the default branch of the repo. This worked fine for
workflows that were triggered on push, but it prevented showing badges
for workflows that only run on tags, or on schedule - since they do not
run on a specific branch.

Thus, relax the conditions, and if no branch is specified, just return
the latest run of the given workflow. If one is specified, *then*
restrict it to said branch.

Fixes #3487.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit d6915f4d5f)
2024-05-20 10:47:25 +00:00
Earl Warren
4ecbb2ef1b Merge pull request '[gitea] week 2024-20-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#3772) from earl-warren/wcp/2024-20-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3772
Reviewed-by: Beowulf <beowulf@noreply.codeberg.org>
2024-05-16 15:36:08 +00:00
oliverpool
d877f18092 test-sha256: APICreateFile
(cherry picked from commit 67effd6985)
2024-05-16 13:07:14 +00:00
oliverpool
32a0e1e2b4 test-sha256: APICreateBranch
(cherry picked from commit df8aaeb1d5)
2024-05-16 13:07:14 +00:00
oliverpool
ab4570d0cb test-sha256: PushDeployKeyOnEmptyRepo
(cherry picked from commit 348182f4b3)
2024-05-16 13:07:14 +00:00
oliverpool
7c40672ddf test: useless duplication
(cherry picked from commit e3e82d02ad)
2024-05-16 13:07:14 +00:00
oliverpool
6de1f714f3 test: hook post-receive for sha256 repos
failing push-to-create for sha256 will be fixed in a followup PR

(cherry picked from commit 2ac3dcbd43)
2024-05-15 21:08:15 +00:00
Zettat123
65529bd334
Update issue indexer after merging a PR (#30715)
Fix #30684

(cherry picked from commit f09e68ec33262d5356779572a0b1c66e6e86590f)

Conflicts:
	tests/integration/pull_merge_test.go
	trivial context conflict
(cherry picked from commit 8f0f6bf89c)

(cherry picked from commit df5513978a630355a28b6b42fcc63fe5d70652d8)
2024-05-14 16:00:57 +02:00
Lunny Xiao
d91839692f
Fix various problems around projects board view (#30696)
The previous implementation will start multiple POST requests from the
frontend when moving a column and another bug is moving the default
column will never be remembered in fact.

- [x] This PR will allow the default column to move to a non-first
position
- [x] And it also uses one request instead of multiple requests when
moving the columns
- [x] Use a star instead of a pin as the icon for setting the default
column action
- [x] Inserted new column will be append to the end
- [x] Fix #30701 the newly added issue will be append to the end of the
default column
- [x] Fix when deleting a column, all issues in it will be displayed
from UI but database records exist.
- [x] Add a limitation for columns in a project to 20. So the sorting
will not be overflow because it's int8.

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit a303c973e0264dab45a787c4afa200e183e0d953)

Conflicts:
	routers/web/web.go
	e91733468ef726fc9365aa4820cdd5f2ddfdaa23 Add missing database transaction for new issue (#29490) was not cherry-picked
	services/issue/issue.go
	fe6792dff3 Enable/disable owner and repo projects independently (#28805) was not cherry-picked
(cherry picked from commit 7d3ca90dfe)

(cherry picked from commit 084bec89ed7ae0816fc2d8db6784ad22523d1fc4)
2024-05-14 15:51:15 +02:00
Gergely Nagy
dc13eecc04 Expand code diffs against the commits repo
When expanding code diffs, the expansion should search for more context
in the commits repo, rather than in the repo in context, because the
commit may not be available in the base repo. For example, when
previewing a pull request, the commit is not in the target repo yet -
it's in the fork.

Fixes #3746.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 220c3fe3b3)
2024-05-14 12:06:44 +00:00
Gergely Nagy
00cfe9aef9 templates: Be more forgiving about missing package metadata
When rendering templates for packages, be more forgiving about missing
metadata. For some repository types - like maven - metadata is uploaded
separately. If that upload fails, or does not happen, there will be no
metadata.

In that case, Forgejo should handle it gracefully, and render as much of
the information as possible, without erroring out. Rendering without
metadata allows one to delete a partial package, while if we throw
errors, that becomes a whole lot harder.

This patch adjusts the generic metadata template, and also the maven
template. There may be more cases of the same problem lying around.

Fixes #3663.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit ac4d535dbf)
2024-05-10 18:10:25 +00:00
Gergely Nagy
9ba48419ba Teach activities.GetFeeds() how to avoid returning duplicates
Before explaining the fix itself, lets look at the `action` table, and
how it is populated. Data is only ever inserted into it via
`activities_model.NotifyWatchers`, which will:

- Insert a row for each activity with `UserID` set to the acting user's
  ID - this is the original activity, and is always inserted if anything
  is to be inserted at all.
- It will insert a copy of each activity with the `UserID` set to the
  repo's owner, if the owner is an Organization, and isn't the acting
  user.
- It will insert a copy of each activity for every watcher of the repo,
  as long as the watcher in question has read permission to the repo
  unit the activity is about.

This means that if a repository belongs to an organizations, for most
activities, it will have at least two rows in the table. For
repositories watched by people other than their owner, an additional row
for each watcher.

These are useful duplicates, because they record which activities are
relevant for a particular user. However, for cases where we wish to see
the activities that happen around a repository, without limiting the
results to a particular user, we're *not* interested in the duplicates
stored for the watchers and the org. We only need the originals.

And this is what this change does: it introduces an additional option to
`GetFeedsOptions`: `OnlyPerformedByActor`. When this option is set,
`activities.GetFeeds()` will only return the original activities, where
the user id and the acting user id are the same. As these are *always*
inserted, we're not missing out on any activities. We're just getting
rid of the duplicates. As this is an additional `AND` condition, it can
never introduce items that would not have been included in the result
set before, it can only reduce, not extend.

These duplicates were only affecting call sites where `RequestedRepo`
was set, but `RequestedUser` and `RequestedTeam` were not. Both of those
call sites were updated to set `OnlyPerformedByActor`. As a result,
repository RSS feeds, and the `/repos/{owner}/{repo}/activities/feeds`
API end points no longer return dupes, only the original activities.

Rather than hardcoding this behaviour into `GetFeeds()` itself, I chose
to implement it as an explicit option, for the sake of clarity.

Fixes Codeberg/Community#684, and addresses gitea#20986.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 9cb2aa989a)
2024-05-09 18:37:30 +00:00
yp05327
da993b09ad
Fix no edit history after editing issue's title and content (#30814)
Fix #30807

reuse functions in services

(cherry picked from commit a50026e2f30897904704895362da0fb12c7e5b26)

Conflicts:
	models/issues/issue_update.go
	routers/api/v1/repo/issue.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
(cherry picked from commit 6a4bc0289d)
2024-05-07 08:21:38 +01:00
Kemal Zebari
6ae15bc15e
Don't only list code-enabled repositories when using repository API (#30817)
We should be listing all repositories by default.

Fixes #28483.

(cherry picked from commit 9f0ef3621a3b63ccbe93f302a446b67dc54ad725)

Conflict:
   -		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeRead {
   +		if ctx.IsSigned && ctx.Doer.IsAdmin || permission.HasAccess() {
   because of https://codeberg.org/forgejo/forgejo/pulls/2001
(cherry picked from commit e388822e9d)
2024-05-07 08:17:35 +01:00
Kemal Zebari
5678e9ab20
Catch and handle unallowed file type errors in issue attachment API (#30791)
Before, we would just throw 500 if a user passes an attachment that is
not an allowed type. This commit catches this error and throws a 422
instead since this should be considered a validation error.

(cherry picked from commit 872caa17c0a30d95f85ab75c068d606e07bd10b3)

Conflicts:
	tests/integration/api_comment_attachment_test.go
	tests/integration/api_issue_attachment_test.go
	trivial context conflict because of 'allow setting the update date on issues and comments'
(cherry picked from commit 9cd0441cd3)
2024-05-07 08:12:34 +01:00
wxiaoguang
abf40ee957
Skip gzip for some well-known compressed file types (#30796)
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit be112c1fc30f87a248b30f48e891d1c8c18e8280)

Conflicts:
	routers/web/web.go
	trivial conflict because of https://codeberg.org/forgejo/forgejo/pulls/1533
(cherry picked from commit 4e35e5b8ae)
2024-05-07 07:59:45 +01:00
JakobDev
d449fcff0a Show repo count in blocked users tab (#3601)
Fixes #3595

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3601
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-committed-by: JakobDev <jakobdev@gmx.de>
(cherry picked from commit d50efa626a)
2024-05-02 17:10:06 +00:00
Earl Warren
ad0b97c7c2 Merge pull request '[v1.22/gitea] week 2024-18 cherry pick v7.0 (take 2)' (#3580) from earl-warren/forgejo:wip-v7.0-gitea-cherry-pick into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3580
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-05-01 12:36:57 +00:00
Gergely Nagy
36b8e68eee
Add a test case for unsubscribing from an issue
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 13:32:39 +02:00
Gergely Nagy
f83ae0fad2
tests: Support creating a declarative repo without AutoInit
To be able to easily test cases where the repository does not have any
code, where the git repo itself is completely uninitialized, lets
support a case where the `AutoInit` property is false.

For the sake of backwards compatibility, if the option is not set either
way, it will default to `true`.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 13:32:39 +02:00
Gergely Nagy
0da02b9213
tests: Let CreateDeclarativeRepoWithOptions create a Wiki too
Add a new member to `DeclarativeRepoOptions`: `WikiBranch`. If
specified, create a Wiki with the given branch, and a single "Home"
page.

This will be used by an upcoming test.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 13:30:32 +02:00
Gergely Nagy
13892121e6
tests: Refactor CreateDeclarativeRepo
Lets introduce a new helper function,
`CreateDeclarativeRepoWithOptions`! This is almost the same as the
existing `CreateDeclarativeRepo` helper, but instead of taking a list of
random parameters the author thought of at the time of its introduction,
it takes a `DeclarativeRepoOptions` struct, with optional members.

This makes it easier to extend the function, as new members can be added
without breaking or having to update existing callsites, as long as the
newly added members default to compatible values.

`CreateDeclarativeRepo` is then reimplemented on top of the new
function. Callsites aren't updated yet, we can do that organically,
whenever touching code that uses the older function.

No new functionality is introduced just yet, this is merely a refactor.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 13:29:21 +02:00
6543
2da615c37c
Get repo assignees and reviewers should ignore deactivated users (#30770) (#30782)
Backport  #30770

If an user is deactivated, it should not be in the list of users who are
suggested to be assigned or review-requested.

old assignees or reviewers are not affected.

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit 022eac4ac8e59f861237cc1e02f7ef117eaf8e30)

Conflicts:
	models/repo/user_repo_test.go
	because there is one less fixture user compared to Gitea
2024-05-01 08:31:47 +02:00
Otto
54f875df46 Merge pull request '[v7.0/forgejo] Show repo activities even if only code unit active or git repo is empty but issue is active' (#3514) from bp-v7.0/forgejo-c54896b into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3514
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
2024-04-29 21:41:09 +00:00
Beowulf
0b7e2ba549 Fixes that the settings button moves in the overflow menu
and the add more button is on the right

This fix moves the settings button back to the right and the add more
button back to the left.

(cherry picked from commit fb5e36bc6f)
2024-04-29 10:54:39 +00:00
Beowulf
135764f244 Show repo activities even if only code unit active or git repo is empty but issue is active (#3455)
When all repository units are deactivated except for the code unit, the activity tab will not be shown.
Since the activities tab also shows contributing stats, it would be good to show the activities tab also when only code is active.
This commit changes the behavior when the activities tab is shown.
Previous it would only be shown when Issues, Pull-Requests or Releases are activated. Now it would additionally be shown when the code unit is activated.

Refs: #3429

| Before (Code + Issues - Owner) | Before (Code - Viewer) | After (Code + Issues - Owner) | After (Code - Viewer) |
| -- | -- | -- | -- |
| ![image](/attachments/2af997bc-1f38-48c6-bdf3-cfbd7087b220)  | ![image](/attachments/ef1797f0-5c9a-4a1a-ba82-749f3ab4f403) | ![image](/attachments/fd28a96c-04ca-407e-a70d-d28b393f223d) | ![image](/attachments/2cd0d559-a6de-4ca0-a736-29c5fea81b5a) |
|  | `/activity` returns 404 for everyone | ![image](/attachments/e0e97d8f-48cb-4c16-a505-1fafa46c4b8e)  | - |

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3455
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
(cherry picked from commit c54896ba70)
2024-04-28 13:50:45 +00:00
Beowulf
5f5d66624e Move settings button back to the right in repo and org header
This will move the settings button back to the right, like known from
older versions.
For this, the overflow-menu was changed when a setting button is
available. If no settings button is available, the behavior will not
change.

Fixes #3301

(cherry picked from commit f9628f883d)
2024-04-28 06:21:47 +00:00
Gergely Nagy
9860af7f39 services/convert: Convert a Repository's ObjectFormatName too
When converting a `repo_model.Repository` to `api.Repository`, copy the
`ObjectFormatName` field too.

Fixes #3458.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 2385f3c9db)
2024-04-26 08:55:40 +00:00
Earl Warren
5083ea72fb [v7.0/forgejo] fix(ui): /settings/lfs/find 500 error (#3451)
When in the repository settings, visiting

- `LFS` to `/{owner}/{repo}/settings/lfs`
- `Find pointer files` to `/{owner}/{repo}/settings/lfs/pointers`
- `Find commits` to `/{owner}/{repo}/settings/lfs/find?oid=...`

failed with an error 500 because of an incorrect evaluation of the
template.

Regression introduced by
cbf923e87b

A test is added to visit the page and guard against future
regressions.

Refs: https://codeberg.org/forgejo/forgejo/issues/3438
(cherry picked from commit 078229a5e4)

Also has a backport of https://codeberg.org/forgejo/forgejo/pulls/3465/files to ensure the test fails.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3451
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2024-04-25 21:46:25 +00:00
Earl Warren
21a853aac7 test(cli): admin user change-password --must-change-password
(cherry picked from commit b9424e634f)
2024-04-24 22:26:37 +00:00
Earl Warren
8b4ca4501a test(cli): admin user create and must change password value
(cherry picked from commit eb74846d7d)
2024-04-24 22:26:37 +00:00
Earl Warren
f58e0d8617 fix(incoming): allow replies to comments
- allow attachments to code comments
- incoming mails from issue comments are now identified as comments

Fixes: https://codeberg.org/forgejo/forgejo/issues/3374
(cherry picked from commit 54285319f6)
2024-04-22 22:43:16 +00:00
silverwind
d6689b88a8
Run go generate and go vet on all packages (#30529)
Fixes: https://github.com/go-gitea/gitea/issues/30512

I think this does mean those tools would run on a potential `vendor`
directory, but I'm not sure we really support vendoring of dependencies
anymore.

`release` has a `vendor` prerequisite so likely the source tarballs
contain vendor files?

(cherry picked from commit 8e12ef911a1d10dedb03e3127c42ca76f9850aca)

Conflicts:
	- Makefile
	  Manually adjusted the changes.
(cherry picked from commit 3918db10c8)
2024-04-21 18:09:48 +02:00
Gergely Nagy
aacc13fca8 hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Signed-off-by: Earl Warren <contact@earl-warren.org>
(cherry picked from commit 8eba631f8d)
2024-04-20 05:58:39 +00:00