Commit graph

15696 commits

Author SHA1 Message Date
Giteabot
8fa9d9dcc9
Fix panic when migrating a repo from GitHub with issues (#25246) (#25247)
Backport #25246 by @wolfogre

Fix #25245. Regression of #23946.

Co-authored-by: Jason Song <i@wolfogre.com>
2023-06-14 07:08:08 +00:00
Giteabot
21cd5c2f3d
Fix all possible setting error related storages and added some tests (#23911) (#25244)
Backport #23911 by @lunny

Follow up #22405

Fix #20703 

This PR rewrites storage configuration read sequences with some breaks
and tests. It becomes more strict than before and also fixed some
inherit problems.

- Move storage's MinioConfig struct into setting, so after the
configuration loading, the values will be stored into the struct but not
still on some section.
- All storages configurations should be stored on one section,
configuration items cannot be overrided by multiple sections. The
prioioty of configuration is `[attachment]` > `[storage.attachments]` |
`[storage.customized]` > `[storage]` > `default`
- For extra override configuration items, currently are `SERVE_DIRECT`,
`MINIO_BASE_PATH`, `MINIO_BUCKET`, which could be configured in another
section. The prioioty of the override configuration is `[attachment]` >
`[storage.attachments]` > `default`.
- Add more tests for storages configurations.
- Update the storage documentations.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-14 08:36:52 +02:00
Giteabot
22948048b2
Revert overflow: overlay (revert #21850) (#25231) (#25239)
Backport #25231 by @wxiaoguang

It causes not only one issue like #25221 (the footer width was also
affected by that change and was fixed some time ago)

The problem of "overflow: overlay" (#21850) is:

* It's not widely supported and is non-standard
https://caniuse.com/css-overflow-overlay
* It's not widely tested in Gitea (some standard layout like `ui
container + ui grid` may break it).
* The benefit seems smaller than the problems it brings.

So, I think it is good to revert it.

----

Let's leave enough time for testing and reviewing.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-13 19:45:45 +00:00
Giteabot
fa28d0e706
Do not overwrite the log mode when installing (#25203) (#25209)
Backport #25203 by @wxiaoguang

Fix #24861

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-13 20:35:37 +02:00
Giteabot
3ea544d89c
Change access token UI to select dropdowns (#25109) (#25230)
Backport #25109 by @jtran

The current UI to create API access tokens uses checkboxes that have a
complicated relationship where some need to be checked and/or disabled
in certain states. It also requires that a user interact with it to
understand what their options really are.

This branch changes to use `<select>`s. It better fits the available
options, and it's closer to [GitHub's
UI](https://github.com/settings/personal-access-tokens/new), which is
good, in my opinion. It's more mobile friendly since the tap-areas are
larger. If we ever add more permissions, like Maintainer, there's a
natural place that doesn't take up more screen real-estate.

This branch also fixes a few minor issues:

- Hide the error about selecting at least one permission after second
submission
- Fix help description to call it "authorization" since that's what
permissions are about (not authentication)

Related: #24767.

<img width="883" alt="Screenshot 2023-06-07 at 5 07 34 PM"
src="https://github.com/go-gitea/gitea/assets/10803/6b63d807-c9be-4a4b-8e53-ecab6cbb8f76">

---

When it's open:

<img width="881" alt="Screenshot 2023-06-07 at 5 07 59 PM"
src="https://github.com/go-gitea/gitea/assets/10803/2432c6d0-39c2-4ca4-820e-c878ffdbfb69">

Co-authored-by: Jonathan Tran <jon@allspice.io>
2023-06-13 12:42:25 +00:00
Giteabot
9cef7a4600
Use inline SVG for built-in OAuth providers (#25171) (#25234)
Backport #25171 by @silverwind

The plan is that all built-in auth providers use inline SVG for more
flexibility in styling and to get the GitHub icon to follow
`currentcolor`. This only removes the `public/img/auth` directory and
adds the missing svgs to our svg build.

It should map the built-in providers to these SVGs and render them. If
the user has set a Icon URL, it should render that as an `img` tag
instead.

```
gitea-azure-ad
gitea-bitbucket
gitea-discord
gitea-dropbox
gitea-facebook
gitea-gitea
gitea-gitlab
gitea-google
gitea-mastodon
gitea-microsoftonline
gitea-nextcloud
gitea-twitter
gitea-yandex
octicon-mark-github
```

GitHub logo is now white again on dark theme:

<img width="431" alt="Screenshot 2023-06-12 at 21 45 34"
src="https://github.com/go-gitea/gitea/assets/115237/27a43504-d60a-4132-a502-336b25883e4d">

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-13 12:04:40 +00:00
Giteabot
c207b94e0c
Fix task list checkbox toggle to work with YAML front matter (#25184) (#25227)
Backport #25184 by @jtran

Fixes #25160.

`data-source-position` of checkboxes in a task list was incorrect
whenever there was YAML front matter. This would result in issue content
or PR descriptions getting corrupted with random `x` or space characters
when a user checked or unchecked a task.

Co-authored-by: Jonathan Tran <jon@allspice.io>
2023-06-13 08:23:21 +00:00
Giteabot
506c70884a
Fix compatible for webhook ref type (#25195) (#25223)
Backport #25195 by @lunny

Fix #25185 
Caused by #24634

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-06-13 06:51:50 +00:00
Giteabot
f64f5495af
Hide limited users if viewed by anonymous ghost (#25214) (#25220)
Backport #25214 by @KN4CK3R

The ghost user leads to inclusion of limited users/orgs in
`BuildCanSeeUserCondition`.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-06-13 13:53:26 +08:00
Giteabot
3e9fc36729
Remove hacky patch for "safari emoji glitch fix" (#25208) (#25211)
Backport #25208 by @wxiaoguang

According to my test, the UI (emoji) is fine in Safari

And actually the code is just dead code, because the "resize" event is
never fired on page loading. So for most cases users just view the pages
without this hacky patch, nobody ever complains.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-12 18:16:04 +02:00
Giteabot
8e798ebbdf
Fix fullscreen for action (#25200) (#25207)
Backport #25200 by @HesterG

An error occurs when clicking on `show full screen` on action page.

<img width="1440" alt="Screen Shot 2023-06-12 at 13 06 52"
src="https://github.com/go-gitea/gitea/assets/17645053/1d4ded3c-fb77-4dd8-9201-24d0696f96eb">


class name has changed in #25134, so the selector is not working. 
Enhance the selectors to fix this.

Co-authored-by: HesterG <hestergong@gmail.com>
2023-06-12 15:41:13 +00:00
Giteabot
0ad5ae0dbf
Improve some documents: release version, logging, NFS lock (#25202) (#25204)
Backport #25202 by @wxiaoguang

Close #23654

Close #24684


@techknowlogick I still think we need to rename
https://dl.gitea.com/gitea/1.20/ to
https://dl.gitea.com/gitea/1.20-nightly/

`/gitea/1.20/` is quite confusing, it needs these words to explain why.
If we call it `1.20-nightly`, the FAQ can be simplified a lot.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-12 23:17:43 +08:00
Giteabot
0cf467e9e0
Minor arc-green color tweaks (#25175) (#25205)
Backport #25175 by @silverwind

Some minor color tweaks

<img width="1271" alt="Screenshot 2023-06-09 at 13 29 25"
src="https://github.com/go-gitea/gitea/assets/115237/b7b34995-5d34-461f-8d19-4f5755a98109">
<img width="1272" alt="Screenshot 2023-06-09 at 13 31 20"
src="https://github.com/go-gitea/gitea/assets/115237/63c866b4-797e-46ed-ba28-b1162ccd3e15">
<img width="1276" alt="Screenshot 2023-06-09 at 13 32 21"
src="https://github.com/go-gitea/gitea/assets/115237/de7ee02e-d0c7-4979-a8aa-0fd03e8db491">

Co-authored-by: silverwind <me@silverwind.io>
2023-06-12 13:56:59 +02:00
Giteabot
5ff0f7d0ca
Add WithPullRequest for actionsNotifier (#25144) (#25197)
Backport #25144 by @Zettat123

Fix #25093

If
[`WithPullRequest`](679b1f7949/services/actions/notifier_helper.go (L90-L96))
is not called, the `Ref` in
[`notifyInput`](679b1f7949/services/actions/notifier_helper.go (L55-L65))
will be empty, so the workflows in the head branch will not be found and
triggered.
2023-06-12 17:08:09 +08:00
silverwind
224ee0d4e5
Fix strange UI behavior of cancelling dismiss review modal (#25172)
Backport clean cherry-picks of
https://github.com/go-gitea/gitea/pull/25133 and
https://github.com/go-gitea/gitea/pull/25162 to 1.20.
2023-06-11 02:54:30 +00:00
silverwind
ee26d1c578
Button and color enhancements (#24989) (#25176)
Backport #24989. Clean cherry-pick aside from one small conflict with
divider.

- Various corrections to button styles, especially secondary
- Remove focus highlight, it's annoying when it stays on button after
press
- Clearly define ghost and link buttons with demos in devtest
- Remove black, grey and tertiary buttons, they should not be used
- Make `arc-green` slightly darker

<img width="1226" alt="image"

src="https://github.com/go-gitea/gitea/assets/115237/8d89786a-01ab-40f8-ae5a-e17f40e35084">
<img width="1249" alt="image"

src="https://github.com/go-gitea/gitea/assets/115237/83651e6d-3c27-46ff-b8bd-ff344d70e949">
2023-06-11 02:13:08 +00:00
Giteabot
18093d4c9a
Fix mobile navbar and misc cleanups (#25134) (#25169)
Backport #25134 by @silverwind

- Fix and improve mobile navbar layout
- Apply all cleanups suggested in
https://github.com/go-gitea/gitea/pull/25111
- Make media query breakpoints match Fomantic's exactly
- Clean up whitespace in class on navbar items

Mobile navbar before and after:
<img width="745" alt="Screenshot 2023-06-08 at 08 40 56"
src="https://github.com/go-gitea/gitea/assets/115237/ca84b239-b10f-41db-8c06-dcf2b6dd9d28">
<img width="739" alt="Screenshot 2023-06-08 at 08 41 23"
src="https://github.com/go-gitea/gitea/assets/115237/09133c54-eb7e-4110-858c-ead23c3b7521">
2023-06-11 09:50:39 +08:00
Giteabot
de1d14590d
Fix bug for code search if code is disabled (#25173) (#25181)
Backport #25173 by @lunny

Fix https://github.com/go-gitea/gitea/pull/24189/files#r1224144768

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-06-09 19:32:55 +00:00
Giteabot
0058453fd9
Modify OAuth login ui and fix display name, iconurl related logic (#25030) (#25161)
Backport #25030 by @HesterG

Close #24808 

Co-Authour @wxiaoguang @silverwind 

1. Most svgs are found from https://worldvectorlogo.com/ , and some are
from conversion of png to svg. (facebook and nextcloud). And also
changed `templates/user/settings/security/accountlinks.tmpl`.

2. Fixed display name and iconurl related logic

# After

<img width="1436" alt="Screen Shot 2023-06-05 at 14 09 05"
src="https://github.com/go-gitea/gitea/assets/17645053/a5db39d8-1ab0-4676-82a4-fba60a1d1f84">

On mobile

<img width="378" alt="Screen Shot 2023-06-05 at 14 09 46"
src="https://github.com/go-gitea/gitea/assets/17645053/71d0f51b-baac-4f48-8ca2-ae0e013bd62e">


user/settings/security/accountlinks (The dropdown might be improved
later)

<img width="973" alt="Screen Shot 2023-06-01 at 10 01 44"
src="https://github.com/go-gitea/gitea/assets/17645053/27010e7e-2785-4fc5-8c49-b06621898f37">

Co-authored-by: HesterG <hestergong@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-09 10:59:18 +00:00
Giteabot
7679f4d51a
Fix open redirect check for more cases (#25143) (#25154)
Backport #25143 by @lafriks

If redirect_to parameter has set value starting with `\\example.com`
redirect will be created with header `Location: /\\example.com` that
will redirect to example.com domain.

Co-authored-by: Lauris BH <lauris@nix.lv>
2023-06-08 18:03:42 +02:00
Giteabot
82a8c26bbf
Update js dependencies (#25137) (#25151)
Backport #25137 by @silverwind

- Update all JS dependencies
- Tweak eslint for more generic globs
- Tested mermaid, pdf, monaco

Co-authored-by: silverwind <me@silverwind.io>
2023-06-08 12:05:13 +00:00
Giteabot
cb113991a3
Remove incorrect element ID on "post-install" page (#25104) (#25129)
Backport #25104 by @wxiaoguang

That ID is a "copy&paste" error, it conflicts with the
`initRepoMigrationStatusChecker` logic, which is the right function for
a real `#repo_migrating` element. That wrong ID causes incorrect page
navigation after installation.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-06-08 11:22:32 +00:00
Giteabot
0bf07a7f61
Improve notification icon and navbar (#25111) (#25124)
Backport #25111 by @silverwind

Improvements to the notification icon and `<nav>`:

- Add a opaque color for header hover and use it, allowing the border to
be the right color on hover (sadly, not otherwise possible with CSS, not
even `color-mix`).
- Increase font size by 1px
- Use flexbox for slightly better text centering
- Reduce padding of user and add repo button, add margin on right side
of user menu
- Remove the `following bar` wrapper on navbar

<img width="176" alt="Screenshot 2023-06-07 at 00 07 08"
src="https://github.com/go-gitea/gitea/assets/115237/23cdc3d6-7f63-49df-bec3-f2e75e32a304">
<img width="63" alt="Screenshot 2023-06-07 at 00 07 14"
src="https://github.com/go-gitea/gitea/assets/115237/fae602c2-4467-4d50-b1ec-56317843f9a2">
<img width="84" alt="Screenshot 2023-06-07 at 00 07 36"
src="https://github.com/go-gitea/gitea/assets/115237/c48141b8-0b3c-48cc-846a-3a272524dbdb">
<img width="329" alt="Screenshot 2023-06-07 at 00 25 10"
src="https://github.com/go-gitea/gitea/assets/115237/cda612f1-426e-466b-a351-fc992bfd18fd">
<img width="186" alt="Screenshot 2023-06-07 at 00 35 45"
src="https://github.com/go-gitea/gitea/assets/115237/04484a2e-9bbf-493c-aa26-8e936da008fa">
<img width="797" alt="Screenshot 2023-06-07 at 16 57 40"
src="https://github.com/go-gitea/gitea/assets/115237/e7ccb672-5807-4cb6-b306-b18ae0c7e321">

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-06-08 10:19:13 +00:00
Giteabot
adb5b9c061
Fix incorrect git ignore rule and add missing license files (#25135) (#25138)
Backport #25135 by @yp05327

Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-08 09:41:08 +00:00
HesterG
f0c967560a
Change branch name from master to main in some documents' links (#25126) (#25140)
Backport #25126 to 1.20

As title. And needs to backport to 1.19
2023-06-08 09:40:05 +00:00
Giteabot
1cc63ade82
Fix MilestoneIDs when querying issues (#25125) (#25141)
Backport #25125 by @Zettat123

Fix #25114

Co-authored-by: Zettat123 <zettat123@gmail.com>
2023-06-08 11:03:53 +02:00
Denys Konovalov
eac1bddb8d
fix swagger documentation for multiple files API endpoint (#25110)
Fixes some issues with the swagger documentation for the new multiple
files API endpoint (#24887) which were overlooked when submitting the
original PR:

1. add some missing parameter descriptions
2. set correct `required` option for required parameters
3. change endpoint description to match it full functionality (every
kind of file modification is supported, not just creating and updating)
2023-06-07 23:49:58 +08:00
wxiaoguang
027014d7de
Fix webauthn regression and improve code (#25113)
Follow:

* #22697

There are some bugs in #22697:

* https://github.com/go-gitea/gitea/pull/22697#issuecomment-1577957966
* the webauthn failure message is never shown and causes console error
* The `document.getElementById('register-button')` and
`document.getElementById('login-button')` is wrong
    * there is no such element in code
    * it causes JS error when a browser doesn't provide webauthn
    * the end user can't see the real error message

These bugs are fixed in this PR.

Other changes:

* Use simple HTML/CSS layouts, no need to use too many `gt-` patches
* Make the webauthn page have correct "page-content" layout
* The "data-webauthn-error-msg" elements are only used to provide locale
texts, so move them into a single "gt-hidden", then no need to repeat a
lot of "gt-hidden" in code
* The `{{.CsrfTokenHtml}}`  is a no-op because there is no form
* Many `hideElem('#webauthn-error')` in code is no-op because the
`webauthn-error` already has "gt-hidden" by default
* Make the tests for "URLEncodedBase64" really test with concrete cases.


Screenshots:

* Error message when webauthn fails (before, there is no error message):

<details>


![image](https://github.com/go-gitea/gitea/assets/2114189/93cf9559-d93b-4f06-9d98-0f7032d9c65b)

</details>

* Error message when webauthn is unavailable 

<details>


![image](https://github.com/go-gitea/gitea/assets/2114189/ffc0fcd9-b93b-4418-979c-c89bb627aaf2)

</details>
2023-06-07 19:20:18 +08:00
HesterG
58536093b3
Add details summary for vertical menus in settings to allow toggling (#25098)
Close #25051
[referenced
answer](https://stackoverflow.com/questions/10813581/can-i-replace-the-expand-icon-of-the-details-element/69722686#69722686)
for marker overwrite. One limitation is that fomantic does not have
hover and active effects for the vertical submenu
([reference](https://fomantic-ui.com/collections/menu.html#sub-menu)).
And we might need to overwrite some styles if hover and active effects
are needed.

Update:
Used `data:image/svg` instead of `marker` content. And adjusted styles
for hover effect.

Take admin settings as an example:

https://github.com/go-gitea/gitea/assets/17645053/63f69823-ef43-47d5-a518-544b5ea35ba6

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-06-07 10:49:48 +08:00
Jason Song
379ec13030
Fix 500 error caused by notifications without an issue such as repo transfers (#25101) 2023-06-06 23:17:56 +08:00
zeripath
036fb7861f
Clean up WebAuthn javascript code and remove JQuery code (#22697)
There were several issues with the WebAuthn registration and testing
code and the style
was very old javascript with jquery callbacks.

This PR uses async and fetch to replace the JQuery code.

Ref #22651

Signed-off-by: Andrew Thornton <art27@cantab.net>

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-06 13:29:37 +08:00
silverwind
c09f747b51
Enable all webpack sourcemaps in dev build, disable all in prod build (#25089)
- Enable all source maps in dev build
- Disable all source maps in prod build
- Provide `ENABLE_SOURCEMAP` env var to override it.

I think the strange error seen in
https://github.com/go-gitea/gitea/issues/24784 is sourcemap related, so
if we enable/disable them all, it might go away. But it's most
definitely a Safari bug.

With all sourcemaps disabled, binary size goes down by around 1-2 MB,
with all enabled it goes up by around 12MB. If +12MB is acceptable, we
could also always enable them by default as fully source maps do have
some debugging benefits.
2023-06-06 12:57:08 +08:00
Yevhen Pavlov
8d7893e817
Don't display select all issues checkbox when no issues are available (#25086)
Before:

![image](https://github.com/go-gitea/gitea/assets/1969460/8830c077-89d4-4897-a6e0-f5dba6830ff7)

After:

![image](https://github.com/go-gitea/gitea/assets/1969460/8fa06878-496b-4f65-87eb-04e1f94d4a3c)
2023-06-06 08:19:24 +08:00
techknowlogick
7c778d6b5e
change placeholders in actions docs 2023-06-05 11:32:56 -04:00
techknowlogick
d302a5ee65
change placeholders in actions docs 2023-06-05 11:28:51 -04:00
6543
395a6fabf3
fix "Remove stars when repo goes private #19904" (#25084)
https://github.com/go-gitea/gitea/pull/19904#discussion_r1218111682
2023-06-05 15:23:09 +00:00
sillyguodong
1a5f478ae1
Introduce how to configure cache when starting a Runner with Docker (#25077)
If a user starts a runner using a Docker image without making additional
configurations, the [cache action](https://github.com/actions/cache)
will not work properly.
Therefore, add a section in the documentation that explains how to
configure the cache correctly.
2023-06-05 14:12:55 +00:00
Wim
62ac3251fa
Remove stars when repo goes private (#19904)
Fixes #18600
2023-06-05 13:25:43 +00:00
wxiaoguang
8e63373c01
Use correct selector for hiding RSS icon link in the branch selector dropdown (#25080)
Fix  #25079


![image](https://github.com/go-gitea/gitea/assets/2114189/5d3f2f49-018a-4b75-8c90-ffafd898697a)


![image](https://github.com/go-gitea/gitea/assets/2114189/3e9dcf2e-eca7-4e96-be79-3b26f222cdb9)


![image](https://github.com/go-gitea/gitea/assets/2114189/855fffa4-0220-4ca2-a5e0-58c376fdc378)


![image](https://github.com/go-gitea/gitea/assets/2114189/f5ffa7e6-a974-4698-a45d-e38091903be1)
2023-06-05 12:34:25 +00:00
Lunny Xiao
315124b469
Fix parallelly generating index failure with Mysql (#24567) 2023-06-05 10:33:47 +00:00
Lunny Xiao
3d1fda737b
Use git command instead of the ini package to remove the origin remote (#25066) 2023-06-05 18:05:31 +08:00
Lunny Xiao
d851bd9a6b
improve permission documentation (#23942) 2023-06-05 15:43:17 +08:00
Lunny Xiao
11598885b3
Use RepositoryList instead of []*Repository (#25074) 2023-06-05 15:25:47 +08:00
Denys Konovalov
ca35dec18b
Add ability to set multiple redirect URIs in OAuth application UI (#25072)
OAuth applications can already have multiple redirect URIs if
created/edited over API.

This change allows for setting multiple redirect URIs through the UI as
a comma-separated list (e. g.
`https://example.org/redirect,https://redirect.example.org`)

<details>
<summary>Screenshots</summary>

![Bildschirmfoto vom 2023-06-04
17-14-40](https://github.com/go-gitea/gitea/assets/47871822/2206dc32-e7e4-4953-9ecb-e098890b3f54)
![Bildschirmfoto vom 2023-06-04
17-14-50](https://github.com/go-gitea/gitea/assets/47871822/cd97c73c-9310-44ee-a83a-b927a1ef94da)

</details>

Closes #25068
2023-06-05 15:00:12 +08:00
JakobDev
7d192cb674
Add Progressbar to Milestone Page (#25050)
This is adds the progress bar, which is already on the Milestone List,
also to the Page of a Single Milestone.


![grafik](https://github.com/go-gitea/gitea/assets/15185051/24e0fa28-369b-4bb9-807a-ee823b46ba81)

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-06-05 14:25:46 +08:00
GiteaBot
d63d8108b4 [skip ci] Updated licenses and gitignores 2023-06-05 00:27:49 +00:00
Jack Hay
18de83b2a3
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
    - `activitypub`
    - `admin` (hidden if user is not a site admin)
    - `misc`
    - `notification`
    - `organization`
    - `package`
    - `issue`
    - `repository`
    - `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
  -  `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
  - `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection

### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">

## tokenRequiresScopes  Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error

## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
   -  _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
   - _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
   - _This should be addressed in this PR_
   - For example: 
   ```go
	m.Group("/users/{username}/orgs", func() {
		m.Get("", reqToken(), org.ListUserOrgs)
		m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
   ```

## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default

Closes #24501
Closes #24799

Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
wxiaoguang
520eb57d76
Use a separate admin page to show global stats, remove actions stat (#25062)
Before, Gitea shows the database table stats on the `admin dashboard`
page.

It has some problems:

* `count(*)` is quite heavy. If tables have many records, this blocks
loading the admin page blocks for a long time
* Some users had even reported issues that they can't visit their admin
page because this page causes blocking or `50x error (reverse proxy
timeout)`
* The `actions` stat is not useful. The table is simply too large. Does
it really matter if it contains 1,000,000 rows or 9,999,999 rows?
* The translation `admin.dashboard.statistic_info` is difficult to
maintain.

So, this PR uses a separate page to show the stats and removes the
`actions` stat.


![image](https://github.com/go-gitea/gitea/assets/2114189/babf7c61-b93b-4a62-bfaa-22983636427e)

## ⚠️ BREAKING

The `actions` Prometheus metrics collector has been removed for the
reasons mentioned beforehand.
Please do not rely on its output anymore.
2023-06-03 22:03:41 +08:00
Yarden Shoham
4486dd39e7
Remove cancel button from branch protection form (#25063)
It caused bugs. To cancel, just navigate away.

- Follows #21381 and #21872
- Resolves #25038 

## Before

![image](https://github.com/go-gitea/gitea/assets/20454870/068c8d96-fc50-4725-8af2-d953e9f39024)

## After

![image](https://github.com/go-gitea/gitea/assets/20454870/105d5c50-e490-456a-a253-269b174c09ab)

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
2023-06-03 20:06:09 +08:00
Denys Konovalov
7d855efb1f
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it, please check language as I'm not a native
English speaker.

Closes #17107
Closes #25047
2023-06-03 05:59:28 +02:00