The API to create tokens is missing the ability to set the required
scopes for tokens, and to show them on the API and on the UI.
This PR adds this functionality.
Signed-off-by: Andrew Thornton <art27@cantab.net>
As discussed in #22847 the helpers in helpers.less need to have a
separate prefix as they are causing conflicts with fomantic styles
This will allow us to have the `.gt-hidden { display:none !important; }`
style that is needed to for the reverted PR.
Of note in doing this I have noticed that there was already a conflict
with at least one chroma style which this PR now avoids.
I've also added in the `gt-hidden` style that matches the tailwind one
and switched the code that needed it to use that.
Signed-off-by: Andrew Thornton <art27@cantab.net>
---------
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Currently the value doesn't match the model, so selecting it results in
a 500.
e8ac6a9aea/models/auth/token_scope.go (L42)
Signed-off-by: jolheiser <john.olheiser@gmail.com>
This PR adds the support for scopes of access tokens, mimicking the
design of GitHub OAuth scopes.
The changes of the core logic are in `models/auth` that `AccessToken`
struct will have a `Scope` field. The normalized (no duplication of
scope), comma-separated scope string will be stored in `access_token`
table in the database.
In `services/auth`, the scope will be stored in context, which will be
used by `reqToken` middleware in API calls. Only OAuth2 tokens will have
granular token scopes, while others like BasicAuth will default to scope
`all`.
A large amount of work happens in `routers/api/v1/api.go` and the
corresponding `tests/integration` tests, that is adding necessary scopes
to each of the API calls as they fit.
- [x] Add `Scope` field to `AccessToken`
- [x] Add access control to all API endpoints
- [x] Update frontend & backend for when creating tokens
- [x] Add a database migration for `scope` column (enable 'all' access
to past tokens)
I'm aiming to complete it before Gitea 1.19 release.
Fixes #4300
* Refactor `i18n` to `locale`
- Currently we're using the `i18n` variable naming for the `locale`
struct. This contains locale's specific information and cannot be used
for general i18n purpose, therefore refactoring it to `locale` makes
more sense.
- Ref: https://github.com/go-gitea/gitea/pull/20096#discussion_r906699200
* Update routers/install/install.go
This PR highlights the nature of the destructive action.
It also rewords the action buttons to remove ambiguity.
Signed-off-by: André Jaenisch <andre.jaenisch@posteo.de>
Co-authored-by: Lauris BH <lauris@nix.lv>
* Improve UX on modal for deleting an access token
Before, both action buttons where coloured on hover. Otherwise they
appeared as ghost buttons. UX tells us, that call to action must not
be displayed as ghost button.
Using red is perceived as warning colour in Western cultures. It was
used for the non-destructive action before. This PR swaps the colour
and turns the cancel button into a filled one, so it is saver to do
nothing then to accidentally delete an access button. We want the
person to do this consciously.
In another iteration the wording here could be improved. See the
associated issue for further details.
Signed-off-by: André Jaenisch <andre.jaenisch@posteo.de>
* Use tabs instead of spaces.
Linter does not complain anymore. I was expecting the formatter to pick
this up but it didn't.
Signed-off-by: André Jaenisch <andre.jaenisch@posteo.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Update JS dependencies
- Update all JS dependencies
- For octicons, rename trashcan to trash
- For svgo, migrate to v2 api, output seems to have slightly changed but icons look the same
- For stylelint, update config, fix custom property duplicates
- For monaco, drop legacy Edge support
- For eslint, enable new rules, fix new issues
- For less-loader, remove deprecated import syntax
* update svgo usage in generate-images and rebuild logo.svg with it
* Replace more icons with SVG
- Replace remaining icons on admin page with SVG
- Fix vertical menu background on arc-green
- Minor improvments to frontpage repo search
- More icon replacements here and there
* fix integration
* whitespace tweak
* add comment
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add class to page content to unify top margin
Previously pages would individually set this margin but some didn't so
content would stick to the header without any space. Resolve this by
adding a new class that is added on all pages. The only place where we
remove this margin again is on the pages with menu or wrapper in the
header.
* fix admin notices
* fix team pages
* fix loading segment on gitgraph for arc-green
* fix last missing case
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add oauth2 grants ui
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add delete functionality
Add translations
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Fix unit tests
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Fix unit tests
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Refactor DeleteOAuth2Grant
Use results.Close()
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Refactor DeleteOAuth2Grant (again)
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Check if user ID is zero
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Check if grant ID is zero
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* moved avatar to profile page
* combined password change, email and account deletion into account settings page
* combined totp, access tokens, linked accounts and openid into security settings page
* move access tokens to applications settings page
* small change to restart drone build
* fix change avatar url on profile page
* redirect old settings urls to new ones
* enforce only one autofocus attribute on settings pages
* set correct redirect status code
* fmt fix
This is mostly a 'feel' change. The behaviour that is currently on the
access tokens pages is, as far as I know, not present in any other parts
of the frontend, and there's no real good reason to keep the 'Generate
New Token' panel hidden by default in my opinion.
The choice regarding which forms should or should not trigger a warning
is subjective. I tried to be consistent and not warn about forms that:
- run an action, rather than edit data: search, send an email.
- delete data: a warning about losing data would be confusing
Note that forms on sign-in pages were already ignored (using a selector,
rather than an explicit class on the form element).
Fixes #3698.
* refactor struct's time to remove unnecessary memory usage
* use AsTimePtr simple code
* fix tests
* fix time compare
* fix template on gpg
* use AddDuration instead of Add
This commit improves templates readability, since all of them use consistent
indent with all template command blocks indented too.
1. Indents both HTML containers such as <div>, <p> and Go HTML template blocks
such as {{if}} {{with}}
2. Cleans all trailing white-space
3. Adds trailing last line-break to each file
The "PHP" formatting function doesn't add anything, except an undocumented date format.
All usages in the templates have been replaced with DateFmtShort and DateFmtLong for convenience.