* Do not display the raw OpenID error in the UI
If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.
Fix #4973
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update auth_openid.go
Place error log within the `err != nil` branch.
* add migration and basic UI for changing a user's theme
* update user themem
* use right text on button
* load theme based on users' selection
* load theme based on users' selection in pwa too
* update sample config
* delete older theme loading
* implement AfterLoad to set users' theme properly
* set up default theme when creating a user. This uses the installation wide theme
* use flash messages for error
* set default theme when creating a user from the cli
* fix @lunny review
* Show either sign up OR sign in
* disambiguate fresh start from adding recovery options
* use tabs to switch between account link flows
* add active to tab body as well
* changes as per discussion
* handle specific error; fix missing err typo
* Added basic heatmap data
* Added extra case for sqlite
* Built basic heatmap into user profile
* Get contribution data from api & styling
* Fixed lint & added extra group by statements for all database types
* generated swagger spec
* generated swagger spec
* generated swagger spec
* fixed swagger spec
* fmt
* Added tests
* Added setting to enable/disable user heatmap
* Added locale for loading text
* Removed UseTiDB
* Updated librejs & moment.js
* Fixed import order
* Fixed heatmap in postgresql
* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md
Co-Authored-By: kolaente <konrad@kola-entertainments.de>
* Added copyright header
* Fixed a bug to show the heatmap for the actual user instead of the currently logged in
* Added integration test for heatmaps
* Added a heatmap on the dashboard
* Fixed timestamp parsing
* Hide heatmap on mobile
* optimized postgresql group by query
* Improved sqlite group by statement
* redirect to login page after successfully activating account
* force users to change password if account was created by an admin
* force users to change password if account was created by an admin
* fixed build
* fixed build
* fix pending issues with translation and wrong routes
* make sure path check is safe
* remove unneccessary newline
* make sure users that don't have to view the form get redirected
* move route to use /settings prefix so as to make sure unauthenticated users can't view the page
* update as per @lafriks review
* add necessary comment
* remove unrelated changes
* support redirecting to location the user actually want to go to before being forced to change his/her password
* run make fmt
* added tests
* improve assertions
* add assertion
* fix copyright year
Signed-off-by: Lanre Adelowo <yo@lanre.wtf>
* Fix open redirect vulnerability on login screen
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Reorder imports
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Replace www. from Domain too
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add LDAP Key Synchronization feature
Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>
* Add migration: add login source id column for public_key table
* Only update keys if needed
* Add function to only list pubkey synchronized from ldap
* Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it.
* Only get keys belonging to current login source id
* Set default login source id to 0
* Some minor cleanup. Add integration tests (updete dep testify)
* Add support for U2F
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add vendor library
Add missing translations
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Minor improvements
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add U2F support for Firefox, Chrome (Android) by introducing a custom JS library
Add U2F error handling
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add U2F login page to OAuth
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Move U2F user settings to a separate file
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add unit tests for u2f model
Renamed u2f table name
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Fix problems caused by refactoring
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add U2F documentation
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Remove not needed console.log-s
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add default values to app.ini.sample
Add FIDO U2F to comparison
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* refactor setting router code
splitted up one huge router settings file into the smaller files
representing the actual page structure
* move code to subfolder
* rename functions
* renamed files
* add copyright information
* moved avatar to profile page
* combined password change, email and account deletion into account settings page
* combined totp, access tokens, linked accounts and openid into security settings page
* move access tokens to applications settings page
* small change to restart drone build
* fix change avatar url on profile page
* redirect old settings urls to new ones
* enforce only one autofocus attribute on settings pages
* set correct redirect status code
* fmt fix
* Added user language setting
* Added translation string for setting
* Fixed import order + typo
* improved checking if the user has a language saved in the db
* The current saved language is now set a default inside the dropdown
* fmt
* When a user signs in and doesn't have a language saved, the current browser language is saved
* updated gitea-sdk
* Merge branch 'master' of https://github.com/go-gitea/gitea into save-user-language
# Conflicts:
# models/migrations/migrations.go
# models/migrations/v62.go
* Made tests work again
* trigger CI
* trigger CI
* fmt
* re-trigger that FUCKING CI SO IT REALLY PICKS UP THE LATEST COMMIT ISTEAD OF PREDENDING TO DO SO
* re-trigger that FUCKING CI SO IT REALLY PICKS UP THE LATEST COMMIT ISTEAD OF PREDENDING TO DO SO
* When loggin in, only the language col gets updated instead of everything
* Extended LANDINGPAGE config variable to logged in users and added switch for 'organizations' in addition to 'home' and 'explore'.
* Updated comments.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Extended LANDINGPAGE config variable to trigger when user logs in and added switch for 'organizations' in addition to 'home' and 'explore'.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Extended LANDINGPAGE config variable to logged in users and added switch for 'organizations' in addition to 'home' and 'explore'.
* Updated comments.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Extended LANDINGPAGE config variable to trigger when user logs in and added switch for 'organizations' in addition to 'home' and 'explore'.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Removed superfluous conditional and correct whitespace.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Update app.ini
Reverted new line.
* Formatting.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Add repo type option to /api/repo/search
* Add tests and fix result of collaborative filter in specific condition
* Fix/optimize search & tests
* Improve integration tests
* Fix lint errors
* Fix unit tests
* Change and improve internal implementation of repo search
* Use NonexistentID
* Make search api more general
* Change mirror and fork search behaviour
* Fix tests & typo in comment
* Implementation of all repositories of a user from user->settings
* Update message when no repository found
* Update according to comments
* Change UI to have a better look
* improved user repositories UI
* Display all organization from user settings
* fix Tab selection
* Update locale_en-US.ini
* Add a condition for display Create organization button
* Remove french translation
* Remove unnecessary admin flag
* Forgot password should use ResetPwdCodeLives, not ActiveCodeLives
* Improve documentation for different send mail functions related to password reset
* Improve documentation in conf/app.ini regarding xxx_CODE_LIVE_MINUTES settings
* add google+
* sort signin oauth2 providers based on the name so order is always the same
* update auth tip for google+
* add gitlab provider
* add bitbucket provider (and some go fmt)
* add twitter provider
* add facebook provider
* add dropbox provider
* add openid connect provider incl. new format of tips section in "Add New Source"
* lower the amount of disk storage for each session to prevent issues while building cross platform (and disk overflow)
* imports according to goimport and code style
* make it possible to set custom urls to gitlab and github provider (only these could have a different host)
* split up oauth2 into multiple files
* small typo in comment
* fix indention
* fix indentation
* fix new line before external import
* fix layout of signin part
* update "broken" dependency
* Allow ENABLE_OPENID_SIGNUP to depend on DISABLE_REGISTRATION
Omit the configuration variable (the default) to be dependent.
Fixes #1363
* Move OpenID settings under Service object
* Show OpenID SignUp and SignIn status in admin panel / configuration
Also renames `forgot_password` translation key to
`forgot_password_title` and `forget_password` to
`forgot_password`
Includes entry in CHANGELOG about the breaking change
(and some markdown fixes in there)
It's helpful when you forgot your password thus cannot change it
(can happen if you log in via OAuth2 or OpenID)
Also make sure that both the delete-account and password-change
links to forgot-password will have the primary email pre-filled
* fixes #1050 where linking an account to a 2fa enabled account failed because we forgot to really link the account when 2fa is completed
* handle errors
* initial stuff for oauth2 login, fails on:
* login button on the signIn page to start the OAuth2 flow and a callback for each provider
Only GitHub is implemented for now
* show login button only when the OAuth2 consumer is configured (and activated)
* create macaron group for oauth2 urls
* prevent net/http in modules (other then oauth2)
* use a new data sessions oauth2 folder for storing the oauth2 session data
* add missing 2FA when this is enabled on the user
* add password option for OAuth2 user , for use with git over http and login to the GUI
* add tip for registering a GitHub OAuth application
* at startup of Gitea register all configured providers and also on adding/deleting of new providers
* custom handling of errors in oauth2 request init + show better tip
* add ExternalLoginUser model and migration script to add it to database
* link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed
* remove the linked external account from the user his settings
* if user is unknown we allow him to register a new account or link it to some existing account
* sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers)
* from gorilla/sessions docs:
"Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!"
(we're using gorilla/sessions for storing oauth2 sessions)
* use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
* Fix assigned/created issues in dashboard. (#3560)
* Fix assigned/created issues in dashboard.
* Use GetUserIssueStats for getting all Dashboard stats.
* Use gofmt to format the file properly.
* Replace &Issue{} with new(Issue).
* Check if user has access to given repository.
* Remove unnecessary filtering of issues.
* Return 404 error if invalid repository is given.
* Use correct number of issues in paginater.
* fix issues on dashboard
* feat: support search bar on star tab of user profile.
* fix: update testing.
* fix: Using loadAttributes
* fix: remove empty line.
* remove LOWER
Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
* Use relative URLs
* Notifications - Mark as read/unread
* Feature of pinning a notification
* On view issue, do not mark as read a pinned notification
- Add site-wide option DEFAULT_KEEP_EMAIL_PRIVATE.
- Add the new option to the install and admin/config pages.
- Add the new option to app.ini in the service section.
- Add the new option to the settings struct.
- Add English text strings to i18n.
- Add field KeepEmailPrivate to user struct.
- Add field KeepEmailPrivate to user form.
- Add option to UI.
- Add using noreply email address if user has "Keep Email Private".
An email address <LowerName>@<NO_REPLY_ADDRESS> is now used in commit
messages (and hopefully all other git log relevant places). The
change relies on the fact that git commands should use
user.NetGitSig().
- Add hiding of email address in UI, if user has set "Keep Email Private".
- Add condition to show email address only on explore/users and user
pages, if user has not set "Keep Email Private".
- Add noreply email in API if set "Keep Email Private".
- Add a new service setting NO_REPLY_ADDRESS. The value of this
setting is used as the domain part for the user's email address in
git log, iff he decides to keep his email address private.
If the user decides to keep his email address private and this
option is not set 'noreply.example.org' is used, which no MTA
should send email to.
Add NO_REPLY_ADDRESS to conf/app.ini.
* Tab on user profile to show starred repos
* Make golint happy and use transactions on StarRepo function
* x -> sess
* Use sess.Close() instead of sess.Rollback()
* Add copyright
* Fix lint
* Remove unused custom-alphabet feature of random string generator
Fix random string generator
Random string generator should return error if it fails to read random data via crypto/rand
* Fixes variable (un)initialization mixed assign
Update test GetRandomString
* golint fixed for parts of routers root, dev and org dirs
* add user/auth.go golint fixed
* rename unnecessary exported to unexported and user dir golint fixed
* Add support for federated avatars
Fixes #3105
Removes avatar fetching duplication code
Adds an "Enable Federated Avatar" checkbox in user settings
(defaults to unchecked)
Moves avatar settings all in the same form, making
local and remote avatars mutually exclusive
Renames UploadAvatarForm to AvatarForm
as it's not anymore only for uploading
* Run gofmt on all modified files
* Move Avatar form in its own page
* Add go-libravatar dependency to vendor/ dir
Hopefully helps with accepting the contribution.
See also #3214
* Revert "Add go-libravatar dependency to vendor/ dir"
This reverts commit a8cb93ae640bbb90f7d25012fc257bda9fae9b82.
* Make federated avatar setting a global configuration
Removes the per-user setting
* Move avatar handling back to base tool, disable federated avatar in offline mode
* Format, handle error
* Properly set fallback host
* Use unsupported github.com mirror for importing go-libravatar
* Remove comment showing life exists outside of github.com
... pity, but contribution would not be accepted otherwise
* Use Combo for Get and Post methods over /avatar
* FEDERATED_AVATAR -> ENABLE_FEDERATED_AVATAR
* Fix persistance of federated avatar lookup checkbox at install time
* Federated Avatars -> Enable Federated Avatars
* Use len(string) == 0 instead of string == ""
* Move import line where it belong
See
https://github.com/Unknwon/go-code-convention/blob/master/en-US/import_packages.md
Pity the import url is still the unofficial one, but oh well...
* Save a line (and waste much more expensive time)
* Remove redundant parens
* Remove an empty line
* Remove empty lines
* Reorder lines to make diff smaller
* Remove another newline
Unknwon review got me start a fight against newlines
* Move DISABLE_GRAVATAR and ENABLE_FEDERATED_AVATAR after OFFLINE_MODE
On re-reading the diff I figured what Unknwon meant here:
https://github.com/gogits/gogs/pull/3320/files#r73741106
* Remove newlines that weren't there before my intervention