Commit graph

583 commits

Author SHA1 Message Date
silverwind
6874fe90e5
Cleanup and use global style on popups (#17674)
* Cleanup and use global style on popups

- Fix typo 'poping' to 'popping'
- Remove most inline 'data-variation' attributes
- Initialize all popups with 'inverted tiny' variation

* misc tweaks

* rename to .tooltip, use jQuery

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-11-18 11:26:50 +08:00
zeripath
bbffcc3aec
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
    
This is an extensive PR attempting to fix these issues.

1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future. 
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-11-16 18:18:25 +00:00
Kamil Domański
021df29623
Allow U2F 2FA without TOTP (#11573)
This change enables the usage of U2F without being forced to enroll an TOTP authenticator.
The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.

Fixes #5410
Fixes #17495
2021-11-08 23:47:19 +01:00
qwerty287
f46e67b519
Move key forms before list and add cancel button (#17432)
* Move GPG form before list and add cancel button
* Move SSH form before list and add cancel button

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-10-28 18:55:48 +08:00
qwerty287
01fc24c78c
Add appearance section in settings (#17433)
* Add appearance section in settings

* Fix lint

* Fix lint

* Apply suggestions from code review

Co-authored-by: Lauris BH <lauris@nix.lv>

Co-authored-by: Lauris BH <lauris@nix.lv>
2021-10-27 23:40:08 +08:00
Nico Schieder
870f5fbc41
Add groups scope/claim to OIDC/OAuth2 Provider (#17367)
* Add groups scope/claim to OICD/OAuth2

Add support for groups claim as part of the OIDC/OAuth2 flow.
Groups is a list of "org" and "org:team" strings to allow clients to
authorize based on the groups a user is part of.

Signed-off-by: Nico Schieder <code@nico-schieder.de>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2021-10-22 17:19:24 +08:00
zeripath
e2a59c57fc
Fix dashboard repolist alignment and repolisting (#17355)
Unfortunately #17301 broke the restriction of the dashboard repolist to
the user's repos because it stopped passing in the uid for the current
user. This PR restores this.

There is also a weird alignment problem - not caused by that PR - where
the menu items in the repolist spread over multiple lines. This PR
simply reduces the padding on these items and switches the justification
of the flex elements to space-evenly.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-10-19 12:38:33 +08:00
wxiaoguang
4822eed99d
Disable form autofill (#17291)
]* fix aria-hidden and tabindex

* use {{template "base/disable_form_autofill"}} instead of {{DisableFormAutofill}}

Co-authored-by: zeripath <art27@cantab.net>
2021-10-19 01:08:41 +03:00
wxiaoguang
56362043d3
Frontend refactor: move Vue related code from index.js to components dir, and remove unused codes. (#17301)
* frontend refactor

* Apply suggestions from code review

Co-authored-by: delvh <dev.lh@web.de>

* Update templates/base/head.tmpl

Co-authored-by: delvh <dev.lh@web.de>

* Update docs/content/doc/developers/guidelines-frontend.md

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

* fix typo

* fix typo

* refactor PageData to pageData

* Apply suggestions from code review

Co-authored-by: delvh <dev.lh@web.de>

* Simply for the visual difference.

Co-authored-by: delvh <dev.lh@web.de>

* Revert "Apply suggestions from code review"

This reverts commit 4d78ad9b0e96ca180e0823de17659a2e0814c099.

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
2021-10-15 10:35:26 +08:00
zeripath
268b2d0c91
Prevent leave changes dialogs due to autofill fields (#16912)
Add ignore-dirty to /user/settings/account
Add autocomplete="off" to push_mirror_address form on /:owner/:repo/settings

Fix #16861

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-02 13:14:37 +01:00
zeripath
e37342db0c
Add modals to Organization and Team remove/leave (#16471)
* Add modals to Organization and Team remove/leave

Add confirmation modals to Organization and Team remove and leave.

Fix #16215

Signed-off-by: Andrew Thornton <art27@cantab.net>

* avoid for-in

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Revert "avoid for-in"

This reverts commit 2af9a6f9d46ed31b6fc6e3a29e695577dcf09f75.

* Apply suggestions from code review

Co-authored-by: silverwind <me@silverwind.io>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-08-26 22:57:40 -04:00
zeripath
ba6baff696
Report the correct number of pushes on the feeds (#16811)
* Report the correct number of pushes on the feeds

Since the number of commits in the Action table has been limited to 5
the number of commits reported on the feeds page is now incorrectly also
limited to 5. The correct number is available as the Len and this PR
changes this to report this.

Fix #16804

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update templates/user/dashboard/feeds.tmpl

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-08-25 19:04:58 -04:00
KN4CK3R
0bd58d61e5
Added introspection endpoint. (#16752)
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-08-20 22:16:45 -04:00
KN4CK3R
d9ef43a712
Replace list.List with slices (#16311)
* Replaced list with slice.

* Fixed usage of pointer to temporary variable.

* Replaced LIFO list with slice.

* Lint

* Removed type check.

* Removed duplicated code.

* Lint

* Fixed merge.

Co-authored-by: 6543 <6543@obermui.de>
2021-08-09 14:08:51 -04:00
zeripath
5d2e11eedb
Refactor: Move login out of models (#16199)
`models` does far too much. In particular it handles all `UserSignin`.

It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in.

Therefore we should move this code out of `models`.

This code has to depend on `models` - therefore it belongs in `services`.

There is a package in `services` called `auth` and clearly this functionality belongs in there.

Plan:

- [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication.
- [x] Move `models.UserSignIn` into `auth`
- [x] Move `models.ExternalUserLogin`
- [x] Move most of the `LoginVia*` methods to `auth` or subpackages
- [x] Move Resynchronize functionality to `auth`
  - Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files.
- [x] Move the rest of the LDAP functionality in to the ldap subpackage
- [x] Re-factor the login sources to express an interfaces `auth.Source`?
  - I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future
- [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable
- [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2
  - [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models.
  - [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2 
- [x] More simplifications of login_source.go may need to be done
- Allow wiring in of notify registration -  *this can now easily be done - but I think we should do it in another PR*  - see #16178 
- More refactors...?
  - OpenID should probably become an auth Method but I think that can be left for another PR
  - Methods should also probably be cleaned up  - again another PR I think.
  - SSPI still needs more refactors.* Rename auth.Auth auth.Method
* Restructure ssh_key.go

- move functions from models/user.go that relate to ssh_key to ssh_key
- split ssh_key.go to try create clearer function domains for allow for
future refactors here.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-07-24 11:16:34 +01:00
Stanley Hu
08ef45b359
Add fluid to ui container class to remove margin (#16396) 2021-07-20 08:22:23 +02:00
Jonathan Herlin
fd3f149abd
Improve 2FA autofill (#16473)
This improves the autofill suggestion on mobile devices and some password managers
2021-07-18 02:06:22 +02:00
a1012112796
ec357833bc
show tag name on dashboard items list (#16466)
fix #16458

Signed-off-by: a1012112796 <1012112796@qq.com>
2021-07-17 23:21:04 +02:00
zeripath
93f31e1897
Update notification table with only latest data (#16445)
When marking notifications read the results may be returned out of order
or be delayed.  This PR sends a sequence number to gitea so that the
browser can ensure that only the results of the latest notification
change are shown.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-07-17 17:18:10 +01:00
Meano
423a0fccb6
Fix activation of primary email addresses (#16385)
* fix: primary email cannot be activated

* Primary email should be activated together with user account when
'RegisterEmailConfirm' is enabled.

* To fix the existing error state. When 'RegisterEmailConfirm' is enabled, the
admin should have permission to modify the activations status of user email.
And the user should be allowed to send activation to primary email.

* Only judge whether email is primary from email_address table.

* Improve logging and refactor isEmailActive

Co-authored-by: zeripath <art27@cantab.net>
2021-07-13 22:59:27 +02:00
zeripath
b82293270c
Add option to provide signature for a token to verify key ownership (#14054)
* Add option to provide signed token to verify key ownership

Currently we will only allow a key to be matched to a user if it matches
an activated email address. This PR provides a different mechanism - if
the user provides a signature for automatically generated token (based
on the timestamp, user creation time, user ID, username and primary
email.

* Ensure verified keys can act for all active emails for the user

* Add code to mark keys as verified

* Slight UI adjustments

* Slight UI adjustments 2

* Simplify signature verification slightly

* fix postgres test

* add api routes

* handle swapped primary-keys

* Verify the no-reply address for verified keys

* Only add email addresses that are activated to keys

* Fix committer shortcut properly

* Restructure gpg_keys.go

* Use common Verification Token code

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-07-13 15:28:07 +02:00
KN4CK3R
aac663e0da
Implemented head_commit for webhooks (#16282)
* Removed Len field.

* Added head_commit webhook field.

* Added comment for returns.
2021-06-29 15:34:03 +02:00
6543
0b27b93728
Make allowed Visiblity modes configurable for Users (#16271)
Now that #16069 is merged, some sites may wish to enforce that users are all public, limited or private, and/or disallow users from becoming private.

This PR adds functionality and settings to constrain a user's ability to change their visibility.

Co-authored-by: zeripath <art27@cantab.net>
2021-06-27 19:47:35 +01:00
Sergey Dryabzhinsky
22a0636544
Add Visible modes function from Organisation to Users too (#16069)
You can limit or hide organisations. This pull make it also posible for users

- new strings to translte
- add checkbox to user profile form
- add checkbox to admin user.edit form
- filter explore page user search
- filter api admin and public user searches
- allow admins view "hidden" users
- add app option DEFAULT_USER_VISIBILITY
- rewrite many files to use Visibility field
- check for teams intersection
- fix context output
- right fake 404 if not visible

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Andrew Thornton <art27@cantab.net>
2021-06-26 20:53:14 +01:00
John Olheiser
622f1e764c
Add better errors for disabled account recovery (#15117)
Signed-off-by: jolheiser <john.olheiser@gmail.com>

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
2021-06-25 23:16:36 -05:00
6543
889dea8fc1
Remove User.GetOrganizations() (#14032)
as title
2021-06-18 19:00:53 +02:00
KN4CK3R
29695cd6d5
Add asymmetric JWT signing (#16010)
* Added asymmetric token signing.

* Load signing key from settings.

* Added optional kid parameter.

* Updated documentation.

* Add "kid" to token header.
2021-06-17 23:56:46 +02:00
KN4CK3R
1295e750b4
Add OpenID claims "profile" and "email". (#16141)
* Added OpenID claims "profile" and "email".

* Splitted error.

* Added scopes_supported and claims_supported.

* Added more metadata.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-06-14 13:33:16 +03:00
silverwind
308b562b3c
Remove remaining fontawesome usage in templates (#15952)
Can not remove the dependency yet because easymde depends on it.
2021-05-22 23:29:46 +02:00
silverwind
a32bfd867d
Issue sidebar and misc css fixes (#15524)
- Replace remaining font icons with SVG in issue sidebar
- Rework issue due date display
- Realign avatar in timeline
- Fix font size in repo search and code explore
- Consolidate active button styles
- Fix loading form on arc-green
- Align time tracker buttons vertically

Fixes: https://github.com/go-gitea/gitea/issues/15896
2021-05-16 22:18:18 +02:00
zeripath
f582ec4e53
Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304)
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username

ReverseProxy users should generate a session on reverse proxy username change.

Also prevent ReverseProxy users from changing their username.

Fix #2407

* add testcase

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-05-15 20:33:13 +02:00
6543
a229e34387
Allow only internal registration (#15795)
* Add ALLOW_ONLY_INTERNAL_REGISTRATION into settings

* OpenID respect setting too
2021-05-09 16:13:35 +02:00
6543
640066840e
Use a generic markup class to display externally rendered files and diffs (#15735)
* creates and implements generic markup less class

* How to give custom CSS to externally rendered html

* Clarifies sources of CSS styling of markup

* further clarification of sources of markup styling

* rename _markdown to _markup

* remove defunct import

* fix orphaned reference

* Update docs/content/doc/advanced/external-renderers.en-us.md

* more renames markdown -> markup

* do not suggest less customization

* add back tokens

* fix class whitespace, remove useless if-clause

* remove unused csv-data rules

* use named exports and rename functions

* sort imports

Co-authored-by: HarvsG <11440490+HarvsG@users.noreply.github.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: silverwind <me@silverwind.io>
2021-05-07 10:43:41 +02:00
N. L. H
45970ae82e
Feature/oauth userinfo (#15721)
* Implemented userinfo #8534

* Make lint happy

* Add userinfo endpoint to openid-configuration

* Give an error when uid equals 0

* Implemented BearerTokenErrorCode handling

* instead of ctx.error use ctx.json so that clients
parse error and error_description correctly

* Removed unneeded if statement

* Use switch instead of subsequent if statements
Have a default for unknown errorcodes.

Co-authored-by: Nils Hillmann <hillmann@nlh-software.de>
Co-authored-by: nlhsoftware <nlhsoftware@noreply.localhost>
2021-05-06 01:30:15 -04:00
KN4CK3R
7670c1c99e
Fixed several activation bugs (#15473)
* Removed unneeded form tag.

* Fixed typo.

* Fixed NPE.

* Use better error page.

* Splitted GET and POST.
2021-04-30 22:21:33 +02:00
KN4CK3R
c80d7f33b6
Unified link creation. (#15619) 2021-04-30 19:25:13 +02:00
techknowlogick
024ef3940f
add well-known config for OIDC (#15355)
* add well-known config for OIDC

* spacing per feedback

* Update oidc_wellknown.tmpl

* add id_token

* Update oidc_wellknown.tmpl

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-04-15 22:32:00 -04:00
Kyle D
f44543a1bb
Disable Stars config option (#14653)
* Add config option to disable stars

* Replace "stars" with watched in user profile

* Add documentation
2021-04-15 18:53:57 +02:00
KN4CK3R
cf8f66e5dc
Use subdir for URL (#15446)
Fixes #15444
2021-04-14 20:43:17 +01:00
KN4CK3R
bf3e584de2
Fix repository search (#15428)
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-04-12 22:09:46 -04:00
silverwind
d848098f60
Enforce tab indentation in templates (#15289)
* Enforce tab indendation in templates

This adds editorconfig-checker [1] to lint the template files so they
conform the editorconfig files. I fixed all current identation issues
using the fix mode of eclint [2] and some manual corrections.

We can extend this linting to other files later, for now I'd like this
PR to focus on HTML template files only.

[1] https://github.com/editorconfig-checker/editorconfig-checker
[2] https://github.com/jedmao/eclint

* fix indendation

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-04-10 23:46:37 -04:00
silverwind
216976247c
Remove usage of JS globals (#15378)
Refactor the exported globals in index.js to JS-initialized event
handlers.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-04-09 19:42:38 -04:00
Roger Luo
fa06e98553
Add dashboard milestone search and repo milestone search by name (#14866)
Feature for issue #13845:
 - Add milestones search by name on dashboard milestones page.
 - Add milestones search by name on repo issue/milestones page.
2021-04-08 13:53:59 +02:00
Jimmy Praet
6b836ac5f7
fix org navbar (#15173) 2021-03-26 22:15:13 +01:00
silverwind
1a03fa7a4f
Update JS dependencies (#15033)
* Update JS dependencies

- Update all JS dependencies
- For octicons, rename trashcan to trash
- For svgo, migrate to v2 api, output seems to have slightly changed but icons look the same
- For stylelint, update config, fix custom property duplicates
- For monaco, drop legacy Edge support
- For eslint, enable new rules, fix new issues
- For less-loader, remove deprecated import syntax

* update svgo usage in generate-images and rebuild logo.svg with it
2021-03-22 05:04:19 +01:00
Norwin
598dd21cd4
org dashboard: move teamselector left (#14954)
Co-authored-by: zeripath <art27@cantab.net>
2021-03-17 18:45:16 -04:00
zeripath
20f13bfdfc
Fix a couple of issues with a feeds (#14897)
@CirnoT spotted a couple of issues with feeds on discord.

This PR fixes both of these.
2021-03-06 05:09:49 +01:00
6543
a4148c0f12
Repository transfer has to be confirmed, if user can not create repo for new owner (#14792)
* make repo as "pending transfer" if on transfer start doer has no right to create repo in new destination

* if new pending transfer ocured, create UI & Mail notifications
2021-03-01 01:47:30 +01:00
Mike L
4172b1955f
Fix dashboard UI bugs and more (#14767)
This PR fixes a few UI bugs I spontaneously encountered:

- Fixes emojis in repo titles getting head-cut and tail-cut in dashboard feed due to introduction of 1.25 em emojis at 1 em line-height, by simply using the original 1 3/7 em value of `semantic.css`
- Fixes regression (too long repo names should be capped to 70%) in #13828 due to flex children not respecting properties like `overflow: hidden;`, and removes a block of dead style code
- Follow-up to #14761, removes extraneous code for top navbar and correct right margin for Font Awesome
- Fixes color emphasis inversion in arc-green theme for top right buttons (edit, delete) on commit view boxes
2021-02-25 13:35:43 +01:00
a1012112796
cd8b2f3273
Fix double alert in oauth2 application edit view (#14764)
Signed-off-by: a1012112796 <1012112796@qq.com>
2021-02-22 03:51:45 +01:00