Merge pull request #2 from go-gitea/master

Merge branch 'master' of https://github.com/go-gitea/gitea

Author: CL-Jeremy

.drone.yml

@@ -13,13 +13,13 @@ workspace:
 steps:
   - name: deps-frontend
     pull: always
-    image: node:12
+    image: node:14
     commands:
       - make node_modules
 
   - name: lint-frontend
     pull: always
-    image: node:12
+    image: node:14
     commands:
       - make lint-frontend
     depends_on: [deps-frontend]
@@ -36,7 +36,7 @@ steps:
 
   - name: checks-frontend
     pull: always
-    image: node:12
+    image: node:14
     commands:
       - make checks-frontend
     depends_on: [deps-frontend]
@@ -50,7 +50,7 @@ steps:
 
   - name: build-frontend
     pull: always
-    image: node:10 # this step is kept at the lowest version of node that we support
+    image: node:14
     commands:
       - make frontend
     depends_on: [lint-frontend]
@@ -447,23 +447,13 @@ steps:
     commands:
       - git fetch --tags --force
 
-  - name: static-windows
-    pull: always
-    image: techknowlogick/xgo:go-1.14.x
-    commands:
-      - apt update && apt -y install curl
-      - curl -sL https://deb.nodesource.com/setup_12.x | bash - && apt -y install nodejs
-      - export PATH=$PATH:$GOPATH/bin
-      - make frontend generate release-windows
-    environment:
-      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
-      TAGS: bindata sqlite sqlite_unlock_notify
-
   - name: static
     pull: always
     image: techknowlogick/xgo:go-1.15.x
     commands:
-      - make release-linux release-darwin release-copy release-compress release-sources release-docs release-check
+      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt -y install nodejs
+      - export PATH=$PATH:$GOPATH/bin
+      - make release
     environment:
       GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
       TAGS: bindata sqlite sqlite_unlock_notify
@@ -558,8 +548,7 @@ steps:
     pull: always
     image: techknowlogick/xgo:go-1.15.x
     commands:
-      - apt update && apt -y install curl
-      - curl -sL https://deb.nodesource.com/setup_12.x | bash - && apt -y install nodejs
+      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt -y install nodejs
       - export PATH=$PATH:$GOPATH/bin
       - make release
     environment:

.editorconfig

@@ -11,7 +11,7 @@ trim_trailing_whitespace = false
 
 [*.{go,tmpl,html}]
 indent_style = tab
-indent_size = 4
+indent_size = 2
 
 [*.{less,css}]
 indent_style = space

Makefile

@@ -42,8 +42,10 @@ ifeq ($(HAS_GO), GO)
 endif
 
 ifeq ($(OS), Windows_NT)
+	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
 else
+	GOFLAGS := -v
 	EXECUTABLE ?= gitea
 endif
 
@@ -55,7 +57,6 @@ endif
 
 GOFMT ?= gofmt -s
 
-GOFLAGS := -v
 EXTRA_GOFLAGS ?=
 
 MAKE_VERSION := $(shell $(MAKE) -v | head -n 1)
@@ -556,7 +557,7 @@ release-windows: | $(DIST_DIRS)
 		GO111MODULE=off $(GO) get -u src.techknowlogick.com/xgo; \
 	fi
 	@echo "Warning: windows version is built using golang 1.14"
-	CGO_CFLAGS="$(CGO_CFLAGS)" GO111MODULE=off xgo -go go-1.14.x -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" GO111MODULE=off xgo -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
 ifeq ($(CI),drone)
 	cp /build/* $(DIST)/binaries
 endif
@@ -680,7 +681,7 @@ pr\#%: clean-all
 golangci-lint:
 	@hash golangci-lint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		export BINARY="golangci-lint"; \
-		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.24.0; \
+		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.30.0; \
 	fi
 	golangci-lint run --timeout 5m
 

SECURITY.md

@@ -0,0 +1,10 @@
+# Reporting security issues
+
+The Gitea maintainers take security seriously.  
+If you discover a security issue, please bring it to their attention right away!
+
+### Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately to `[email protected]`.
+
+Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it.

cmd/doctor.go

@@ -127,6 +127,12 @@ var checklist = []check{
 		isDefault: false,
 		f:         runDoctorUserStarNum,
 	},
+	{
+		title:     "Enable push options",
+		name:      "enable-push-options",
+		isDefault: false,
+		f:         runDoctorEnablePushOptions,
+	},
 	// more checks please append here
 }
 
@@ -605,3 +611,28 @@ func runDoctorCheckDBConsistency(ctx *cli.Context) ([]string, error) {
 
 	return results, nil
 }
+
+func runDoctorEnablePushOptions(ctx *cli.Context) ([]string, error) {
+	numRepos := 0
+	_, err := iterateRepositories(func(repo *models.Repository) ([]string, error) {
+		numRepos++
+		r, err := git.OpenRepository(repo.RepoPath())
+		if err != nil {
+			return nil, err
+		}
+		defer r.Close()
+
+		if ctx.Bool("fix") {
+			_, err := git.NewCommand("config", "receive.advertisePushOptions", "true").RunInDir(r.Path)
+			return nil, err
+		}
+
+		return nil, nil
+	})
+
+	var prefix string
+	if !ctx.Bool("fix") {
+		prefix = "DRY RUN: "
+	}
+	return []string{fmt.Sprintf("%sEnabled push options for %d repositories.", prefix, numRepos)}, err
+}

cmd/hook.go

@@ -178,6 +178,7 @@ Gitea or set your environment appropriately.`, "")
 		GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
+		GitPushOptions:                  pushOptions(),
 		ProtectedBranchID:               prID,
 		IsDeployKey:                     isDeployKey,
 	}
@@ -326,6 +327,7 @@ Gitea or set your environment appropriately.`, "")
 		GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
+		GitPushOptions:                  pushOptions(),
 	}
 	oldCommitIDs := make([]string, hookBatchSize)
 	newCommitIDs := make([]string, hookBatchSize)
@@ -438,3 +440,17 @@ func hookPrintResults(results []private.HookPostReceiveBranchResult) {
 		os.Stderr.Sync()
 	}
 }
+
+func pushOptions() map[string]string {
+	opts := make(map[string]string)
+	if pushCount, err := strconv.Atoi(os.Getenv(private.GitPushOptionCount)); err == nil {
+		for idx := 0; idx < pushCount; idx++ {
+			opt := os.Getenv(fmt.Sprintf("GIT_PUSH_OPTION_%d", idx))
+			kv := strings.SplitN(opt, "=", 2)
+			if len(kv) == 2 {
+				opts[kv[0]] = kv[1]
+			}
+		}
+	}
+	return opts
+}

custom/conf/app.example.ini

@@ -497,9 +497,9 @@ DISABLE_GIT_HOOKS = false
 ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;Comma separated list of character classes required to pass minimum complexity.
-;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used.
-;Use "off" to disable checking.
-PASSWORD_COMPLEXITY = lower,upper,digit,spec
+;If left empty or no valid values are specified, the default is off (no checking)
+;Classes include "lower,upper,digit,spec"
+PASSWORD_COMPLEXITY = off
 ; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt"
 PASSWORD_HASH_ALGO = pbkdf2
 ; Set false to allow JavaScript to read CSRF cookie
@@ -971,8 +971,8 @@ ACCESS_TOKEN_EXPIRATION_TIME=3600
 REFRESH_TOKEN_EXPIRATION_TIME=730
 ; Check if refresh token got already used
 INVALIDATE_REFRESH_TOKENS=false
-; OAuth2 authentication secret for access and refresh tokens, change this to a unique string.
-JWT_SECRET=Bk0yK7Y9g_p56v86KaHqjSbxvNvu3SbKoOdOt2ZcXvU
+; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
+JWT_SECRET=
 ; Maximum length of oauth2 token/cookie stored on server
 MAX_TOKEN_LENGTH=32767
 
@@ -985,7 +985,7 @@ NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,D
 ; Two Factor authentication with security keys
 ; https://developers.yubico.com/U2F/App_ID.html
 ;APP_ID = http://localhost:3000/
-; Comma seperated list of trusted facets
+; Comma separated list of trusted facets
 ;TRUSTED_FACETS = http://localhost:3000/
 
 ; Extension mapping to highlight class

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -323,7 +323,7 @@ set name for unique queues. Individual queues will default to
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
 - `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\].
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
-- `PASSWORD_COMPLEXITY`: **lower,upper,digit,spec**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, the default values will be used. Possible values are: 
+- `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
     - lower - use one or more lower latin characters
     - upper - use one or more upper latin characters
     - digit - use one or more digits

docs/content/doc/usage/push-options.en-us.md

@@ -0,0 +1,31 @@
+---
+date: "2020-07-06T16:00:00+02:00"
+title: "Usage: Push Options"
+slug: "push-options"
+weight: 15
+toc: true
+draft: false
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Push Options"
+    weight: 15
+    identifier: "push-options"
+---
+
+# Push Options
+
+In Gitea `1.13`, support for some [push options](https://git-scm.com/docs/git-push#Documentation/git-push.txt--oltoptiongt)
+were added.
+
+
+## Supported Options
+
+- `repo.private` (true|false) - Change the repository's visibility.  
+This is particularly useful when combined with push-to-create.
+- `repo.template` (true|false) - Change whether the repository is a template.
+
+Example of changing a repository's visibility to public:  
+```shell
+git push -o repo.private=false -u origin master
+```

integrations/repo_test.go

@@ -148,7 +148,7 @@ func TestViewRepoWithSymlinks(t *testing.T) {
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	htmlDoc := NewHTMLParser(t, resp.Body)
-	files := htmlDoc.doc.Find("#repo-files-table > TBODY > TR > TD.name > SPAN")
+	files := htmlDoc.doc.Find("#repo-files-table > TBODY > TR > TD.name")
 	items := files.Map(func(i int, s *goquery.Selection) string {
 		cls, _ := s.Find("SVG").Attr("class")
 		file := strings.Trim(s.Find("A").Text(), " \t\n")

models/avatar.go

@@ -41,7 +41,18 @@ func AvatarLink(email string) string {
 			Email: lowerEmail,
 			Hash:  sum,
 		}
-		_, _ = x.Insert(emailHash)
+		// OK we're going to open a session just because I think that that might hide away any problems with postgres reporting errors
+		sess := x.NewSession()
+		defer sess.Close()
+		if err := sess.Begin(); err != nil {
+			// we don't care about any DB problem just return the lowerEmail
+			return lowerEmail, nil
+		}
+		_, _ = sess.Insert(emailHash)
+		if err := sess.Commit(); err != nil {
+			// Seriously we don't care about any DB problems just return the lowerEmail - we expect the transaction to fail most of the time
+			return lowerEmail, nil
+		}
 		return lowerEmail, nil
 	})
 	return setting.AppSubURL + "/avatar/" + url.PathEscape(sum)

models/branches.go

@@ -98,9 +98,10 @@ func (protectBranch *ProtectedBranch) CanUserPush(userID int64) bool {
 }
 
 // IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch
-func (protectBranch *ProtectedBranch) IsUserMergeWhitelisted(userID int64) bool {
+func (protectBranch *ProtectedBranch) IsUserMergeWhitelisted(userID int64, permissionInRepo Permission) bool {
 	if !protectBranch.EnableMergeWhitelist {
-		return true
+		// Then we need to fall back on whether the user has write permission
+		return permissionInRepo.CanWrite(UnitTypeCode)
 	}
 
 	if base.Int64sContains(protectBranch.MergeWhitelistUserIDs, userID) {