mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-27 04:43:59 +01:00
Merge pull request '[gitea] week 2024-47-v9.0 cherry pick (gitea/main -> v9.0/forgejo)' (#5998) from earl-warren/wcp/2024-47-v9.0 into v9.0/forgejo
Some checks failed
testing / test-unit (push) Has been cancelled
testing / test-remote-cacher (map[image:docker.io/bitnami/redis:7.2 port:6379]) (push) Has been cancelled
testing / security-check (push) Has been cancelled
testing / test-remote-cacher (map[image:docker.io/bitnami/valkey:7.2 port:6379]) (push) Has been cancelled
testing / test-remote-cacher (map[image:ghcr.io/microsoft/garnet-alpine:1.0.14 port:6379]) (push) Has been cancelled
/ release (push) Has been cancelled
testing / test-remote-cacher (map[image:registry.redict.io/redict:7.3.0-scratch port:6379]) (push) Has been cancelled
testing / test-mysql (push) Has been cancelled
testing / backend-checks (push) Has been cancelled
testing / test-pgsql (push) Has been cancelled
testing / frontend-checks (push) Has been cancelled
testing / test-sqlite (push) Has been cancelled
Some checks failed
testing / test-unit (push) Has been cancelled
testing / test-remote-cacher (map[image:docker.io/bitnami/redis:7.2 port:6379]) (push) Has been cancelled
testing / security-check (push) Has been cancelled
testing / test-remote-cacher (map[image:docker.io/bitnami/valkey:7.2 port:6379]) (push) Has been cancelled
testing / test-remote-cacher (map[image:ghcr.io/microsoft/garnet-alpine:1.0.14 port:6379]) (push) Has been cancelled
/ release (push) Has been cancelled
testing / test-remote-cacher (map[image:registry.redict.io/redict:7.3.0-scratch port:6379]) (push) Has been cancelled
testing / test-mysql (push) Has been cancelled
testing / backend-checks (push) Has been cancelled
testing / test-pgsql (push) Has been cancelled
testing / frontend-checks (push) Has been cancelled
testing / test-sqlite (push) Has been cancelled
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5998 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
This commit is contained in:
commit
6f825ab156
7 changed files with 56 additions and 35 deletions
|
@ -250,6 +250,9 @@ func (a *Action) GetActDisplayNameTitle(ctx context.Context) string {
|
|||
// GetRepoUserName returns the name of the action repository owner.
|
||||
func (a *Action) GetRepoUserName(ctx context.Context) string {
|
||||
a.loadRepo(ctx)
|
||||
if a.Repo == nil {
|
||||
return "(non-existing-repo)"
|
||||
}
|
||||
return a.Repo.OwnerName
|
||||
}
|
||||
|
||||
|
@ -262,6 +265,9 @@ func (a *Action) ShortRepoUserName(ctx context.Context) string {
|
|||
// GetRepoName returns the name of the action repository.
|
||||
func (a *Action) GetRepoName(ctx context.Context) string {
|
||||
a.loadRepo(ctx)
|
||||
if a.Repo == nil {
|
||||
return "(non-existing-repo)"
|
||||
}
|
||||
return a.Repo.Name
|
||||
}
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ const (
|
|||
// SanitizerRules implements markup.Renderer
|
||||
func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
|
||||
return []setting.MarkupSanitizerRule{
|
||||
{Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile(playerClassName)},
|
||||
{Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile("^" + playerClassName + "$")},
|
||||
{Element: "div", AllowAttr: playerSrcAttr},
|
||||
}
|
||||
}
|
||||
|
|
|
@ -37,9 +37,9 @@ func (Renderer) Extensions() []string {
|
|||
// SanitizerRules implements markup.Renderer
|
||||
func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
|
||||
return []setting.MarkupSanitizerRule{
|
||||
{Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`data-table`)},
|
||||
{Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)},
|
||||
{Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)},
|
||||
{Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`^data-table$`)},
|
||||
{Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
|
||||
{Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
|
||||
}
|
||||
}
|
||||
|
||||
|
|
4
release-notes/5998.md
Normal file
4
release-notes/5998.md
Normal file
|
@ -0,0 +1,4 @@
|
|||
fix(security): [commit](https://codeberg.org/forgejo/forgejo/commit/53c546951115d9e269a2778f90e43b0cb413eab6) Fix and refactor markdown rendering
|
||||
fix: [commit](https://codeberg.org/forgejo/forgejo/commit/6ac04b8c7dcedb9c6d994bb2a8cd37580394d9dd) Fix oauth2 error handle not return immediately
|
||||
fix: [commit](https://codeberg.org/forgejo/forgejo/commit/9f05c76b7b84f3cfafd4de22f5f18b87e4c79775) Fix nil panic if repo doesn't exist
|
||||
fix: [commit](https://codeberg.org/forgejo/forgejo/commit/8cec637d08542535d1dc9689c22943cd3ffe1c45) Disable Oauth check if oauth disabled
|
|
@ -1013,6 +1013,8 @@ func SignInOAuthCallback(ctx *context.Context) {
|
|||
}
|
||||
if err, ok := err.(*go_oauth2.RetrieveError); ok {
|
||||
ctx.Flash.Error("OAuth2 RetrieveError: "+err.Error(), true)
|
||||
ctx.Redirect(setting.AppSubURL + "/user/login")
|
||||
return
|
||||
}
|
||||
ctx.ServerError("UserSignIn", err)
|
||||
return
|
||||
|
|
|
@ -327,6 +327,13 @@ func registerRoutes(m *web.Route) {
|
|||
}
|
||||
}
|
||||
|
||||
oauth2Enabled := func(ctx *context.Context) {
|
||||
if !setting.OAuth2.Enabled {
|
||||
ctx.Error(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
reqMilestonesDashboardPageEnabled := func(ctx *context.Context) {
|
||||
if !setting.Service.ShowMilestonesDashboardPage {
|
||||
ctx.Error(http.StatusForbidden)
|
||||
|
@ -516,16 +523,18 @@ func registerRoutes(m *web.Route) {
|
|||
m.Any("/user/events", routing.MarkLongPolling, events.Events)
|
||||
|
||||
m.Group("/login/oauth", func() {
|
||||
m.Group("", func() {
|
||||
m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
|
||||
m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
|
||||
// TODO manage redirection
|
||||
m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
|
||||
}, ignSignInAndCsrf, reqSignIn)
|
||||
|
||||
m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
|
||||
m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
|
||||
m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
|
||||
m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
|
||||
m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
|
||||
m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
|
||||
m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
|
||||
m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
|
||||
}, oauth2Enabled)
|
||||
|
||||
m.Group("/user/settings", func() {
|
||||
m.Get("", user_setting.Profile)
|
||||
|
@ -567,17 +576,24 @@ func registerRoutes(m *web.Route) {
|
|||
}, openIDSignInEnabled)
|
||||
m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
|
||||
})
|
||||
m.Group("/applications/oauth2", func() {
|
||||
|
||||
m.Group("/applications", func() {
|
||||
// oauth2 applications
|
||||
m.Group("/oauth2", func() {
|
||||
m.Get("/{id}", user_setting.OAuth2ApplicationShow)
|
||||
m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
|
||||
m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
|
||||
m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
|
||||
m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
|
||||
m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
|
||||
})
|
||||
m.Combo("/applications").Get(user_setting.Applications).
|
||||
}, oauth2Enabled)
|
||||
|
||||
// access token applications
|
||||
m.Combo("").Get(user_setting.Applications).
|
||||
Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
|
||||
m.Post("/applications/delete", user_setting.DeleteApplication)
|
||||
m.Post("/delete", user_setting.DeleteApplication)
|
||||
})
|
||||
|
||||
m.Combo("/keys").Get(user_setting.Keys).
|
||||
Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost)
|
||||
m.Post("/keys/delete", user_setting.DeleteKey)
|
||||
|
@ -755,12 +771,7 @@ func registerRoutes(m *web.Route) {
|
|||
m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
|
||||
m.Post("/delete", admin.DeleteApplication)
|
||||
})
|
||||
}, func(ctx *context.Context) {
|
||||
if !setting.OAuth2.Enabled {
|
||||
ctx.Error(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
})
|
||||
}, oauth2Enabled)
|
||||
|
||||
m.Group("/actions", func() {
|
||||
m.Get("", admin.RedirectToDefaultSetting)
|
||||
|
@ -883,12 +894,7 @@ func registerRoutes(m *web.Route) {
|
|||
m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret)
|
||||
m.Post("/delete", org.DeleteOAuth2Application)
|
||||
})
|
||||
}, func(ctx *context.Context) {
|
||||
if !setting.OAuth2.Enabled {
|
||||
ctx.Error(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
})
|
||||
}, oauth2Enabled)
|
||||
|
||||
m.Group("/hooks", func() {
|
||||
m.Get("", org.Webhooks)
|
||||
|
|
|
@ -68,6 +68,9 @@ func grantAdditionalScopes(grantScopes string) string {
|
|||
// CheckOAuthAccessToken returns uid of user from oauth token
|
||||
// + non default openid scopes requested
|
||||
func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) {
|
||||
if !setting.OAuth2.Enabled {
|
||||
return 0, ""
|
||||
}
|
||||
// JWT tokens require a "."
|
||||
if !strings.Contains(accessToken, ".") {
|
||||
return 0, ""
|
||||
|
|
Loading…
Reference in a new issue