Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Add API routes to lock and unlock issues (go-gitea#34165)
  Make ROOT_URL support using request Host header (go-gitea#32564)
  Valid email address should only start with alphanumeric (go-gitea#28174)
  Fix notify watch failure when the content is too long (go-gitea#34233)
  Add "--fullname" arg to gitea admin user create (go-gitea#34241)
  Fix various UI problems (go-gitea#34243)
  markup: improve code block readability and isolate copy button (go-gitea#34009)
  Don't assume the default wiki branch is master in the wiki API (go-gitea#34244)
  [skip ci] Updated translations via Crowdin
  Optimize the calling code of queryElems (go-gitea#34235)
  Actions Runner rest api (go-gitea#33873)
  Fix some trivial problems (go-gitea#34237)
  Swift files can be passed either as file or as form value (go-gitea#34068)

# Conflicts:
#	templates/repo/wiki/revision.tmpl

Author: zjjhot

cmd/admin_user_create.go

@@ -81,6 +81,10 @@ var microcmdUserCreate = &cli.Command{
 			Name:  "restricted",
 			Usage: "Make a restricted user account",
 		},
+		&cli.StringFlag{
+			Name:  "fullname",
+			Usage: `The full, human-readable name of the user`,
+		},
 	},
 }
 
@@ -191,6 +195,7 @@ func runCreateUser(c *cli.Context) error {
 		Passwd:             password,
 		MustChangePassword: mustChangePassword,
 		Visibility:         visibility,
+		FullName:           c.String("fullname"),
 	}
 
 	overwriteDefault := &user_model.CreateUserOverwriteOptions{

cmd/admin_user_create_test.go

@@ -50,17 +50,17 @@ func TestAdminUserCreate(t *testing.T) {
 		assert.Equal(t, check{IsAdmin: false, MustChangePassword: false}, createCheck("u5", "--must-change-password=false"))
 	})
 
-	createUser := func(name, args string) error {
-		return app.Run(strings.Fields(fmt.Sprintf("./gitea admin user create --username %s --email %s@gitea.local %s", name, name, args)))
+	createUser := func(name string, args ...string) error {
+		return app.Run(append([]string{"./gitea", "admin", "user", "create", "--username", name, "--email", name + "@gitea.local"}, args...))
 	}
 
 	t.Run("UserType", func(t *testing.T) {
 		reset()
-		assert.ErrorContains(t, createUser("u", "--user-type invalid"), "invalid user type")
-		assert.ErrorContains(t, createUser("u", "--user-type bot --password 123"), "can only be set for individual users")
-		assert.ErrorContains(t, createUser("u", "--user-type bot --must-change-password"), "can only be set for individual users")
+		assert.ErrorContains(t, createUser("u", "--user-type", "invalid"), "invalid user type")
+		assert.ErrorContains(t, createUser("u", "--user-type", "bot", "--password", "123"), "can only be set for individual users")
+		assert.ErrorContains(t, createUser("u", "--user-type", "bot", "--must-change-password"), "can only be set for individual users")
 
-		assert.NoError(t, createUser("u", "--user-type bot"))
+		assert.NoError(t, createUser("u", "--user-type", "bot"))
 		u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "u"})
 		assert.Equal(t, user_model.UserTypeBot, u.Type)
 		assert.Empty(t, u.Passwd)
@@ -75,7 +75,7 @@ func TestAdminUserCreate(t *testing.T) {
 
 		// using "--access-token" only means "all" access
 		reset()
-		assert.NoError(t, createUser("u", "--random-password --access-token"))
+		assert.NoError(t, createUser("u", "--random-password", "--access-token"))
 		assert.Equal(t, 1, unittest.GetCount(t, &user_model.User{}))
 		assert.Equal(t, 1, unittest.GetCount(t, &auth_model.AccessToken{}))
 		accessToken := unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{Name: "gitea-admin"})
@@ -85,7 +85,7 @@ func TestAdminUserCreate(t *testing.T) {
 
 		// using "--access-token" with name & scopes
 		reset()
-		assert.NoError(t, createUser("u", "--random-password --access-token --access-token-name new-token-name --access-token-scopes read:issue,read:user"))
+		assert.NoError(t, createUser("u", "--random-password", "--access-token", "--access-token-name", "new-token-name", "--access-token-scopes", "read:issue,read:user"))
 		assert.Equal(t, 1, unittest.GetCount(t, &user_model.User{}))
 		assert.Equal(t, 1, unittest.GetCount(t, &auth_model.AccessToken{}))
 		accessToken = unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{Name: "new-token-name"})
@@ -98,23 +98,38 @@ func TestAdminUserCreate(t *testing.T) {
 
 		// using "--access-token-name" without "--access-token"
 		reset()
-		err = createUser("u", "--random-password --access-token-name new-token-name")
+		err = createUser("u", "--random-password", "--access-token-name", "new-token-name")
 		assert.Equal(t, 0, unittest.GetCount(t, &user_model.User{}))
 		assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
 		assert.ErrorContains(t, err, "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
 
 		// using "--access-token-scopes" without "--access-token"
 		reset()
-		err = createUser("u", "--random-password --access-token-scopes read:issue")
+		err = createUser("u", "--random-password", "--access-token-scopes", "read:issue")
 		assert.Equal(t, 0, unittest.GetCount(t, &user_model.User{}))
 		assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
 		assert.ErrorContains(t, err, "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
 
 		// empty permission
 		reset()
-		err = createUser("u", "--random-password --access-token --access-token-scopes public-only")
+		err = createUser("u", "--random-password", "--access-token", "--access-token-scopes", "public-only")
 		assert.Equal(t, 0, unittest.GetCount(t, &user_model.User{}))
 		assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
 		assert.ErrorContains(t, err, "access token does not have any permission")
 	})
+
+	t.Run("UserFields", func(t *testing.T) {
+		reset()
+		assert.NoError(t, createUser("u-FullNameWithSpace", "--random-password", "--fullname", "First O'Middle Last"))
+		unittest.AssertExistsAndLoadBean(t, &user_model.User{
+			Name:      "u-FullNameWithSpace",
+			LowerName: "u-fullnamewithspace",
+			FullName:  "First O'Middle Last",
+			Email:     "[email protected]",
+		})
+
+		assert.NoError(t, createUser("u-FullNameEmpty", "--random-password", "--fullname", ""))
+		u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "u-fullnameempty"})
+		assert.Empty(t, u.FullName)
+	})
 }

custom/conf/app.example.ini

@@ -59,27 +59,16 @@ RUN_USER = ; git
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; The protocol the server listens on. One of 'http', 'https', 'http+unix', 'fcgi' or 'fcgi+unix'. Defaults to 'http'
-;; Note: Value must be lowercase.
+;; The protocol the server listens on. One of "http", "https", "http+unix", "fcgi" or "fcgi+unix".
 ;PROTOCOL = http
 ;;
-;; Expect PROXY protocol headers on connections
-;USE_PROXY_PROTOCOL = false
-;;
-;; Use PROXY protocol in TLS Bridging mode
-;PROXY_PROTOCOL_TLS_BRIDGING = false
-;;
-; Timeout to wait for PROXY protocol header (set to 0 to have no timeout)
-;PROXY_PROTOCOL_HEADER_TIMEOUT=5s
-;;
-; Accept PROXY protocol headers with UNKNOWN type
-;PROXY_PROTOCOL_ACCEPT_UNKNOWN=false
-;;
-;; Set the domain for the server
+;; Set the domain for the server.
+;; Most users should set it to the real website domain of their Gitea instance.
 ;DOMAIN = localhost
 ;;
 ;; The AppURL used by Gitea to generate absolute links, defaults to "{PROTOCOL}://{DOMAIN}:{HTTP_PORT}/".
-;; Most users should set it to the real website URL of their Gitea instance.
+;; Most users should set it to the real website URL of their Gitea instance when there is a reverse proxy.
+;; When it is empty, Gitea will use HTTP "Host" header to generate ROOT_URL, and fall back to the default one if no "Host" header.
 ;ROOT_URL =
 ;;
 ;; For development purpose only. It makes Gitea handle sub-path ("/sub-path/owner/repo/...") directly when debugging without a reverse proxy.
@@ -90,13 +79,25 @@ RUN_USER = ; git
 ;STATIC_URL_PREFIX =
 ;;
 ;; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
-;; If PROTOCOL is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use.
+;; If PROTOCOL is set to "http+unix" or "fcgi+unix", this should be the name of the Unix socket file to use.
 ;; Relative paths will be made absolute against the _`AppWorkPath`_.
 ;HTTP_ADDR = 0.0.0.0
 ;;
-;; The port to listen on. Leave empty when using a unix socket.
+;; The port to listen on for "http" or "https" protocol. Leave empty when using a unix socket.
 ;HTTP_PORT = 3000
 ;;
+;; Expect PROXY protocol headers on connections
+;USE_PROXY_PROTOCOL = false
+;;
+;; Use PROXY protocol in TLS Bridging mode
+;PROXY_PROTOCOL_TLS_BRIDGING = false
+;;
+;; Timeout to wait for PROXY protocol header (set to 0 to have no timeout)
+;PROXY_PROTOCOL_HEADER_TIMEOUT = 5s
+;;
+;; Accept PROXY protocol headers with UNKNOWN type
+;PROXY_PROTOCOL_ACCEPT_UNKNOWN = false
+;;
 ;; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server
 ;; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main
 ;; ROOT_URL.  Defaults are false for REDIRECT_OTHER_PORT and 80 for

models/actions/runner.go

@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/shared/types"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/translation"
 	"code.gitea.io/gitea/modules/util"
@@ -123,8 +124,15 @@ func (r *ActionRunner) IsOnline() bool {
 	return false
 }
 
-// Editable checks if the runner is editable by the user
-func (r *ActionRunner) Editable(ownerID, repoID int64) bool {
+// EditableInContext checks if the runner is editable by the "context" owner/repo
+// ownerID == 0 and repoID == 0 means "admin" context, any runner including global runners could be edited
+// ownerID == 0 and repoID != 0 means "repo" context, any runner belonging to the given repo could be edited
+// ownerID != 0 and repoID == 0 means "owner(org/user)" context, any runner belonging to the given user/org could be edited
+// ownerID != 0 and repoID != 0 means "owner" OR "repo" context, legacy behavior, but we should forbid using it
+func (r *ActionRunner) EditableInContext(ownerID, repoID int64) bool {
+	if ownerID != 0 && repoID != 0 {
+		setting.PanicInDevOrTesting("ownerID and repoID should not be both set")
+	}
 	if ownerID == 0 && repoID == 0 {
 		return true
 	}
@@ -168,6 +176,12 @@ func init() {
 	db.RegisterModel(&ActionRunner{})
 }
 
+// FindRunnerOptions
+// ownerID == 0 and repoID == 0 means any runner including global runners
+// repoID != 0 and WithAvailable == false means any runner for the given repo
+// repoID != 0 and WithAvailable == true means any runner for the given repo, parent user/org, and global runners
+// ownerID != 0 and repoID == 0 and WithAvailable == false means any runner for the given user/org
+// ownerID != 0 and repoID == 0 and WithAvailable == true means any runner for the given user/org and global runners
 type FindRunnerOptions struct {
 	db.ListOptions
 	IDs           []int64

models/fixtures/action_runner.yml

@@ -0,0 +1,40 @@
+-
+  id: 34346
+  name: runner_to_be_deleted-user
+  uuid: 3EF231BD-FBB7-4E4B-9602-E6F28363EF18
+  token_hash: 3EF231BD-FBB7-4E4B-9602-E6F28363EF18
+  version: "1.0.0"
+  owner_id: 1
+  repo_id: 0
+  description: "This runner is going to be deleted"
+  agent_labels: '["runner_to_be_deleted","linux"]'
+-
+  id: 34347
+  name: runner_to_be_deleted-org
+  uuid: 3EF231BD-FBB7-4E4B-9602-E6F28363EF19
+  token_hash: 3EF231BD-FBB7-4E4B-9602-E6F28363EF19
+  version: "1.0.0"
+  owner_id: 3
+  repo_id: 0
+  description: "This runner is going to be deleted"
+  agent_labels: '["runner_to_be_deleted","linux"]'
+-
+  id: 34348
+  name: runner_to_be_deleted-repo1
+  uuid: 3EF231BD-FBB7-4E4B-9602-E6F28363EF20
+  token_hash: 3EF231BD-FBB7-4E4B-9602-E6F28363EF20
+  version: "1.0.0"
+  owner_id: 0
+  repo_id: 1
+  description: "This runner is going to be deleted"
+  agent_labels: '["runner_to_be_deleted","linux"]'
+-
+  id: 34349
+  name: runner_to_be_deleted
+  uuid: 3EF231BD-FBB7-4E4B-9602-E6F28363EF17
+  token_hash: 3EF231BD-FBB7-4E4B-9602-E6F28363EF17
+  version: "1.0.0"
+  owner_id: 0
+  repo_id: 0
+  description: "This runner is going to be deleted"
+  agent_labels: '["runner_to_be_deleted","linux"]'

models/issues/issue_lock.go

@@ -12,8 +12,14 @@ import (
 
 // IssueLockOptions defines options for locking and/or unlocking an issue/PR
 type IssueLockOptions struct {
-	Doer   *user_model.User
-	Issue  *Issue
+	Doer  *user_model.User
+	Issue *Issue
+
+	// Reason is the doer-provided comment message for the locked issue
+	// GitHub doesn't support changing the "reasons" by config file, so GitHub has pre-defined "reason" enum values.
+	// Gitea is not like GitHub, it allows site admin to define customized "reasons" in the config file.
+	// So the API caller might not know what kind of "reasons" are valid, and the customized reasons are not translatable.
+	// To make things clear and simple: doer have the chance to use any reason they like, we do not do validation.
 	Reason string
 }
 

models/packages/package_version.go

@@ -279,9 +279,7 @@ func (opts *PackageSearchOptions) configureOrderBy(e db.Engine) {
 	default:
 		e.Desc("package_version.created_unix")
 	}
-
-	// Sort by id for stable order with duplicates in the other field
-	e.Asc("package_version.id")
+	e.Desc("package_version.id") // Sort by id for stable order with duplicates in the other field
 }
 
 // SearchVersions gets all versions of packages matching the search options

modules/httplib/url.go

@@ -70,11 +70,16 @@ func GuessCurrentHostURL(ctx context.Context) string {
 	// 1. The reverse proxy is configured correctly, it passes "X-Forwarded-Proto/Host" headers. Perfect, Gitea can handle it correctly.
 	// 2. The reverse proxy is not configured correctly, doesn't pass "X-Forwarded-Proto/Host" headers, eg: only one "proxy_pass http://gitea:3000" in Nginx.
 	// 3. There is no reverse proxy.
-	// Without an extra config option, Gitea is impossible to distinguish between case 2 and case 3,
-	// then case 2 would result in wrong guess like guessed AppURL becomes "http://gitea:3000/", which is not accessible by end users.
-	// So in the future maybe it should introduce a new config option, to let site admin decide how to guess the AppURL.
+	// Without more information, Gitea is impossible to distinguish between case 2 and case 3, then case 2 would result in
+	// wrong guess like guessed AppURL becomes "http://gitea:3000/" behind a "https" reverse proxy, which is not accessible by end users.
+	// So we introduced "UseHostHeader" option, it could be enabled by setting "ROOT_URL" to empty
 	reqScheme := getRequestScheme(req)
 	if reqScheme == "" {
+		// if no reverse proxy header, try to use "Host" header for absolute URL
+		if setting.UseHostHeader && req.Host != "" {
+			return util.Iif(req.TLS == nil, "http://", "https://") + req.Host
+		}
+		// fall back to default AppURL
 		return strings.TrimSuffix(setting.AppURL, setting.AppSubURL+"/")
 	}
 	// X-Forwarded-Host has many problems: non-standard, not well-defined (X-Forwarded-Port or not), conflicts with Host header.

modules/httplib/url_test.go

@@ -5,6 +5,7 @@ package httplib
 
 import (
 	"context"
+	"crypto/tls"
 	"net/http"
 	"testing"
 
@@ -39,6 +40,25 @@ func TestIsRelativeURL(t *testing.T) {
 	}
 }
 
+func TestGuessCurrentHostURL(t *testing.T) {
+	defer test.MockVariableValue(&setting.AppURL, "http://cfg-host/sub/")()
+	defer test.MockVariableValue(&setting.AppSubURL, "/sub")()
+	defer test.MockVariableValue(&setting.UseHostHeader, false)()
+
+	ctx := t.Context()
+	assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(ctx))
+
+	ctx = context.WithValue(ctx, RequestContextKey, &http.Request{Host: "localhost:3000"})
+	assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(ctx))
+
+	defer test.MockVariableValue(&setting.UseHostHeader, true)()
+	ctx = context.WithValue(ctx, RequestContextKey, &http.Request{Host: "http-host:3000"})
+	assert.Equal(t, "http://http-host:3000", GuessCurrentHostURL(ctx))
+
+	ctx = context.WithValue(ctx, RequestContextKey, &http.Request{Host: "http-host", TLS: &tls.ConnectionState{}})
+	assert.Equal(t, "https://http-host", GuessCurrentHostURL(ctx))
+}
+
 func TestMakeAbsoluteURL(t *testing.T) {
 	defer test.MockVariableValue(&setting.Protocol, "http")()
 	defer test.MockVariableValue(&setting.AppURL, "http://cfg-host/sub/")()

modules/markup/html.go

@@ -71,7 +71,8 @@ var globalVars = sync.OnceValue(func() *globalVarsType {
 	// it is still accepted by the CommonMark specification, as well as the HTML5 spec:
 	//   http://spec.commonmark.org/0.28/#email-address
 	//   https://html.spec.whatwg.org/multipage/input.html#e-mail-state-(type%3Demail)
-	v.emailRegex = regexp.MustCompile("(?:\\s|^|\\(|\\[)([a-zA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9]{2,}(?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+)(?:\\s|$|\\)|\\]|;|,|\\?|!|\\.(\\s|$))")
+	// At the moment, we use stricter rule for rendering purpose: only allow the "name" part starting after the word boundary
+	v.emailRegex = regexp.MustCompile(`\b([-\w.!#$%&'*+/=?^{|}~]*@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9]{2,}(?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+)\b`)
 
 	// emojiShortCodeRegex find emoji by alias like :smile:
 	v.emojiShortCodeRegex = regexp.MustCompile(`:[-+\w]+:`)

modules/markup/html_email.go

@@ -3,7 +3,11 @@
 
 package markup
 
-import "golang.org/x/net/html"
+import (
+	"strings"
+
+	"golang.org/x/net/html"
+)
 
 // emailAddressProcessor replaces raw email addresses with a mailto: link.
 func emailAddressProcessor(ctx *RenderContext, node *html.Node) {
@@ -14,6 +18,14 @@ func emailAddressProcessor(ctx *RenderContext, node *html.Node) {
 			return
 		}
 
+		var nextByte byte
+		if len(node.Data) > m[3] {
+			nextByte = node.Data[m[3]]
+		}
+		if strings.IndexByte(":/", nextByte) != -1 {
+			// for cases: "[email protected]:owner/repo.git", "https://[email protected]/owner/repo.git"
+			return
+		}
 		mail := node.Data[m[2]:m[3]]
 		replaceContent(node, m[2], m[3], createLink(ctx, "mailto:"+mail, mail, "" /*mailto*/))
 		node = node.NextSibling.NextSibling