`go vet ./...` (finally runnable with a local Go toolchain) surfaced three
pre-existing failures that prevented the whole test tree from compiling — which
is very likely why the "Project CI / Tests" job never went green. None relate to
#727; all pre-existing on main.
- modules/util/util_test.go: CryptoRandomInt/String/Bytes now return (value,
error); the tests used single-value assignment. Updated to capture + assert
the error (and dropped a now-redundant `var err error`).
- tests/integration/auth_oauth2_test.go: `newFakeOIDCServer` was declared twice
with different signatures (redeclaration = build failure). Renamed the
config-struct variant to `newFakeOIDCServerWithConfig` and updated its caller;
the (sub, oid) variant keeps the original name for its caller.
- routers/web/repo/issue_comment.go: removed a redundant `&& statusIDStr != ""`
duplicate condition (vet: redundant and).
Verified: `go vet ./modules/util` clean; full `go vet ./...` re-run.
Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
Adds org-level tag protection as a parallel to org-level branch protection.
An org tag rule is {NamePattern, AllowlistTeamIDs}; it cascades to every repo
in the org and layers on top of the repo's own protected tags — a tag is
controllable (push/delete) only if allowed at BOTH levels (fail-closed).
- models/git/org_protected_tag.go: OrgProtectedTag model + CRUD +
ToProtectedTag() (reuses the ProtectedTag matcher/allowlist logic) +
IsUserAllowedToControlTagInRepo() which ANDs the repo decision with the org
decision. Migration 363.
- API: /orgs/{org}/tag_protections CRUD (routers/api/v1/org/tag_protection.go,
DTOs in modules/structs/org_tag.go, wired in api.go).
- Enforcement: the git push/delete hook (hook_pre_receive.go) and the two
release paths (release.go create/delete) now call the layered check, so no
per-site tag logic changes beyond swapping the helper.
- View: the repo Tag settings page lists inherited org tag rules read-only.
Stacked on #728 (branch-protection PR) for migration ordering — merge #728
first. Swagger annotations omitted (can't regenerate the swagger JSON without
the toolchain); routes still register.
Note: no Go toolchain available locally, so not compiled/gofmt'd/tested here.
Hand-verified: gofmt (tabs, no blank-in-block, struct alignment), template
nesting balances, all .Rule fields exist on OrgProtectedTag, all locale keys
defined, JSON valid, migration contiguous (363).
Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
Two related additions:
1. Branch deletion as an org-level ability. OrgProtectedBranch gained
CanDelete / EnableDeleteAllowlist / DeleteAllowlistTeamIDs (migration 362),
ToProtectedBranch maps them, and the API (create/edit/response DTOs +
handlers) exposes enable_delete / enable_delete_allowlist /
delete_allowlist_teams. The layering merge already combined delete fields, so
org delete-protection now enforces once ToProtectedBranch populates them.
2. The repo Branch Protection view now renders each inherited org rule as an
expandable detail (direct push, force-push, branch deletion, merge, required
approvals, status checks, protected files) with team names resolved, instead
of three headline badges. Still read-only.
Note: no Go toolchain available locally, so not compiled/gofmt'd/tested here.
Verified by hand: struct-field gofmt alignment, template block nesting balances,
every .Rule field exists on OrgProtectedBranch, and all locale keys referenced
in the template are defined.
Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
The org "floor" is enforced implicitly at the choke point, so a repo admin
couldn't see which org-level rules apply to their repo. Surface them in the
repo's Branch Protection settings page (read-only), the way GitHub shows
organization rulesets in a repository.
- ProtectedBranchRules handler: when the owner is an org, load
FindOrgProtectedBranchRules and expose them as OrgProtectedBranches.
- branches.tmpl: new read-only "Organization Branch Protection" section listing
each org rule with an "Organization" badge, a lock/read-only marker, and
compact indicators (required approvals, signed commits, status checks). No
edit/delete controls — these are managed at the org level.
- en-US locale strings.
Note: no Go toolchain available locally, so not compiled/gofmt'd/tested here.
Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
#720: org Teams page wrote ctx.Data["OrgListTeams"] but the template iterates .Teams, so no teams rendered. Use the canonical Teams key (matches org/home.go). #721: issue type sidebar gated editing on a FieldEditFlags data key that no handler sets (always nil -> always read-only). Use HasIssuesOrPullsWritePermission like the priority field; the /custom-type endpoint is already protected by reqRepoIssuesOrPullsWriter.
Backport #38009
The OAuth2 sign-in callback unconditionally set IsActive=true on the
local user row whenever the IdP authenticated them, silently undoing an
administrator's "Disable Account" action and granting the user a fresh
session in the same response. Treat the local IsActive flag as an
authoritative admin override: inactive users get a session and are
routed through the existing activate / prohibit-login pages by
verifyAuthWithOptions, matching the local-credentials sign-in path.
Adds an integration regression test that disables a linked local user
and asserts the row stays IsActive=false after a full OIDC callback.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #38074Fixes#38062.
Private repositories with a code unit configured for **anonymous read
access** (Settings → Public Access → Code: anonymous view) could not be
cloned without credentials. The git HTTP auth gate (`httpBase`) only
bypassed authentication for non-private repos, ignoring the per-unit
anonymous access setting entirely.
- Check anonymous permissions via
`access_model.GetDoerRepoPermission(ctx, repo, nil)` + `CanAccess`
before requiring auth on pull operations, so the per-unit
`AnonymousAccessMode` is respected through the existing permission model
- This also correctly handles `setting.Repository.ForcePrivate` (which
the naive direct-field check would have missed)
- Push (receive-pack) and `RequireSignInViewStrict` continue to require
credentials as before
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #38103
- Enforce org visibility on organization label read endpoints (private
org labels no longer leak to non-members).
- Block fork sync (`merge-upstream`) when the base repo is no longer
readable (stops pulling commits after a parent goes private).
- Remove `REVERSE_PROXY_LIMIT` / `REVERSE_PROXY_TRUSTED_PROXIES` from
the Docker `app.ini` templates (the `= *` default allowed
`X-WEBAUTH-USER` impersonation; reverse-proxy auth is now opt-in and
admin-configured).
- Enforce single-use TOTP passcodes across web login, password-reset,
and Basic-Auth `X-Gitea-OTP` (fixes a TOCTOU race and a stateless
replay).
- Re-check branch write permission for every ref in a push (the
pre-receive hook cached the first ref's result, letting a per-branch
maintainer-edit grant escalate to full repo write).
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #37875
This fixes an OIDC sign-in edge case where a stale `external_login_user`
record can still point to an organization or a deleted user.
In that situation, Gitea may keep resolving the external login to the
wrong account during sign-in. For affected instances, this matches the
behavior reported in #36439 and #37812, where a user signing in with
OIDC/Entra ID could appear as an organization, or hit a 404 after that
organization was removed.
- validate the user resolved from `external_login_user` during
OAuth2/OIDC login
- ignore stale links when the linked user no longer exists
- ignore stale links when the linked user is not an individual user
- remove the stale external login row so the sign-in flow can relink the
external account to the correct user
- Fixes#37812
- Related to #36439
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>
Co-authored-by: bircni <bircni@icloud.com>
Backport #38108
- Enforce repository token scope on RSS/Atom feed endpoints so a PAT
without repo scope can no longer read private repo commit data.
- Block HTTP redirects during repository migration clones to prevent
SSRF reaching internal addresses via an attacker-controlled redirect.
- Redact the notification subject after repo access is revoked so
private issue/PR metadata is no longer leaked through the notification
API.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
4 built-in presets: default, software-development, support-tickets,
bug-tracking. API endpoints to list presets, apply to org, and copy
statuses between orgs. Web UI dropdown on org settings page.
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
Add configurable per-user/team/deploy-key allowlist for deleting
protected branches. Previously, protected branches could never be
deleted via git push. Now admins can configure deletion permissions
with the same granularity as force-push allowlists.
- 6 new model fields: CanDelete, EnableDeleteAllowlist, DeleteAllowlistUserIDs/TeamIDs, DeleteAllowlistDeployKeys, DeleteAllowlistActionsUser
- CanUserDelete() method with admin-level default (higher than push)
- Migration v361 adds columns to protected_branch table
- Pre-receive hook checks delete allowlist instead of unconditional block
- CanDeleteBranch service uses CanUserDelete instead of IsBranchProtected
- API create/edit endpoints support delete allowlist fields
- Web UI settings page with radio buttons and user/team dropdowns
- 12 new locale strings for the delete allowlist UI
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
Add PATCH /users/{username}/tokens/{id} API endpoint and web UI edit
button so token scopes can be modified after creation without having
to delete and recreate the token.
- Migration v360: adds deploy_host, deploy_port, deploy_user, deploy_path,
docker_image, docker_registry, container_name, health_url to repo_manifest
- API: GET/PUT /metadata now includes deploy fields
- Settings: preserve deploy fields on web UI save
- Remove 4 unneeded workflows (gitleaks, npm-publish, notify, workflow-sync)
- gitleaks will become built-in (#692)
- npm-publish/notify not applicable to Go repo
- workflow-sync moving to MokoCLI
- Web: WikiSearch handler with case-insensitive search of titles and content
- Web: search.tmpl with search form and results display
- Web: "Search wiki" link added to wiki dropdown menu
- API: GET /wiki/search?q=term endpoint with pagination
- Recursive traversal handles nested folder wikis
CategoryPage was defined inside WikiCategory() but referenced by
scanCategoryEntries() which is a top-level function. Renamed to
wikiCategoryPage and moved to package scope.
Print view: clean rendering without navigation chrome for printing.
ZIP export: download entire wiki as ZIP archive of markdown files.
Folder ACL: _access.yml per-folder write protection with role checks.
Resolve merge conflicts between #674 and #675 implementations.
ToC can be controlled via frontmatter: toc=false disables, toc=inline
shows at top of content instead of sidebar. Sidebar ToC is now
collapsible via <details> and sticky on scroll. Inline ToC also
uses collapsible <details> with "Contents" header.
Add {{template:Name|key=val}} syntax for embedding reusable content.
Templates stored as _Template/Name.md with {{{key}}} parameter
substitution. Recursive with depth limit of 5. _Template folder
hidden from sidebar tree.
Add categories support using frontmatter: categories: [arch, api, ref]
Categories render as clickable tags at the bottom of wiki pages.
Category index page lists all pages tagged with a given category.
Frontmatter is stripped before markdown rendering.
Compare a wiki commit against its parent showing added/removed lines
with color-coded diff view. Accessible via diff icon button in wiki
page header and from revision history. Shows commit metadata
(author, message, timestamp) alongside the diff.
When a wiki page is renamed, automatically create a redirect file at
the old path with YAML frontmatter (redirect: new/path). The redirect
is detected in renderViewPage() before markdown rendering, issuing an
HTTP redirect with a flash message "Redirected from OldPage".
Shows all recent wiki edits with page name, author, edit summary,
and timestamp. Paginated. Accessible via "Recent changes" in the
wiki pages dropdown menu.
Add Wikipedia-style [[Page Name]] and [[Page|Display Text]] syntax.
Existing pages render as normal links; non-existent pages render as
red "new page" links. Supports [[folder/Page]], [[Page#Section]],
and [[#Anchor]] patterns.
Scan all wiki pages for references to the current page and display
them on a dedicated backlinks page. Uses content search across
markdown files (no database needed). Adds cross-reference button
to wiki page header.
Add IsRequired field to IssueStatusDef. Open and Closed statuses are
seeded as required and cannot be deleted. Delete attempts return an
error flash in the web UI and ErrStatusRequired in the model layer.
API response now includes is_required field.
Replace flat page list with hierarchical folder tree in org wiki sidebar.
_Sidebar.md takes precedence when present; otherwise auto-generates
collapsible folder menus up to 2 levels deep.
Admin page at /-/admin/license-tiers for managing product tiers:
- Tier list with key, name, repos, max domains, license count, sort order
- Create new tier form with repo input
- Delete tier (blocked if active licenses exist)
- Nav item added to admin sidebar
- Fix log message in FindOwnerProfileReadme (was "GetRepositoryByName", now "GetDoerRepoPermission")
- Add profile repo fallback to findOrgWikiCommit in wiki.go
- Extract ProfileRepoFallbacks helper for reuse across packages
Co-Authored-By: Claude <noreply@anthropic.com>
Primary profile repo name is now .mokogitea with fallback chain:
.mokogitea > .profile > .github (and their -private variants).
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove DisplayName field from RepoMetadata and UpdateStreamConfig
- Add DerivedDisplayName() method: "{Type} - {Name}" (e.g. "Package - MokoSuiteBackup")
- API returns computed display_name in GET, ignores it on PUT
- Update server feeds use DerivedDisplayName() instead of stored value
- Remove display_name from web forms (repo licensing, org update streams)
- License settings API computes display_name from repo metadata
- Migration v358: drop display_name columns from both tables
Rename package_type column and Go field to extension_type across
model, API, update server, manifest sync, settings UI, and changelog.
SQL migration renames the column. XML tag <package-type> in
.mokogitea/manifest.xml is unchanged (backward compat).
Fixes#646
AutoElementName() was using m.Name without lowercasing or cleaning,
producing elements like pkg_MokoSuiteBackup instead of
pkg_mokosuitebackup. Added cleanJoomlaElement() to replicate
Joomla's InputFilter::clean('cmd') behavior.
Removed incorrect "plugin": "plg_" — Joomla plugins use bare names.
Renamed RepoManifest → RepoMetadata across all non-migration Go
files. DB table remains repo_manifest for backward compatibility.
Migration files unchanged to preserve migration chain.
API endpoints /manifest and /metadata both continue to work
(backward compat route preserved in api.go).
Fixes#635
Review fixes:
- Propagate updateDomainRestriction error in grace-period path instead
of silently discarding it (was same bug class as the TOCTOU fix)
- Propagate IsDomainKnownForKey error inside transaction — discarding
it defeated the atomicity guarantee
- Wrap updateDomainRestriction error with context message
- Use boolean flags for changelog manifest fallback instead of fragile
sentinel comparison against strings.ToLower(repo.Name)
- Type-assert ctx.Data["RepoUpdatePlatform"] to string instead of
comparing interface{} values
- Use log.Warn instead of log.Error for manifest fallback (intentional
degradation, not a failure)
- Clarify comments: doc comment scope, hyphen removal wording
Three fixes for the Joomla update server system:
1. changelog_xml.go: Resolve element name from manifest first (same
priority as updates.xml) so changelog.xml and updates.xml emit
matching <element> values. Previously only checked the config table.
2. updateserver.go: Only serve Joomla XML when platform is joomla,
both, or unset. Previously only blocked dolibarr, meaning WordPress/
PrestaShop/Drupal/WHMCS repos incorrectly served Joomla XML.
3. license_key.go: Wrap domain auto-association in db.WithTx to prevent
TOCTOU race where concurrent requests from different domains could
exceed MaxSites. Also removes a duplicate site-limit check that was
unreachable dead code.
- License field is now a dropdown with common SPDX identifiers
- License name auto-derived from SPDX (spdxToName map)
- Preserve hidden fields (element_name, display_name, maintainer, etc.)
when saving from the simplified UI
- Remove unused updateserver_model import from metadata handler
- /settings/metadata: project identity + custom fields
- /settings/updateserver: enable, platform, visibility, gating, keys
- Update server nav link shown when LicensingEnabled
- Old /settings/licensing and /settings/manifest redirect
- Merge project identity (manifest), update server config, and custom
fields into single /settings/metadata page
- Three sections: Project Identity, Update Server, Custom Fields
- Old /settings/manifest and /settings/licensing redirect to /metadata
- Single nav link replaces two separate entries