feat(repo): enforce dot-prefixed repos as always-private system repos #77

Merged
jmiller merged 1 commits from feature/system-repo-private into main 2026-05-13 00:16:13 +00:00
Owner

Summary

  • Repositories with names starting with . are now treated as system repositories that are always private and cannot be made public
  • On creation paths (API, web, migrate, template, push-to-create), privacy is silently forced
  • On edit paths (API edit, web settings, public access settings), a clear error is returned
  • UI disables the "Make Public" button for system repos by setting ForcePrivate in template context

Files Changed (10)

| Layer | File | Behavior |
|---|---|---|
| Model | models/repo/repo.go | IsSystemRepo() - name starts with . |
| Service | services/repository/repository.go | MakeRepoPrivate() guard - hard error |
| API Create | routers/api/v1/repo/repo.go | Silent force private |
| API Edit | routers/api/v1/repo/repo.go | 403 Forbidden |
| API Migrate | routers/api/v1/repo/migrate.go | Silent force private |
| Web Create | routers/web/repo/repo.go | Silent force private |
| Web Migrate | routers/web/repo/migrate.go | Silent force private |
| Web Settings | routers/web/repo/setting/setting.go | UI disabled + hard error |
| Public Access | routers/web/repo/setting/public_access.go | UI disabled + redirect |
| Push Hook | routers/private/hook_post_receive.go | Silent ignore + log warning |
| Locale | options/locale/locale_en-US.json | Error message string |

Test plan

  • Create a repo named .test-system via API - verify it is created as private
  • Create a repo named .test-system-web via web UI - verify it is created as private
  • Try to edit .test-system visibility to public via API - verify 403 response
  • Try to change visibility to public via web settings - verify error message
  • Verify normal (non-dot) repos are unaffected

Generated with Claude Code

jmiller added 1 commit 2026-05-13 00:15:52 +00:00
feat(repo): enforce dot-prefixed repos as always-private system repos
compliance / files-changed (pull_request) Successful in 2m48s
pr-title / lint-pr-title (pull_request) Successful in 5s
db-tests / files-changed (pull_request) Successful in 2m53s
docker-dryrun / files-changed (pull_request) Successful in 3m7s
e2e-tests / files-changed (pull_request) Successful in 3m8s
compliance / lint-on-demand (pull_request) Successful in 1m23s
compliance / lint-backend (pull_request) Failing after 4m50s
compliance / frontend (pull_request) Has been skipped
compliance / checks-backend (pull_request) Failing after 5m20s
compliance / backend (pull_request) Failing after 4m15s
db-tests / test-pgsql (pull_request) Failing after 4m7s
db-tests / test-sqlite (pull_request) Failing after 4m29s
db-tests / test-unit (pull_request) Failing after 5m53s
db-tests / test-mysql (pull_request) Failing after 5m21s
docker-dryrun / container-amd64 (pull_request) Has been skipped
docker-dryrun / container-arm64 (pull_request) Has been skipped
docker-dryrun / container-riscv64 (pull_request) Has been skipped
db-tests / test-mssql (pull_request) Failing after 6m30s
e2e-tests / test-e2e (pull_request) Failing after 4m53s
compliance / lint-go-gogit (pull_request) Failing after 33m59s
compliance / lint-go-windows (pull_request) Failing after 33m59s
c5eb8df8a2
Repositories with names starting with "." are now treated as system
repositories that are always private and cannot be made public. This is
enforced at every code path: API create, web create, migrate, template
create, push-to-create, API edit, web settings, and public access
settings. On creation paths, privacy is silently forced. On edit paths,
a clear error is returned.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jmiller merged commit ef6a7dcfcf into main 2026-05-13 00:16:13 +00:00
Reference: MokoConsulting/MokoGitea#77
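
The create/edit split described in the PR summary, as an added Go example that is not the project's own code: creation coerces the flag, edits are refused, and an audit pass finds rows that never went through either guard. `IsSystemRepo` takes its name from the PR but its body is assumed from the description; `Repo`, `NewRepo`, `SetVisibility`, `Violations` and `ErrSystemRepoPublic` are hypothetical, and the audit of pre-existing rows is an assumption the PR does not mention.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Repo is a hypothetical stand-in for the repository model.
type Repo struct {
	Name      string
	IsPrivate bool
}

// ErrSystemRepoPublic is a hypothetical error an edit handler would map to 403.
var ErrSystemRepoPublic = errors.New("system repositories cannot be made public")

// IsSystemRepo applies the rule from the PR: the name starts with ".".
func IsSystemRepo(name string) bool { return strings.HasPrefix(name, ".") }

// NewRepo models a creation path: the requested visibility is silently overridden.
func NewRepo(name string, private bool) *Repo {
	return &Repo{Name: name, IsPrivate: private || IsSystemRepo(name)}
}

// SetVisibility models an edit path: the request is rejected, state is unchanged.
func (r *Repo) SetVisibility(private bool) error {
	if !private && IsSystemRepo(r.Name) {
		return ErrSystemRepoPublic
	}
	r.IsPrivate = private
	return nil
}

// Violations audits stored rows, e.g. repos made public before the rule existed.
func Violations(repos []*Repo) []string {
	var bad []string
	for _, r := range repos {
		if IsSystemRepo(r.Name) && !r.IsPrivate {
			bad = append(bad, r.Name)
		}
	}
	return bad
}

func main() {
	legacy := &Repo{Name: ".legacy", IsPrivate: false} // constructed sample row
	sys := NewRepo(".test-system", false)
	fmt.Println(sys.IsPrivate, sys.SetVisibility(false), Violations([]*Repo{legacy, sys}))
}
```
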