- Enforce org visibility on organization label read endpoints (private
org labels no longer leak to non-members).
- Block fork sync (`merge-upstream`) when the base repo is no longer
readable (stops pulling commits after a parent goes private).
- Remove `REVERSE_PROXY_LIMIT` / `REVERSE_PROXY_TRUSTED_PROXIES` from
the Docker `app.ini` templates (the `= *` default allowed
`X-WEBAUTH-USER` impersonation; reverse-proxy auth is now opt-in and
admin-configured).
- Enforce single-use TOTP passcodes across web login, password-reset,
and Basic-Auth `X-Gitea-OTP` (fixes a TOCTOU race and a stateless
replay).
- Re-check branch write permission for every ref in a push (the
pre-receive hook cached the first ref's result, letting a per-branch
maintainer-edit grant escalate to full repo write).
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Switch to non-deprecation setting
(Avoid by-default: "Deprecated fallback `[server]` `LFS_CONTENT_PATH` present. Use `[lfs]` `PATH` instead. This fallback will be removed in v1.18.0")
* Update all references
* Add reverse proxy configuration support for remote IP address validation
* Trust all IP addresses in containerized environments by default
* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Change default log configuration
This PR changes the install page and the docker default
logging configuration to match the suggested configuration
that I repeatedly end up suggesting on issues.
It further improves the logging configuration docs to
recommend specific instructions for how to configure logs
for posting to issues.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update docs/content/doc/advanced/logging-documentation.en-us.md
In the /install form, the value for SSH Server Domain is taken form the DOMAIN variable
and overwrites SSH_DOMAIN environment variable set the first time if nothing done
Co-authored-by: Adrian POIGET <adrian.poiget@viveris.fr>
* Repository avatars
- first variant of code from old work for gogs
- add migration 87
- add new option in app.ini
- add en-US locale string
- add new class in repository.less
* Add changed index.css, remove unused template name
* Update en-us doc about configuration options
* Add comments to new functions, add new option to docker app.ini
* Add comment for lint
* Remove variable, not needed
* Fix formatting
* Update swagger api template
* Check if avatar exists
* Fix avatar link/path checks
* Typo
* TEXT column can't have a default value
* Fixes:
- remove old avatar file on upload
- use ID in name of avatar file - users may upload same files
- add simple tests
* Fix fmt check
* Generate PNG instead of "static" GIF
* More informative comment
* Fix error message
* Update avatar upload checks:
- add file size check
- add new option
- update config docs
- add new string to en-us locale
* Fixes:
- use FileHEader field for check file size
- add new test - upload big image
* Fix formatting
* Update comments
* Update log message
* Removed wrong style - not needed
* Use Sync2 to migrate
* Update repos list view
- bigger avatar
- fix html blocks alignment
* A little adjust avatar size
* Use small icons for explore/repo list
* Use new cool avatar preparation func by @lafriks
* Missing changes for new function
* Remove unused import, move imports
* Missed new option definition in app.ini
Add file size check in user/profile avatar upload
* Use smaller field length for Avatar
* Use session to update repo DB data, update DeleteAvatar - use session too
* Fix err variable definition
* As suggested @lafriks - return as soon as possible, code readability
