Support setting cookie domain #6288
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## master #6288 +/- ##
==========================================
+ Coverage 41.19% 41.19% +<.01%
==========================================
Files 469 469
Lines 63544 63549 +5
==========================================
+ Hits 26176 26179 +3
- Misses 33946 33948 +2
Partials 3422 3422
Continue to review full report at Codecov.
|
GiteaBot
added
the
lgtm/need 2
techknowlogick
requested changes
Mar 9, 2019
| @@ -145,8 +146,9 @@ func NewMacaron() *macaron.Macaron { | |||
| Cookie: setting.CSRFCookieName, | |||
| SetCookie: true, | |||
| Secure: setting.SessionConfig.Secure, | |||
| CookieHttpOnly: true, | |||
There was a problem hiding this comment.
This is an important security measure and shouldn't be set to false. By setting this to false an attacker could gain access to the cookie.
There was a problem hiding this comment.
I am following this article: http://www.redotheweb.com/2015/11/09/api-security.html
You are right in that session cookie must be HTTPOnly to protect against XSS attack. But it is ok to make CSRF cookie readable by JS and usually passed as header or request body in a CORS ajax call.
There was a problem hiding this comment.
I also agree with @techknowlogick that it should be true.
There was a problem hiding this comment.
@lunny, please take a look at https://medium.com/@iaincollins/csrf-tokens-via-ajax-a885c7305d4a . When we are using Vue (ajax), we need to read the csrf from JS to pass it to api calls. There is no benefit to making csrf cookie HTTPOnly. Frameworks like Django / Laravel make csrf token not HTTPOnly.
It’s important to note you should use HTTP Only cookies for your session tokens (which is best practice and provides protection against XSS attacks). However, CSRF tokens do not need to be stored in cookies — but they can be and unlike session tokens they do not need to be HTTP Only cookies.
There was a problem hiding this comment.
My understanding is that the content from the meta tag (<meta name="_csrf" content=) is what is needed for JS to pass it to API calls using the X-Csrf-Token header.
There was a problem hiding this comment.
@techknowlogick , it seems that both techniques are used. See here for Laravel https://laravel.com/docs/5.8/csrf .
In terms of security, the goal of HTTPOnly cookie is to ensure that JS can't read that. But if that same value is set on meta tag, that JS can easily read it. So, by making this cookie HTTPonly, we are not achieving anything more security wise.
In our case, _meta tag does not work, because we want to access the csrf token from a Vue / SPA app that is running on a subdomain. That Vue app is purely SPA and does not connect with the same gitea backend. So, we can't set the meta tag. But the cookie technique works well for us. The csrf cookie is set on the .domain.com, so my SPA running on subdom.domain.com can read and pass on that to ajax request as header.
There was a problem hiding this comment.
The API should be used in this case, however I can see that you do have a use case for the way you are proposing, and while I feel it would be less secure perhaps we could reach a compromise. Just like your other PR with CORS, perhaps similar to that we make this customizable where HTTPOnly setting (default to true) could be configured along side with the domain for the cookie.
There was a problem hiding this comment.
I can make it configurable. That works for us. Should I call it setting.CSRFCookieHttpOnly ?
There was a problem hiding this comment.
I have added a setting under security.CSRF_COOKIE_HTTP_ONLY. PTAL.
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions. |
|
@techknowlogick / @lunny, I wonder if you can take a look at this pr. |
|
@tamalsaha will review this on weekend. |
lunny
added
the
issue/confirmed
|
@lunny , ping 🙏 ? |
lunny
requested changes
Jun 27, 2019
routers/user/auth.go
Outdated
| @@ -20,7 +20,6 @@ import ( | |||
| "code.gitea.io/gitea/modules/recaptcha" | |||
| "code.gitea.io/gitea/modules/setting" | |||
| "code.gitea.io/gitea/modules/util" | |||
|
|
|||
| @@ -145,8 +146,9 @@ func NewMacaron() *macaron.Macaron { | |||
| Cookie: setting.CSRFCookieName, | |||
| SetCookie: true, | |||
| Secure: setting.SessionConfig.Secure, | |||
| CookieHttpOnly: true, | |||
There was a problem hiding this comment.
I also agree with @techknowlogick that it should be true.
|
@techknowlogick / @lunny , if everything looks good, please give it a lgtm ? :) |
Signed-off-by: Tamal Saha <tamal@appscode.com>
techknowlogick
approved these changes
Jul 12, 2019
GiteaBot
added
lgtm/need 1
lunny
approved these changes
Jul 12, 2019
GiteaBot
added
lgtm/done
|
Make LGTM work |
jeffliu27
pushed a commit
to jeffliu27/gitea
that referenced
this pull request
Jul 18, 2019
Signed-off-by: Tamal Saha <tamal@appscode.com>
aswild
added a commit
to aswild/gitea
that referenced
this pull request
Oct 17, 2019
* BREAKING * Remove legacy handling of drone token (go-gitea#8191) * Change repo search to use exact match for topic search. (go-gitea#7941) * Add pagination for admin api get orgs and fix only list public orgs bug (go-gitea#7742) * Implement the ability to change the ssh port to match what is in the gitea config (go-gitea#7286) * FEATURE * Org/Members: display 2FA members states + optimize sql requests (go-gitea#7621) * SetDefaultBranch on pushing to empty repository (go-gitea#7610) * Adds side-by-side diff for images (go-gitea#6784) * API method to list all commits of a repository (go-gitea#6408) * Password Complexity Checks (go-gitea#6230) * Add option to initialize repository with labels (go-gitea#6061) * Add additional password hash algorithms (go-gitea#6023) * BUGFIXES * Fix errors in create org UI regarding team access permission (go-gitea#8506) * Fix bug on FindExternalUsersByProvider (go-gitea#8504) * Create .ssh dir as necessary (go-gitea#8486) * IsBranchExist: return false if provided name is empty (go-gitea#8485) * Making openssh listen on SSH_LISTEN_PORT not SSH_PORT (go-gitea#8477) * Add check for empty set when dropping indexes during migration (go-gitea#8471) * LFS files are relative to LFS content path, ensure that when deleting they are made relative to this (go-gitea#8455) * Ensure Request Body Readers are closed in LFS server (go-gitea#8454) * Fix template bug on mirror repository setting page (go-gitea#8438) * Fix migration v96 to keep issue attachments (go-gitea#8435) * Update strk.kbt.io/projects/go/libravatar to latest (go-gitea#8429) * Singular form for files that has only one line (go-gitea#8416) * Check for either escaped or unescaped wiki filenames (go-gitea#8408) * Allow users with explicit read access to give approvals (go-gitea#8382) * Fix editor commit to new branch if PR disabled (go-gitea#8375) * readd .markdown class to all markup renderers (go-gitea#8357) * Upgrade xorm to v0.7.9 to fix some bugs (go-gitea#8354) * Fix column name ambiguity in GetUserIssueStats() (go-gitea#8347) * Change general form binding to gogs form (go-gitea#8334) * Fix pull request commit status in user dashboard list (go-gitea#8321) * Fix repo_admin_change_team_access always checked in org settings (go-gitea#8319) * Update to github.com/lafriks/xormstore@v1.3.0 (go-gitea#8317) * Show correct commit status in PR list (go-gitea#8316) * Bugfix for image compare and minor improvements to image compare (go-gitea#8289) * Update xorm (go-gitea#8286) * Fix API for edit and delete release attachment (go-gitea#8285) * Fix nil object access in some conditions when parsing cross references (go-gitea#8281) * Fix label count (go-gitea#8267) * Only show teams access for organization repositories on collaboration setting page (go-gitea#8265) * Test more reserved usernames (go-gitea#8263) * Rewrite reference processing code in preparation for opening/closing from comment references (go-gitea#8261) * Fix assets key on release webhook (go-gitea#8253) * Allow registration when button is hidden (go-gitea#8237) * Fix release API URL generation (go-gitea#8234) * Fix milestone num_issues (go-gitea#8221) * MS Teams webhook misses commit messages (go-gitea#8209) * Fix data race (go-gitea#8204) * Fix team user api (go-gitea#8172) * Fix pull merge 500 error caused by git-fetch breaking behaviors (go-gitea#8161) * Make show private icon when repo avatar set (go-gitea#8144) * Add reviewers as participants (go-gitea#8121) * Fix Go 1.13 private repository go get issue (go-gitea#8112) * feat: highlight issue references with : (go-gitea#8101) * Make AllowedUsers configurable in sshd_config (go-gitea#8094) * Strict name matching for Repository.GetTagID() (go-gitea#8074) * Avoid ambiguity of branch/directory names for the git-diff-tree command (go-gitea#8066) * Add change title notification for issues (go-gitea#8061) * [ssh] fix the config specification in the authorized_keys template (go-gitea#8031) * Fix reading git notes from nested trees (go-gitea#8026) * Fixes synchronize tags to releases for repository - makes sure we are only getting tag refs (go-gitea#7990) * Fix adding default Telegram webhook (go-gitea#7972) * Run CORS handler first for /api routes (go-gitea#7967) * Abort synchronization from LDAP source if there is some error. (go-gitea#7960) * Fix wrong sender when send slack webhook (go-gitea#7918) * Fix bug when migrating a private repository (go-gitea#7917) * Evaluate emojis in commit messages in list view (go-gitea#7906) * Fix upload file type check (go-gitea#7890) * lfs/lock: round locked_at timestamp to second (go-gitea#7872) * fix non existent milestone with 500 error instead of 404 (go-gitea#7867) * gpg/bugfix: Use .ExpiredUnix.IsZero to display green color of forever valid gpg key (go-gitea#7846) * Fix duplicate call of webhook (go-gitea#7821) * Enable switching to a different source branch when PR already exists (go-gitea#7819) * Convert files to utf-8 for indexing (go-gitea#7814) * Do not fetch all refs in pull-request compare (go-gitea#7797) * Fix multiple bugs with statuses endpoints at API (go-gitea#7785) * Restore functionality for early gits (go-gitea#7775) * Fix Slack webhook fork message (go-gitea#7774) * Rewrite existing repo units if setting is not included in api body (go-gitea#7763) * Fix rename failed when rewrite public keys (go-gitea#7761) * Fix approvals counting (go-gitea#7757) * Add migration step to remove old repo_indexer_status orphaned records (go-gitea#7746) * Fix repo_index_status lingering when deleting a repository (go-gitea#7734) * Remove camel case tokenization from repo indexer (go-gitea#7733) * Fix milestone completness calculation when migrating (go-gitea#7725) * Regression: Include "executable" files in the index, as they are not necessarily … (go-gitea#7718) * Fixes indexed repos keeping outdated indexes when files grow too large (go-gitea#7712) * Skip non-regular files (e.g. submodules) on repo indexing (go-gitea#7711) * Fix dropTableColumns sqlite implementation (go-gitea#7710) * Update gopkg.in/src-d/go-git.v4 to v4.13.1 (go-gitea#7705) * improve branches list performance and fix protected branch icon when no-login (go-gitea#7695) * Correct wrong datetime format for git (go-gitea#7689) * Move add to hook queue for created repo to outside xorm session. (go-gitea#7675) * sugestion to use range .Branches (go-gitea#7674) * Fix bug on migrating milestone from github (go-gitea#7665) * hide delete/restore button on archived repos (go-gitea#7658) * css: use flex to fix floating paginate (go-gitea#7656) * Fix syntax highlight initialization (go-gitea#7617) * Fix panic on push at - Merging pull request causes 500 error (go-gitea#7615) * Make PKCS8, PEM and SSH2 keys work (go-gitea#7600) * Fix mistake in arc-green.less split-diff css code. (go-gitea#7587) * Handle ErrUserProhibitLogin in http git (go-gitea#7586) * Fix bug create/edit wiki pages when code master branch protected (go-gitea#7580) * Fixes Malformed URLs in API git/commits response (go-gitea#7565) * Fix file header overflow in file and blame views (go-gitea#7562) * Improve SSH key parser to handle newlines in keys (go-gitea#7522) * Fix empty commits now showing in repo overview (go-gitea#7521) * Fix repository's pull request count error (go-gitea#7518) * Fix markdown invoke sequence (go-gitea#7513) * Remove duplicated webhook trigger (go-gitea#7511) * Update User.NumRepos atomically in createRepository (go-gitea#7493) * Fix settings page of repo you aren't admin print error - Settings pages giving UnitType error message (go-gitea#7482) * Fix redirection after file edit - Handles all redirects for Web UI File CRUD (go-gitea#7478) * cmd/serv: actually exit after fatal errors (go-gitea#7458) * Fix an issue with some pages throwing 'not defined' js exceptions (go-gitea#7450) * fix Dropzone.js integration (go-gitea#7445) * Fix regex for issues in commit messages (go-gitea#7444) * Diff: Fix indentation on unhighlighted code (go-gitea#7435) * Only show "New Pull Request" button if repo allows pulls (go-gitea#7426) * Upgrade macaron/captcha to fix random error problem (go-gitea#7407) * create class for inline positioned lists (go-gitea#7393) * Fetch refs for successful testing for tag (go-gitea#7388) * add missing template variable on organisation settings (go-gitea#7385) * fix post parameter - on issue list - unset assignee (go-gitea#7380) * fix/define autochecked checkboxes on issue list in firefox (go-gitea#7320) * only return head: null if source branch was deleted (go-gitea#6705) * ENHANCEMENT * Add nofollow to sign in links (go-gitea#8509) * vendor: update mvdan.cc/xurls/v2 to v2.1.0 (go-gitea#8495) * Update milestone issues numbers when save milestone and other code improvements (go-gitea#8411) * Add extra user information when migrating release (go-gitea#8331) * Require overall success if no context is given for status check (go-gitea#8318) * Transaction-aware retry create issue to cope with duplicate keys (go-gitea#8307) * Change link on issue milestone (go-gitea#8246) * Alwaywas return local url for users avatar (go-gitea#8245) * Move some milestone functions to a standalone package (go-gitea#8213) * Move create issue comment to comments package (go-gitea#8212) * Disable max height property of comment textarea (go-gitea#8203) * Add 'Mentioning you' group to /issues page (go-gitea#8201) * oauth2 with remote Gitea (go-gitea#8149) * Reference issues from pull requests and other issues (go-gitea#8137) * Fix webhooks to use proxy from environment (go-gitea#8116) * Add merged commit id on pull view when it's merged (go-gitea#8062) * Add teams to repo on collaboration page. (go-gitea#8045) * Update swagger to 0.20.1 (go-gitea#8010) * Make link last commit massages in repository home page and commit tables (go-gitea#8006) * Add API endpoint for accessing repo topics (go-gitea#7963) * Include description in repository search (go-gitea#7942) * Use gitea forked macaron (go-gitea#7933) * Fix pull creation with empty changes (go-gitea#7920) * Allow token as authorization for accessing attachments (go-gitea#7909) * Retry create issue to cope with duplicate keys (go-gitea#7898) * Move git diff codes from models to services/gitdiff (go-gitea#7889) * migrate gplus to google oauth2 provider (go-gitea#7885) * Remove unique filter from repo indexer analyzer. (go-gitea#7878) * Detect delimiter in CSV rendering (go-gitea#7869) * Import topics during migration (go-gitea#7851) * Move CreateReview to modules/pull (go-gitea#7841) * vendor: update pdf.js to v2.1.266 (go-gitea#7834) * Support SSH_LISTEN_PORT env var in docker app.ini template (go-gitea#7829) * Add Ability for User to Customize Email Notification Frequency (go-gitea#7813) * Move database settings from models to setting (go-gitea#7806) * Display ui time with customize time location (go-gitea#7792) * Implement webhook branch filter (go-gitea#7791) * Restrict repository indexing by glob match (go-gitea#7767) * Api: advanced settings for repository (external wiki, issue tracker etc.) (go-gitea#7756) * Update migrated repositories' issues/comments/prs poster id if user has a github external user saved (go-gitea#7751) * deps: Upgrade gopkg.in/editorconfig/editorconfig-core-go.v1 (go-gitea#7749) * Apply emoji on commit graph page (go-gitea#7743) * Add a lot of extension to language mappings for syntax highlights (go-gitea#7741) * Add SQL execution on log and indexes on table repository and comment (go-gitea#7740) * Set DB connection error level to error (go-gitea#7724) * Check commit message hashes before making links (go-gitea#7713) * remove unnecessary fmt on generate bindata (go-gitea#7706) * Fix specific highlighting (CMakeLists.txt ...) (go-gitea#7686) * Add file status on API (go-gitea#7671) * Add support for DEFAULT_ORG_MEMBER_VISIBLE (go-gitea#7669) * Provide links in commit summaries in commits table/view list (go-gitea#7659) * Change length of some repository's columns (go-gitea#7652) * Move commit repo action from models to repofiles package (go-gitea#7645) * fix wrong email when use gitea as OAuth2 provider (go-gitea#7640) * [Branch View] add download button (go-gitea#7604) * Update to xorm@v0.7.4 (go-gitea#7596) * use 403 instead of 401 for ErrUserProhibitLogin (go-gitea#7591) * Removed unnecessary conversions (go-gitea#7557) * Un-lambda base.FileSize (go-gitea#7556) * Added missing error checks in tests (go-gitea#7554) * Move create release from models to a standalone package (go-gitea#7539) * Make default branch name link to default branch (go-gitea#7519) * Added total count of contributions to heatmap (go-gitea#7517) * Move mirror to a standalone package from models (go-gitea#7486) * Move models.PushUpdate to repofiles.PushUpdate (go-gitea#7485) * Include thread related headers in issue/coment mail (go-gitea#7484) * Refuse merge until all required status checks success (go-gitea#7481) * convert all js var to let/const (go-gitea#7464) * Only create branches for opened pull requestes when migrating from github (go-gitea#7463) * jQuery 3 (go-gitea#7425) * Add notification placeholder (go-gitea#7409) * Search Commits via Commit Hash (go-gitea#7400) * Move status table to cron package (go-gitea#7370) * wiki - page revisions list (go-gitea#7369) * Display original author and URL information when showing migrated issues/comments (go-gitea#7352) * Refactor filetype is not allowed errors (go-gitea#7309) * switch to use gliderlabs/ssh for builtin server (go-gitea#7250) * Remove settting dependency on modules/session (go-gitea#7237) * Move all mail related codes from models to services/mailer (go-gitea#7200) * Support git.PATH entry in app.ini (go-gitea#6772) * Support setting cookie domain (go-gitea#6288) * Move migrating repository from frontend to backend (go-gitea#6200) * Delete releases attachments if release is deleted (go-gitea#6068) * SECURITY * Ignore mentions for users with no access (go-gitea#8395) * Be more strict with git arguments (go-gitea#7715) * reserve .well-known username (go-gitea#7637) * TRANSLATION * Latvian translation for home page (go-gitea#8468) * Add home template italian translation (go-gitea#8352) * fix misprint (go-gitea#7452) * BUILD * use go 1.13 (go-gitea#8088) * MISC * add file line count info on UI (go-gitea#8396) * Make issues page left menu 100% width and add reponame as title attribute (go-gitea#8359) * [arc-green] white on hover for active menu items (go-gitea#8344) * Move ref (branch or tag) location on issue list page (go-gitea#8157) * apply emoji on dashboard issue list labels (go-gitea#8156) * 1148: Take up the full width when viewing the diff in split view. (go-gitea#8114) * Display description of 'make this repo private' as help text, not as tooltip (go-gitea#8097) * Fixes deformed emoji in pull request reviews (go-gitea#8047) * Add strike to old header on comment (go-gitea#8046) * Add tooltip for the visibility checkbox in /repo/create (go-gitea#8025) * Update github.com/lafriks/xormstore and tidy up mod.go (go-gitea#8020) * keep blame view buttons sequence consistent with normal view when view a file (go-gitea#8007) * Use "Pull Request" instead of "Merge Request" (go-gitea#8003) * Move line number to :before attr to hide from search on browser (go-gitea#8002) * Changed black color to white for (read) number label on issue list page (go-gitea#8000) * [Branch View] show "New Pull Request" Button only if posible (go-gitea#7977) * Fix hook problem by only setting the git environment variables if we are passed them (go-gitea#7854) * Prevent Commit Status and Message From Overflowing On Branch Page (go-gitea#7800) * Fix global search result CSS, misc CSS tweaks (go-gitea#7789) * Tweak label border CSS (go-gitea#7739) * Fix create menu item widths (go-gitea#7708) * Extract the username and password from the mirror url (go-gitea#7651) * [Branch View] Delete duplicate protection symbol (go-gitea#7624) * [Branch View] Delete Table Header (go-gitea#7622) * [Branch View] icons to buttons (go-gitea#7602) * update js dependencies (go-gitea#7462) * Add Extra Info to Branches Page (go-gitea#7461) * Bump lodash from 4.17.11 to 4.17.14 (go-gitea#7459) * wiki history improvements (go-gitea#7391) * ui fixes - compare view and archieved repo issues (go-gitea#7345) * dark theme scrollbars (go-gitea#7269) * wiki - editor - add buttons 'inline code', 'empty checkbox', 'checked checkbox' (go-gitea#7243) * Fix Statuses API only shows first 10 statuses: Add paging and extend API GetCommitStatuses (go-gitea#7141)
aswild
added a commit
to aswild/gitea
that referenced
this pull request
Nov 14, 2019
* BREAKING * Fix deadline on update issue or PR via API (go-gitea#8698) * Hide some user information via API if user doesn't have enough permission (go-gitea#8655) (go-gitea#8657) * Remove legacy handling of drone token (go-gitea#8191) * Change repo search to use exact match for topic search. (go-gitea#7941) * Add pagination for admin api get orgs and fix only list public orgs bug (go-gitea#7742) * Implement the ability to change the ssh port to match what is in the gitea config (go-gitea#7286) * SECURITY * Ignore mentions for users with no access (go-gitea#8395) * Be more strict with git arguments (go-gitea#7715) * reserve .well-known username (go-gitea#7637) * FEATURE * Org/Members: display 2FA members states + optimize sql requests (go-gitea#7621) * SetDefaultBranch on pushing to empty repository (go-gitea#7610) * Adds side-by-side diff for images (go-gitea#6784) * API method to list all commits of a repository (go-gitea#6408) * Password Complexity Checks (go-gitea#6230) * Add option to initialize repository with labels (go-gitea#6061) * Add additional password hash algorithms (go-gitea#6023) * BUGFIXES * Allow to merge if file path contains " or \ (go-gitea#8629) (go-gitea#8771) * On windows set core.longpaths true (go-gitea#8776) (go-gitea#8786) * Fix 500 when edit hook (go-gitea#8782) (go-gitea#8789) * Fix Checkbox at RepoSettings Protected Branch (go-gitea#8799) (go-gitea#8801) * Fix SSH2 conditional in key parsing code (go-gitea#8806) (go-gitea#8810) * Fix commit expand button to not go to commit link (go-gitea#8745) (go-gitea#8825) * Fix new user form for non-local users (go-gitea#8826) (go-gitea#8828) * Fix to close opened io resources as soon as not needed (go-gitea#8839) (go-gitea#8846) * Fix edit content button on migrated issue content (go-gitea#8877) (go-gitea#8884) * Fix require external registration password (go-gitea#8885) (go-gitea#8890) * Fix password complexity check on registration (go-gitea#8887) (go-gitea#8888) * Update Github Migration Tests (go-gitea#8896) (go-gitea#8938) (go-gitea#8945) * Fix issue with user.fullname (go-gitea#8903) * Enable punctuations ending mentions (go-gitea#8889) (go-gitea#8894) * Add Close() method to gogitRepository (go-gitea#8901) (go-gitea#8956) * Hotfix for review actions and notifications (go-gitea#8965) * Expose db.SetMaxOpenConns and allow non MySQL dbs to set conn pool params (go-gitea#8528) (go-gitea#8618) * Fix milestone close timestamp (go-gitea#8728) (go-gitea#8730) * Fix 500 when getting user as unauthenticated user (go-gitea#8653) (go-gitea#8663) * Fix 'New Issue Missing Milestone Comment' (go-gitea#8678) (go-gitea#8681) * Use AppSubUrl for more redirections (go-gitea#8647) (go-gitea#8651) * Add SubURL to redirect path (go-gitea#8632) (go-gitea#8634) * Fix template error on account page (go-gitea#8562) (go-gitea#8622) * Allow externalID to be UUID (go-gitea#8551) (go-gitea#8624) * Prevent removal of non-empty emoji panel following selection of duplicate (go-gitea#8609) (go-gitea#8623) * Update heatmap fixtures to restore tests (go-gitea#8615) (go-gitea#8616) * Ensure that diff stats can scroll independently of the diff (go-gitea#8581) (go-gitea#8621) * Webhook: set Content-Type for application/x-www-form-urlencoded (go-gitea#8600) * Fix go-gitea#8582 by handling empty repos (go-gitea#8587) (go-gitea#8594) * Fix bug on pull requests when transfer head repository (go-gitea#8564) (go-gitea#8569) * Add missed close in ServeBlobLFS (go-gitea#8527) (go-gitea#8542) * Ensure that GitRepo is set on Empty repositories (go-gitea#8539) (go-gitea#8541) * Fix migrate mirror 500 bug (go-gitea#8526) (go-gitea#8530) * Fix password complexity regex for special characters (go-gitea#8524) * Prevent .code-view from overriding font on icon fonts (go-gitea#8614) (go-gitea#8627) * Allow more than 255 characters for tokens in external_login_user table (go-gitea#8554) * Fix errors in create org UI regarding team access permission (go-gitea#8506) * Fix bug on FindExternalUsersByProvider (go-gitea#8504) * Create .ssh dir as necessary (go-gitea#8486) * IsBranchExist: return false if provided name is empty (go-gitea#8485) * Making openssh listen on SSH_LISTEN_PORT not SSH_PORT (go-gitea#8477) * Add check for empty set when dropping indexes during migration (go-gitea#8471) * LFS files are relative to LFS content path, ensure that when deleting they are made relative to this (go-gitea#8455) * Ensure Request Body Readers are closed in LFS server (go-gitea#8454) * Fix template bug on mirror repository setting page (go-gitea#8438) * Fix migration v96 to keep issue attachments (go-gitea#8435) * Update strk.kbt.io/projects/go/libravatar to latest (go-gitea#8429) * Singular form for files that has only one line (go-gitea#8416) * Check for either escaped or unescaped wiki filenames (go-gitea#8408) * Allow users with explicit read access to give approvals (go-gitea#8382) * Fix editor commit to new branch if PR disabled (go-gitea#8375) * readd .markdown class to all markup renderers (go-gitea#8357) * Upgrade xorm to v0.7.9 to fix some bugs (go-gitea#8354) * Fix column name ambiguity in GetUserIssueStats() (go-gitea#8347) * Change general form binding to gogs form (go-gitea#8334) * Fix pull request commit status in user dashboard list (go-gitea#8321) * Fix repo_admin_change_team_access always checked in org settings (go-gitea#8319) * Update to github.com/lafriks/xormstore@v1.3.0 (go-gitea#8317) * Show correct commit status in PR list (go-gitea#8316) * Bugfix for image compare and minor improvements to image compare (go-gitea#8289) * Update xorm (go-gitea#8286) * Fix API for edit and delete release attachment (go-gitea#8285) * Fix nil object access in some conditions when parsing cross references (go-gitea#8281) * Fix label count (go-gitea#8267) * Only show teams access for organization repositories on collaboration setting page (go-gitea#8265) * Test more reserved usernames (go-gitea#8263) * Rewrite reference processing code in preparation for opening/closing from comment references (go-gitea#8261) * Fix assets key on release webhook (go-gitea#8253) * Allow registration when button is hidden (go-gitea#8237) * Fix release API URL generation (go-gitea#8234) * Fix milestone num_issues (go-gitea#8221) * MS Teams webhook misses commit messages (go-gitea#8209) * Fix data race (go-gitea#8204) * Fix team user api (go-gitea#8172) * Fix pull merge 500 error caused by git-fetch breaking behaviors (go-gitea#8161) * Make show private icon when repo avatar set (go-gitea#8144) * Add reviewers as participants (go-gitea#8121) * Fix Go 1.13 private repository go get issue (go-gitea#8112) * feat: highlight issue references with : (go-gitea#8101) * Make AllowedUsers configurable in sshd_config (go-gitea#8094) * Strict name matching for Repository.GetTagID() (go-gitea#8074) * Avoid ambiguity of branch/directory names for the git-diff-tree command (go-gitea#8066) * Add change title notification for issues (go-gitea#8061) * [ssh] fix the config specification in the authorized_keys template (go-gitea#8031) * Fix reading git notes from nested trees (go-gitea#8026) * Fixes synchronize tags to releases for repository - makes sure we are only getting tag refs (go-gitea#7990) * Fix adding default Telegram webhook (go-gitea#7972) * Run CORS handler first for /api routes (go-gitea#7967) * Abort synchronization from LDAP source if there is some error. (go-gitea#7960) * Fix wrong sender when send slack webhook (go-gitea#7918) * Fix bug when migrating a private repository (go-gitea#7917) * Evaluate emojis in commit messages in list view (go-gitea#7906) * Fix upload file type check (go-gitea#7890) * lfs/lock: round locked_at timestamp to second (go-gitea#7872) * fix non existent milestone with 500 error instead of 404 (go-gitea#7867) * gpg/bugfix: Use .ExpiredUnix.IsZero to display green color of forever valid gpg key (go-gitea#7846) * Fix duplicate call of webhook (go-gitea#7821) * Enable switching to a different source branch when PR already exists (go-gitea#7819) * Convert files to utf-8 for indexing (go-gitea#7814) * Do not fetch all refs in pull-request compare (go-gitea#7797) * Fix multiple bugs with statuses endpoints at API (go-gitea#7785) * Restore functionality for early gits (go-gitea#7775) * Fix Slack webhook fork message (go-gitea#7774) * Rewrite existing repo units if setting is not included in api body (go-gitea#7763) * Fix rename failed when rewrite public keys (go-gitea#7761) * Fix approvals counting (go-gitea#7757) * Add migration step to remove old repo_indexer_status orphaned records (go-gitea#7746) * Fix repo_index_status lingering when deleting a repository (go-gitea#7734) * Remove camel case tokenization from repo indexer (go-gitea#7733) * Fix milestone completness calculation when migrating (go-gitea#7725) * Regression: Include "executable" files in the index, as they are not necessarily … (go-gitea#7718) * Fixes indexed repos keeping outdated indexes when files grow too large (go-gitea#7712) * Skip non-regular files (e.g. submodules) on repo indexing (go-gitea#7711) * Fix dropTableColumns sqlite implementation (go-gitea#7710) * Update gopkg.in/src-d/go-git.v4 to v4.13.1 (go-gitea#7705) * improve branches list performance and fix protected branch icon when no-login (go-gitea#7695) * Correct wrong datetime format for git (go-gitea#7689) * Move add to hook queue for created repo to outside xorm session. (go-gitea#7675) * sugestion to use range .Branches (go-gitea#7674) * Fix bug on migrating milestone from github (go-gitea#7665) * hide delete/restore button on archived repos (go-gitea#7658) * css: use flex to fix floating paginate (go-gitea#7656) * Fix syntax highlight initialization (go-gitea#7617) * Fix panic on push at - Merging pull request causes 500 error (go-gitea#7615) * Make PKCS8, PEM and SSH2 keys work (go-gitea#7600) * Fix mistake in arc-green.less split-diff css code. (go-gitea#7587) * Handle ErrUserProhibitLogin in http git (go-gitea#7586) * Fix bug create/edit wiki pages when code master branch protected (go-gitea#7580) * Fixes Malformed URLs in API git/commits response (go-gitea#7565) * Fix file header overflow in file and blame views (go-gitea#7562) * Improve SSH key parser to handle newlines in keys (go-gitea#7522) * Fix empty commits now showing in repo overview (go-gitea#7521) * Fix repository's pull request count error (go-gitea#7518) * Fix markdown invoke sequence (go-gitea#7513) * Remove duplicated webhook trigger (go-gitea#7511) * Update User.NumRepos atomically in createRepository (go-gitea#7493) * Fix settings page of repo you aren't admin print error - Settings pages giving UnitType error message (go-gitea#7482) * Fix redirection after file edit - Handles all redirects for Web UI File CRUD (go-gitea#7478) * cmd/serv: actually exit after fatal errors (go-gitea#7458) * Fix an issue with some pages throwing 'not defined' js exceptions (go-gitea#7450) * fix Dropzone.js integration (go-gitea#7445) * Fix regex for issues in commit messages (go-gitea#7444) * Diff: Fix indentation on unhighlighted code (go-gitea#7435) * Only show "New Pull Request" button if repo allows pulls (go-gitea#7426) * Upgrade macaron/captcha to fix random error problem (go-gitea#7407) * create class for inline positioned lists (go-gitea#7393) * Fetch refs for successful testing for tag (go-gitea#7388) * add missing template variable on organisation settings (go-gitea#7385) * fix post parameter - on issue list - unset assignee (go-gitea#7380) * fix/define autochecked checkboxes on issue list in firefox (go-gitea#7320) * only return head: null if source branch was deleted (go-gitea#6705) * ENHANCEMENT * Add nofollow to sign in links (go-gitea#8509) * vendor: update mvdan.cc/xurls/v2 to v2.1.0 (go-gitea#8495) * Update milestone issues numbers when save milestone and other code improvements (go-gitea#8411) * Add extra user information when migrating release (go-gitea#8331) * Require overall success if no context is given for status check (go-gitea#8318) * Transaction-aware retry create issue to cope with duplicate keys (go-gitea#8307) * Change link on issue milestone (go-gitea#8246) * Alwaywas return local url for users avatar (go-gitea#8245) * Move some milestone functions to a standalone package (go-gitea#8213) * Move create issue comment to comments package (go-gitea#8212) * Disable max height property of comment textarea (go-gitea#8203) * Add 'Mentioning you' group to /issues page (go-gitea#8201) * oauth2 with remote Gitea (go-gitea#8149) * Reference issues from pull requests and other issues (go-gitea#8137) * Fix webhooks to use proxy from environment (go-gitea#8116) * Add merged commit id on pull view when it's merged (go-gitea#8062) * Add teams to repo on collaboration page. (go-gitea#8045) * Update swagger to 0.20.1 (go-gitea#8010) * Make link last commit massages in repository home page and commit tables (go-gitea#8006) * Add API endpoint for accessing repo topics (go-gitea#7963) * Include description in repository search (go-gitea#7942) * Use gitea forked macaron (go-gitea#7933) * Fix pull creation with empty changes (go-gitea#7920) * Allow token as authorization for accessing attachments (go-gitea#7909) * Retry create issue to cope with duplicate keys (go-gitea#7898) * Move git diff codes from models to services/gitdiff (go-gitea#7889) * migrate gplus to google oauth2 provider (go-gitea#7885) * Remove unique filter from repo indexer analyzer. (go-gitea#7878) * Detect delimiter in CSV rendering (go-gitea#7869) * Import topics during migration (go-gitea#7851) * Move CreateReview to modules/pull (go-gitea#7841) * vendor: update pdf.js to v2.1.266 (go-gitea#7834) * Support SSH_LISTEN_PORT env var in docker app.ini template (go-gitea#7829) * Add Ability for User to Customize Email Notification Frequency (go-gitea#7813) * Move database settings from models to setting (go-gitea#7806) * Display ui time with customize time location (go-gitea#7792) * Implement webhook branch filter (go-gitea#7791) * Restrict repository indexing by glob match (go-gitea#7767) * Api: advanced settings for repository (external wiki, issue tracker etc.) (go-gitea#7756) * Update migrated repositories' issues/comments/prs poster id if user has a github external user saved (go-gitea#7751) * deps: Upgrade gopkg.in/editorconfig/editorconfig-core-go.v1 (go-gitea#7749) * Apply emoji on commit graph page (go-gitea#7743) * Add a lot of extension to language mappings for syntax highlights (go-gitea#7741) * Add SQL execution on log and indexes on table repository and comment (go-gitea#7740) * Set DB connection error level to error (go-gitea#7724) * Check commit message hashes before making links (go-gitea#7713) * remove unnecessary fmt on generate bindata (go-gitea#7706) * Fix specific highlighting (CMakeLists.txt ...) (go-gitea#7686) * Add file status on API (go-gitea#7671) * Add support for DEFAULT_ORG_MEMBER_VISIBLE (go-gitea#7669) * Provide links in commit summaries in commits table/view list (go-gitea#7659) * Change length of some repository's columns (go-gitea#7652) * Move commit repo action from models to repofiles package (go-gitea#7645) * fix wrong email when use gitea as OAuth2 provider (go-gitea#7640) * [Branch View] add download button (go-gitea#7604) * Update to xorm@v0.7.4 (go-gitea#7596) * use 403 instead of 401 for ErrUserProhibitLogin (go-gitea#7591) * Removed unnecessary conversions (go-gitea#7557) * Un-lambda base.FileSize (go-gitea#7556) * Added missing error checks in tests (go-gitea#7554) * Move create release from models to a standalone package (go-gitea#7539) * Make default branch name link to default branch (go-gitea#7519) * Added total count of contributions to heatmap (go-gitea#7517) * Move mirror to a standalone package from models (go-gitea#7486) * Move models.PushUpdate to repofiles.PushUpdate (go-gitea#7485) * Include thread related headers in issue/coment mail (go-gitea#7484) * Refuse merge until all required status checks success (go-gitea#7481) * convert all js var to let/const (go-gitea#7464) * Only create branches for opened pull requestes when migrating from github (go-gitea#7463) * jQuery 3 (go-gitea#7425) * Add notification placeholder (go-gitea#7409) * Search Commits via Commit Hash (go-gitea#7400) * Move status table to cron package (go-gitea#7370) * wiki - page revisions list (go-gitea#7369) * Display original author and URL information when showing migrated issues/comments (go-gitea#7352) * Refactor filetype is not allowed errors (go-gitea#7309) * switch to use gliderlabs/ssh for builtin server (go-gitea#7250) * Remove settting dependency on modules/session (go-gitea#7237) * Move all mail related codes from models to services/mailer (go-gitea#7200) * Support git.PATH entry in app.ini (go-gitea#6772) * Support setting cookie domain (go-gitea#6288) * Move migrating repository from frontend to backend (go-gitea#6200) * Delete releases attachments if release is deleted (go-gitea#6068) * TRANSLATION * Latvian translation for home page (go-gitea#8468) * Add home template italian translation (go-gitea#8352) * fix misprint (go-gitea#7452) * BUILD * use go 1.13 (go-gitea#8088) * MISC * add file line count info on UI (go-gitea#8396) * Make issues page left menu 100% width and add reponame as title attribute (go-gitea#8359) * [arc-green] white on hover for active menu items (go-gitea#8344) * Move ref (branch or tag) location on issue list page (go-gitea#8157) * apply emoji on dashboard issue list labels (go-gitea#8156) * 1148: Take up the full width when viewing the diff in split view. (go-gitea#8114) * Display description of 'make this repo private' as help text, not as tooltip (go-gitea#8097) * Fixes deformed emoji in pull request reviews (go-gitea#8047) * Add strike to old header on comment (go-gitea#8046) * Add tooltip for the visibility checkbox in /repo/create (go-gitea#8025) * Update github.com/lafriks/xormstore and tidy up mod.go (go-gitea#8020) * keep blame view buttons sequence consistent with normal view when view a file (go-gitea#8007) * Use "Pull Request" instead of "Merge Request" (go-gitea#8003) * Move line number to :before attr to hide from search on browser (go-gitea#8002) * Changed black color to white for (read) number label on issue list page (go-gitea#8000) * [Branch View] show "New Pull Request" Button only if posible (go-gitea#7977) * Fix hook problem by only setting the git environment variables if we are passed them (go-gitea#7854) * Prevent Commit Status and Message From Overflowing On Branch Page (go-gitea#7800) * Fix global search result CSS, misc CSS tweaks (go-gitea#7789) * Tweak label border CSS (go-gitea#7739) * Fix create menu item widths (go-gitea#7708) * Extract the username and password from the mirror url (go-gitea#7651) * [Branch View] Delete duplicate protection symbol (go-gitea#7624) * [Branch View] Delete Table Header (go-gitea#7622) * [Branch View] icons to buttons (go-gitea#7602) * update js dependencies (go-gitea#7462) * Add Extra Info to Branches Page (go-gitea#7461) * Bump lodash from 4.17.11 to 4.17.14 (go-gitea#7459) * wiki history improvements (go-gitea#7391) * ui fixes - compare view and archieved repo issues (go-gitea#7345) * dark theme scrollbars (go-gitea#7269) * wiki - editor - add buttons 'inline code', 'empty checkbox', 'checked checkbox' (go-gitea#7243) * Fix Statuses API only shows first 10 statuses: Add paging and extend API GetCommitStatuses (go-gitea#7141)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We are building a website where the session cookie is set to
example.comdomain. Later a SPA hosted on asubdomain.example.comwill make api calls toexample.com/api/xyz. In this scenario we want to set the csrf cookie domain to.example.comso that SPA can pass it along the ajax api calls.Thanks.