Merge remote-tracking branch 'origin/main' into fix-ssh-server

Author: zeripath

cmd/admin.go

@@ -56,6 +56,7 @@ var (
 			microcmdUserList,
 			microcmdUserChangePassword,
 			microcmdUserDelete,
+			microcmdUserGenerateAccessToken,
 		},
 	}
 
@@ -154,6 +155,27 @@ var (
 		Action: runDeleteUser,
 	}
 
+	microcmdUserGenerateAccessToken = cli.Command{
+		Name:  "generate-access-token",
+		Usage: "Generate a access token for a specific user",
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "username,u",
+				Usage: "Username",
+			},
+			cli.StringFlag{
+				Name:  "token-name,t",
+				Usage: "Token name",
+				Value: "gitea-admin",
+			},
+			cli.BoolFlag{
+				Name:  "raw",
+				Usage: "Display only the token value",
+			},
+		},
+		Action: runGenerateAccessToken,
+	}
+
 	subcmdRepoSyncReleases = cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
@@ -641,6 +663,41 @@ func runDeleteUser(c *cli.Context) error {
 	return user_service.DeleteUser(user)
 }
 
+func runGenerateAccessToken(c *cli.Context) error {
+	if !c.IsSet("username") {
+		return fmt.Errorf("You must provide the username to generate a token for them")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	user, err := user_model.GetUserByName(c.String("username"))
+	if err != nil {
+		return err
+	}
+
+	t := &models.AccessToken{
+		Name: c.String("token-name"),
+		UID:  user.ID,
+	}
+
+	if err := models.NewAccessToken(t); err != nil {
+		return err
+	}
+
+	if c.Bool("raw") {
+		fmt.Printf("%s\n", t.Token)
+	} else {
+		fmt.Printf("Access token was successfully created: %s\n", t.Token)
+	}
+
+	return nil
+}
+
 func runRepoSyncReleases(_ *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()

contrib/init/openwrt/gitea

@@ -0,0 +1,35 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+
+# PROCD_DEBUG=1
+
+START=90
+STOP=10
+
+PROG=/opt/gitea/gitea
+GITEA_WORK_DIR=/opt/gitea
+CONF_FILE=$GITEA_WORK_DIR/app.ini
+
+start_service(){
+    procd_open_instance gitea
+    procd_set_param env GITEA_WORK_DIR=$GITEA_WORK_DIR
+    procd_set_param env HOME=$GITEA_WORK_DIR
+    procd_set_param command $PROG web -c $CONF_FILE
+    procd_set_param file $CONF_FILE
+    procd_set_param user git
+    procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} # respawn automatically if something died, be careful if you have an alternative process supervisor
+    procd_close_instance
+}
+
+start(){
+    service_start $PROG
+}
+
+stop(){
+    service_stop $PROG
+}
+
+reload(){
+    service_reload $PROG
+}

contrib/update_dependencies.sh

@@ -4,5 +4,5 @@ grep 'git' go.mod | grep '\.com' | grep -v indirect | grep -v replace | cut -f 2
   go get -u "$line"
   make vendor
   git add .
-  git commit -S -m "update $line"
+  git commit -m "update $line"
 done

contrib/upgrade.sh

@@ -1,6 +1,4 @@
 #!/usr/bin/env bash
-set -euo pipefail
-
 # This is an update script for gitea installed via the binary distribution
 # from dl.gitea.io on linux as systemd service. It performs a backup and updates
 # Gitea in place.
@@ -13,41 +11,83 @@ set -euo pipefail
 #   upgrade.sh 1.15.10
 #   giteahome=/opt/gitea giteaconf=$giteahome/app.ini upgrade.sh
 
+while true; do
+  case "$1" in
+    -v | --version ) ver="$2"; shift 2 ;;
+    -y | --yes ) no_confirm="yes"; shift ;;
+    --ignore-gpg) ignore_gpg="yes"; shift ;;
+    -- ) shift; break ;;
+    * ) break ;;
+  esac
+done
+
+set -euo pipefail
+
+
+function require {
+  for exe in "$@"; do
+    command -v "$exe" &>/dev/null || (echo "missing dependency '$exe'"; exit 1)
+  done
+}
+
+
+require curl xz sha256sum gpg
+
+if [[ -f /etc/os-release ]]; then
+  os_release=$(cat /etc/os-release)
+
+  if [[ "$os_release" =~ "OpenWrt" ]]; then
+    sudocmd="su"
+    service_start="/etc/init.d/gitea start"
+    service_stop="/etc/init.d/gitea stop"
+    service_status="/etc/init.d/gitea status"
+  else
+    require systemctl
+  fi
+fi
+
+
 # apply variables from environment
 : "${giteabin:="/usr/local/bin/gitea"}"
 : "${giteahome:="/var/lib/gitea"}"
 : "${giteaconf:="/etc/gitea/app.ini"}"
 : "${giteauser:="git"}"
 : "${sudocmd:="sudo"}"
 : "${arch:="linux-amd64"}"
+: "${service_start:="$sudocmd systemctl start gitea"}"
+: "${service_stop:="$sudocmd systemctl stop gitea"}"
+: "${service_status:="$sudocmd systemctl status gitea"}"
 : "${backupopts:=""}" # see `gitea dump --help` for available options
 
-function giteacmd {
-  "$sudocmd" --user "$giteauser" "$giteabin" --config "$giteaconf" --work-path "$giteahome" "$@"
-}
 
-function require {
-  for exe in "$@"; do
-    command -v "$exe" &>/dev/null || (echo "missing dependency '$exe'"; exit 1)
-  done
+function giteacmd {
+  if [[ $sudocmd = "su" ]]; then
+    "$sudocmd" - "$giteauser" -c "$giteabin" --config "$giteaconf" --work-path "$giteahome" "$@"
+  else
+    "$sudocmd" --user "$giteauser" "$giteabin" --config "$giteaconf" --work-path "$giteahome" "$@"
+  fi
 }
-require systemctl curl xz sha256sum gpg "$sudocmd"
 
 # select version to install
-if [[ -z "${1:-}" ]]; then
+if [[ -z "${ver:-}" ]]; then
   require jq
   giteaversion=$(curl --connect-timeout 10 -sL https://dl.gitea.io/gitea/version.json | jq -r .latest.version)
 else
-  giteaversion="$1"
+  giteaversion="$ver"
 fi
 
+
 # confirm update
-current=$(giteacmd --version | cut --delimiter=' ' --fields=3)
+current=$(giteacmd --version | cut -d ' ' -f 3)
 [[ "$current" == "$giteaversion" ]] && echo "$current is already installed, stopping." && exit 1
-echo "Make sure to read the changelog first: https://github.com/go-gitea/gitea/blob/main/CHANGELOG.md"
-echo "Are you ready to update Gitea from ${current} to ${giteaversion}? (y/N)"
-read -r confirm
-[[ "$confirm" == "y" ]] || [[ "$confirm" == "Y" ]] || exit 1
+if [[ -z "${no_confirm:-}"  ]]; then
+  echo "Make sure to read the changelog first: https://github.com/go-gitea/gitea/blob/main/CHANGELOG.md"
+  echo "Are you ready to update Gitea from ${current} to ${giteaversion}? (y/N)"
+  read -r confirm
+  [[ "$confirm" == "y" ]] || [[ "$confirm" == "Y" ]] || exit 1
+fi
+
+echo "Upgrading gitea from $current to $giteaversion ..."
 
 pushd "$(pwd)" &>/dev/null
 cd "$giteahome" # needed for gitea dump later
@@ -59,9 +99,11 @@ echo "Downloading $binurl..."
 curl --connect-timeout 10 --silent --show-error --fail --location -O "$binurl{,.sha256,.asc}"
 
 # validate checksum & gpg signature (exit script if error)
-sha256sum --check "${binname}.xz.sha256"
-gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
-gpg --verify "${binname}.xz.asc" "${binname}.xz" || { echo 'Signature does not match'; exit 1; }
+sha256sum -c "${binname}.xz.sha256"
+if [[ -z "${ignore_gpg:-}" ]]; then
+  gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+  gpg --verify "${binname}.xz.asc" "${binname}.xz" || { echo 'Signature does not match'; exit 1; }
+fi
 rm "${binname}".xz.{sha256,asc}
 
 # unpack binary + make executable
@@ -72,12 +114,14 @@ chmod +x "$binname"
 # stop gitea, create backup, replace binary, restart gitea
 echo "Stopping gitea at $(date)"
 giteacmd manager flush-queues
-$sudocmd systemctl stop gitea
+$service_stop
 echo "Creating backup in $giteahome"
 giteacmd dump $backupopts
 echo "Updating binary at $giteabin"
-mv --force --backup "$binname" "$giteabin"
-$sudocmd systemctl start gitea
-$sudocmd systemctl status gitea
+cp -f "$giteabin" "$giteabin.bak" && mv -f "$binname" "$giteabin"
+$service_start
+$service_status
+
+echo "Upgrade to $giteaversion successful!"
 
 popd

custom/conf/app.example.ini

@@ -2125,6 +2125,8 @@ PATH =
 ;RENDER_COMMAND = "asciidoc --out-file=- -"
 ;; Don't pass the file on STDIN, pass the filename as argument instead.
 ;IS_INPUT_FILE = false
+; Don't filter html tags and attributes if true
+;DISABLE_SANITIZER = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docs/config.yaml

@@ -18,7 +18,7 @@ params:
   description: Git with a cup of tea
   author: The Gitea Authors
   website: https://docs.gitea.io
-  version: 1.16.0
+  version: 1.16.3
   minGoVersion: 1.16
   goVersion: 1.17
   minNodeVersion: 12.17

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -1003,13 +1003,13 @@ IS_INPUT_FILE = false
    command. Multiple extensions needs a comma as splitter.
 - RENDER\_COMMAND: External command to render all matching extensions.
 - IS\_INPUT\_FILE: **false** Input is not a standard input but a file param followed `RENDER_COMMAND`.
+- DISABLE_SANITIZER: **false** Don't filter html tags and attributes if true. Don't change this to true except you know what that means.
 
 Two special environment variables are passed to the render command:
 - `GITEA_PREFIX_SRC`, which contains the current URL prefix in the `src` path tree. To be used as prefix for links.
 - `GITEA_PREFIX_RAW`, which contains the current URL prefix in the `raw` path tree. To be used as prefix for image paths.
 
-
-Gitea supports customizing the sanitization policy for rendered HTML. The example below will support KaTeX output from pandoc.
+If `DISABLE_SANITIZER` is false, Gitea supports customizing the sanitization policy for rendered HTML. The example below will support KaTeX output from pandoc.
 
 ```ini
 [markup.sanitizer.TeX]

docs/content/doc/advanced/config-cheat-sheet.zh-cn.md

@@ -318,6 +318,33 @@ IS_INPUT_FILE = false
 - FILE_EXTENSIONS: 关联的文档的扩展名，多个扩展名用都好分隔。
 - RENDER_COMMAND: 工具的命令行命令及参数。
 - IS_INPUT_FILE: 输入方式是最后一个参数为文件路径还是从标准输入读取。
+- DISABLE_SANITIZER: **false** 如果为 true 则不过滤 HTML 标签和属性。除非你知道这意味着什么，否则不要设置为 true。
+
+以下两个环境变量将会被传递给渲染命令：
+
+- `GITEA_PREFIX_SRC`：包含当前的`src`路径的URL前缀，可以被用于链接的前缀。
+- `GITEA_PREFIX_RAW`：包含当前的`raw`路径的URL前缀，可以被用于图片的前缀。
+
+如果 `DISABLE_SANITIZER` 为 false，则 Gitea 支持自定义渲染 HTML 的净化策略。以下例子将用 pandoc 支持 KaTeX 输出。
+
+```ini
+[markup.sanitizer.TeX]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+ALLOW_DATA_URI_IMAGES = true
+```
+
+- `ELEMENT`: 将要被应用到该策略的 HTML 元素，不能为空。
+- `ALLOW_ATTR`: 将要被应用到该策略的属性，不能为空。
+- `REGEXP`: 正则表达式，用来匹配属性的内容。如果为空，则跟属性内容无关。
+- `ALLOW_DATA_URI_IMAGES`: **false** 允许 data uri 图片 (`<img src="data:image/png;base64,..."/>`)。
+
+多个净化规则可以被同时定义，只要section名称最后一位不重复即可。如： `[markup.sanitizer.TeX-2]`。
+为了针对一种渲染类型进行一个特殊的净化策略，必须使用形如 `[markup.sanitizer.asciidoc.rule-1]` 的方式来命名 seciton。
+如果此规则没有匹配到任何渲染类型，它将会被应用到所有的渲染类型。
 
 ## Time (`time`)