Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Set pre-step status to `skipped` if job is skipped (go-gitea#29489)
  Use a predictiable fork URL to allow forking repositories without providing a repo ID (go-gitea#29519)
  Adding back missing options to app.example.ini (go-gitea#29511)
  Refactor the "attachments" sub-template data key to RenderedContent (go-gitea#29517)
  Rename Str2html to SanitizeHTML and clarify its behavior (go-gitea#29516)
  Add admin API route for managing user's badges (go-gitea#23106)
  Refactor some Str2html code (go-gitea#29397)
  Move migration functions to services layer (go-gitea#29497)

Author: zjjhot

custom/conf/app.example.ini

@@ -956,6 +956,12 @@ LEVEL = Info
 ;GO_GET_CLONE_URL_PROTOCOL = https
 ;;
 ;; Close issues as long as a commit on any branch marks it as fixed
+;DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false
+;;
+;; Allow users to push local repositories to Gitea and have them automatically created for a user or an org
+;ENABLE_PUSH_CREATE_USER = false
+;ENABLE_PUSH_CREATE_ORG = false
+;;
 ;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects, repo.packages, repo.actions.
 ;DISABLED_REPO_UNITS =
 ;;

docs/content/administration/mail-templates.en-us.md

@@ -224,7 +224,7 @@ Please check [Gitea's logs](administration/logging-config.md) for error messages
         {{if not (eq .Body "")}}
             <h3>Message content</h3>
             <hr>
-            {{.Body | Str2html}}
+            {{.Body | SanitizeHTML}}
         {{end}}
     </p>
     <hr>
@@ -260,19 +260,19 @@ The template system contains several functions that can be used to further proce
 the messages. Here's a list of some of them:
 
 | Name             | Parameters  | Available | Usage                                                                       |
-| ---------------- | ----------- | --------- | --------------------------------------------------------------------------- |
+| ---------------- | ----------- | --------- |-----------------------------------------------------------------------------|
 | `AppUrl`         | -           | Any       | Gitea's URL                                                                 |
 | `AppName`        | -           | Any       | Set from `app.ini`, usually "Gitea"                                         |
 | `AppDomain`      | -           | Any       | Gitea's host name                                                           |
 | `EllipsisString` | string, int | Any       | Truncates a string to the specified length; adds ellipsis as needed         |
-| `Str2html`       | string      | Body only | Sanitizes text by removing any HTML tags from it.                           |
+| `SanitizeHTML`   | string      | Body only | Sanitizes text by removing any dangerous HTML tags from it.                 |
 | `SafeHTML`       | string      | Body only | Takes the input as HTML; can be used for `.ReviewComments.RenderedContent`. |
 
 These are _functions_, not metadata, so they have to be used:
 
 ```html
-Like this:         {{Str2html "Escape<my>text"}}
-Or this:           {{"Escape<my>text" | Str2html}}
+Like this:         {{SanitizeHTML "Escape<my>text"}}
+Or this:           {{"Escape<my>text" | SanitizeHTML}}
 Or this:           {{AppUrl}}
 But not like this: {{.AppUrl}}
 ```

docs/content/administration/mail-templates.zh-cn.md

@@ -207,7 +207,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/
         {{if not (eq .Body "")}}
             <h3>消息内容：</h3>
             <hr>
-            {{.Body | Str2html}}
+            {{.Body | SanitizeHTML}}
         {{end}}
     </p>
     <hr>
@@ -242,20 +242,20 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/
 
 模板系统包含一些函数，可用于进一步处理和格式化消息。以下是其中一些函数的列表：
 
-| 函数名              | 参数        | 可用于       | 用法                                                                              |
-|------------------| ----------- | ------------ | --------------------------------------------------------------------------------- |
-| `AppUrl`         | -           | 任何地方     | Gitea 的 URL                                                                     |
-| `AppName`        | -           | 任何地方     | 从 `app.ini` 中设置，通常为 "Gitea"                                               |
-| `AppDomain`      | -           | 任何地方     | Gitea 的主机名                                                                   |
-| `EllipsisString` | string, int | 任何地方     | 将字符串截断为指定长度；根据需要添加省略号                                        |
-| `Str2html`       | string      | 仅正文部分   | 通过删除其中的 HTML 标签对文本进行清理                                              |
-| `SafeHTML`       | string      | 仅正文部分   | 将输入作为 HTML 处理；可用于 `.ReviewComments.RenderedContent` 等字段               |
+| 函数名              | 参数        | 可用于       | 用法                                                      |
+|------------------| ----------- | ------------ |---------------------------------------------------------|
+| `AppUrl`         | -           | 任何地方     | Gitea 的 URL                                             |
+| `AppName`        | -           | 任何地方     | 从 `app.ini` 中设置，通常为 "Gitea"                             |
+| `AppDomain`      | -           | 任何地方     | Gitea 的主机名                                              |
+| `EllipsisString` | string, int | 任何地方     | 将字符串截断为指定长度；根据需要添加省略号                                   |
+| `SanitizeHTML`   | string      | 仅正文部分   | 通过删除其中的危险 HTML 标签对文本进行清理                                |
+| `SafeHTML`       | string      | 仅正文部分   | 将输入作为 HTML 处理；可用于 `.ReviewComments.RenderedContent` 等字段 |
 
 这些都是 _函数_，而不是元数据，因此必须按以下方式使用：
 
 ```html
-像这样使用：         {{Str2html "Escape<my>text"}}
-或者这样使用：       {{"Escape<my>text" | Str2html}}
+像这样使用：         {{SanitizeHTML "Escape<my>text"}}
+或者这样使用：       {{"Escape<my>text" | SanitizeHTML}}
 或者这样使用：       {{AppUrl}}
 但不要像这样使用：   {{.AppUrl}}
 ```

models/issues/comment.go

@@ -8,6 +8,7 @@ package issues
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"strconv"
 	"unicode/utf8"
 
@@ -259,8 +260,8 @@ type Comment struct {
 	CommitID        int64
 	Line            int64 // - previous line / + proposed line
 	TreePath        string
-	Content         string `xorm:"LONGTEXT"`
-	RenderedContent string `xorm:"-"`
+	Content         string        `xorm:"LONGTEXT"`
+	RenderedContent template.HTML `xorm:"-"`
 
 	// Path represents the 4 lines of code cemented by this comment
 	Patch       string `xorm:"-"`

models/issues/issue.go

@@ -7,6 +7,7 @@ package issues
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"regexp"
 	"slices"
 
@@ -105,7 +106,7 @@ type Issue struct {
 	OriginalAuthorID int64                  `xorm:"index"`
 	Title            string                 `xorm:"name"`
 	Content          string                 `xorm:"LONGTEXT"`
-	RenderedContent  string                 `xorm:"-"`
+	RenderedContent  template.HTML          `xorm:"-"`
 	Labels           []*Label               `xorm:"-"`
 	MilestoneID      int64                  `xorm:"INDEX"`
 	Milestone        *Milestone             `xorm:"-"`

models/issues/milestone.go

@@ -6,6 +6,7 @@ package issues
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
@@ -47,8 +48,8 @@ type Milestone struct {
 	RepoID          int64                  `xorm:"INDEX"`
 	Repo            *repo_model.Repository `xorm:"-"`
 	Name            string
-	Content         string `xorm:"TEXT"`
-	RenderedContent string `xorm:"-"`
+	Content         string        `xorm:"TEXT"`
+	RenderedContent template.HTML `xorm:"-"`
 	IsClosed        bool
 	NumIssues       int
 	NumClosedIssues int

models/migrations/migrations.go

@@ -558,6 +558,8 @@ var migrations = []Migration{
 	NewMigration("Add PreviousDuration to ActionRun", v1_22.AddPreviousDurationToActionRun),
 	// v286 -> v287
 	NewMigration("Add support for SHA256 git repositories", v1_22.AdjustDBForSha256),
+	// v287 -> v288
+	NewMigration("Use Slug instead of ID for Badges", v1_22.UseSlugInsteadOfIDForBadges),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v1_22/v287.go

@@ -0,0 +1,46 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_22 //nolint
+
+import (
+	"xorm.io/xorm"
+)
+
+type BadgeUnique struct {
+	ID   int64  `xorm:"pk autoincr"`
+	Slug string `xorm:"UNIQUE"`
+}
+
+func (BadgeUnique) TableName() string {
+	return "badge"
+}
+
+func UseSlugInsteadOfIDForBadges(x *xorm.Engine) error {
+	type Badge struct {
+		Slug string
+	}
+
+	err := x.Sync(new(Badge))
+	if err != nil {
+		return err
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err := sess.Begin(); err != nil {
+		return err
+	}
+
+	_, err = sess.Exec("UPDATE `badge` SET `slug` = `id` Where `slug` IS NULL")
+	if err != nil {
+		return err
+	}
+
+	err = sess.Sync(new(BadgeUnique))
+	if err != nil {
+		return err
+	}
+
+	return sess.Commit()
+}

models/migrations/v1_22/v287_test.go

@@ -0,0 +1,57 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_22 //nolint
+
+import (
+	"fmt"
+	"testing"
+
+	"code.gitea.io/gitea/models/migrations/base"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_UpdateBadgeColName(t *testing.T) {
+	type Badge struct {
+		ID          int64 `xorm:"pk autoincr"`
+		Description string
+		ImageURL    string
+	}
+
+	// Prepare and load the testing database
+	x, deferable := base.PrepareTestEnv(t, 0, new(BadgeUnique), new(Badge))
+	defer deferable()
+	if x == nil || t.Failed() {
+		return
+	}
+
+	oldBadges := []Badge{
+		{ID: 1, Description: "Test Badge 1", ImageURL: "https://example.com/badge1.png"},
+		{ID: 2, Description: "Test Badge 2", ImageURL: "https://example.com/badge2.png"},
+		{ID: 3, Description: "Test Badge 3", ImageURL: "https://example.com/badge3.png"},
+	}
+
+	for _, badge := range oldBadges {
+		_, err := x.Insert(&badge)
+		assert.NoError(t, err)
+	}
+
+	if err := UseSlugInsteadOfIDForBadges(x); err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
+	got := []BadgeUnique{}
+	if err := x.Table("badge").Asc("id").Find(&got); !assert.NoError(t, err) {
+		return
+	}
+
+	for i, e := range oldBadges {
+		got := got[i]
+		assert.Equal(t, e.ID, got.ID)
+		assert.Equal(t, fmt.Sprintf("%d", e.ID), got.Slug)
+	}
+
+	// TODO: check if badges have been updated
+}

models/project/project.go

@@ -6,6 +6,7 @@ package project
 import (
 	"context"
 	"fmt"
+	"html/template"
 
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -100,7 +101,7 @@ type Project struct {
 	CardType    CardType
 	Type        Type
 
-	RenderedContent string `xorm:"-"`
+	RenderedContent template.HTML `xorm:"-"`
 
 	CreatedUnix    timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix    timeutil.TimeStamp `xorm:"INDEX updated"`

models/repo/release.go

@@ -7,6 +7,7 @@ package repo
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"net/url"
 	"sort"
 	"strconv"
@@ -80,7 +81,7 @@ type Release struct {
 	NumCommits       int64
 	NumCommitsBehind int64              `xorm:"-"`
 	Note             string             `xorm:"TEXT"`
-	RenderedNote     string             `xorm:"-"`
+	RenderedNote     template.HTML      `xorm:"-"`
 	IsDraft          bool               `xorm:"NOT NULL DEFAULT false"`
 	IsPrerelease     bool               `xorm:"NOT NULL DEFAULT false"`
 	IsTag            bool               `xorm:"NOT NULL DEFAULT false"` // will be true only if the record is a tag and has no related releases

models/user/badge.go

@@ -5,13 +5,15 @@ package user
 
 import (
 	"context"
+	"fmt"
 
 	"code.gitea.io/gitea/models/db"
 )
 
 // Badge represents a user badge
 type Badge struct {
-	ID          int64 `xorm:"pk autoincr"`
+	ID          int64  `xorm:"pk autoincr"`
+	Slug        string `xorm:"UNIQUE"`
 	Description string
 	ImageURL    string
 }
@@ -39,3 +41,84 @@ func GetUserBadges(ctx context.Context, u *User) ([]*Badge, int64, error) {
 	count, err := sess.FindAndCount(&badges)
 	return badges, count, err
 }
+
+// CreateBadge creates a new badge.
+func CreateBadge(ctx context.Context, badge *Badge) error {
+	_, err := db.GetEngine(ctx).Insert(badge)
+	return err
+}
+
+// GetBadge returns a badge
+func GetBadge(ctx context.Context, slug string) (*Badge, error) {
+	badge := new(Badge)
+	has, err := db.GetEngine(ctx).Where("slug=?", slug).Get(badge)
+	if !has {
+		return nil, err
+	}
+	return badge, err
+}
+
+// UpdateBadge updates a badge based on its slug.
+func UpdateBadge(ctx context.Context, badge *Badge) error {
+	_, err := db.GetEngine(ctx).Where("slug=?", badge.Slug).Update(badge)
+	return err
+}
+
+// DeleteBadge deletes a badge.
+func DeleteBadge(ctx context.Context, badge *Badge) error {
+	_, err := db.GetEngine(ctx).Where("slug=?", badge.Slug).Delete(badge)
+	return err
+}
+
+// AddUserBadge adds a badge to a user.
+func AddUserBadge(ctx context.Context, u *User, badge *Badge) error {
+	return AddUserBadges(ctx, u, []*Badge{badge})
+}
+
+// AddUserBadges adds badges to a user.
+func AddUserBadges(ctx context.Context, u *User, badges []*Badge) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		for _, badge := range badges {
+			// hydrate badge and check if it exists
+			has, err := db.GetEngine(ctx).Where("slug=?", badge.Slug).Get(badge)
+			if err != nil {
+				return err
+			} else if !has {
+				return fmt.Errorf("badge with slug %s doesn't exist", badge.Slug)
+			}
+			if err := db.Insert(ctx, &UserBadge{
+				BadgeID: badge.ID,
+				UserID:  u.ID,
+			}); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
+
+// RemoveUserBadge removes a badge from a user.
+func RemoveUserBadge(ctx context.Context, u *User, badge *Badge) error {
+	return RemoveUserBadges(ctx, u, []*Badge{badge})
+}
+
+// RemoveUserBadges removes badges from a user.
+func RemoveUserBadges(ctx context.Context, u *User, badges []*Badge) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		for _, badge := range badges {
+			if _, err := db.GetEngine(ctx).
+				Join("INNER", "badge", "badge.id = `user_badge`.badge_id").
+				Where("`user_badge`.user_id=? AND `badge`.slug=?", u.ID, badge.Slug).
+				Delete(&UserBadge{}); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
+
+// RemoveAllUserBadges removes all badges from a user.
+func RemoveAllUserBadges(ctx context.Context, u *User) error {
+	_, err := db.GetEngine(ctx).Where("user_id=?", u.ID).Delete(&UserBadge{})
+	return err
+}