Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Document that all unmerged feature PRs will be moved to next milestone when the feature freeze time comes (go-gitea#29578)
  Make admin pages wider because of left sidebar added and some tables become too narrow (go-gitea#29581)
  Refactor star/watch button (go-gitea#29576)
  Remove unnecessary SanitizeHTML from code (go-gitea#29575)
  Add missing database transaction for new issue (go-gitea#29490)
  Fix incorrect package link method calls in templates (go-gitea#29580)
  Move some asymkey functions to service layer (go-gitea#28894)
  Add user blocking (go-gitea#29028)

# Conflicts:
#	templates/repo/issue/view_content/context_menu.tmpl

CONTRIBUTING.md

@@ -464,7 +464,7 @@ We assume in good faith that the information you provide is legally binding.
 We adopted a release schedule to streamline the process of working on, finishing, and issuing releases. \
 The overall goal is to make a major release every three or four months, which breaks down into two or three months of general development followed by one month of testing and polishing known as the release freeze. \
 All the feature pull requests should be
-merged before feature freeze. And, during the frozen period, a corresponding
+merged before feature freeze. All feature pull requests haven't been merged before this feature freeze will be moved to next milestone, please notice our feature freeze announcement on discord. And, during the frozen period, a corresponding
 release branch is open for fixes backported from main branch. Release candidates
 are made during this period for user testing to
 obtain a final version that is maintained in this branch.

cmd/admin_regenerate.go

@@ -4,8 +4,8 @@
 package cmd
 
 import (
-	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/modules/graceful"
+	asymkey_service "code.gitea.io/gitea/services/asymkey"
 	repo_service "code.gitea.io/gitea/services/repository"
 
 	"github.com/urfave/cli/v2"
@@ -42,5 +42,5 @@ func runRegenerateKeys(_ *cli.Context) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}
-	return asymkey_model.RewriteAllPublicKeys(ctx)
+	return asymkey_service.RewriteAllPublicKeys(ctx)
 }

docs/content/administration/mail-templates.en-us.md

@@ -224,7 +224,7 @@ Please check [Gitea's logs](administration/logging-config.md) for error messages
         {{if not (eq .Body "")}}
             <h3>Message content</h3>
             <hr>
-            {{.Body | SanitizeHTML}}
+            {{.Body}}
         {{end}}
     </p>
     <hr>

docs/content/administration/mail-templates.zh-cn.md

@@ -207,7 +207,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/
         {{if not (eq .Body "")}}
             <h3>消息内容：</h3>
             <hr>
-            {{.Body | SanitizeHTML}}
+            {{.Body}}
         {{end}}
     </p>
     <hr>

docs/content/usage/blocking-users.en-us.md

@@ -0,0 +1,56 @@
+---
+date: "2024-01-31T00:00:00+00:00"
+title: "Blocking a user"
+slug: "blocking-user"
+sidebar_position: 25
+toc: false
+draft: false
+aliases:
+  - /en-us/webhooks
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Blocking a user"
+    sidebar_position: 30
+    identifier: "blocking-user"
+---
+
+# Blocking a user
+
+Gitea supports blocking of users to restrict how they can interact with you and your content.
+
+You can block a user in your account settings, from the user's profile or from comments created by the user.
+The user is not directly notified about the block, but they can notice they are blocked when they attempt to interact with you.
+Organization owners can block anyone who is not a member of the organization too.
+If a blocked user has admin permissions, they can still perform all actions even if blocked.
+
+### When you block a user
+
+- the user stops following you
+- you stop following the user
+- the user's stars are removed from your repositories
+- your stars are removed from their repositories
+- the user stops watching your repositories
+- you stop watching their repositories
+- the user's issue assignments are removed from your repositories
+- your issue assignments are removed from their repositories
+- the user is removed as a collaborator on your repositories
+- you are removed as a collaborator on their repositories
+- any pending repository transfers to or from the blocked user are canceled
+
+### When you block a user, the user cannot
+
+- follow you
+- watch your repositories
+- star your repositories
+- fork your repositories
+- transfer repositories to you
+- open issues or pull requests on your repositories
+- comment on issues or pull requests you've created
+- comment on issues or pull requests on your repositories
+- react to your comments on issues or pull requests
+- react to comments on issues or pull requests on your repositories
+- assign you to issues or pull requests
+- add you as a collaborator on their repositories
+- send you notifications by @mentioning your username
+- be added as team member (if blocked by an organization)

models/asymkey/ssh_key_authorized_keys.go

@@ -12,7 +12,6 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
-	"time"
 
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
@@ -44,6 +43,12 @@ const (
 
 var sshOpLocker sync.Mutex
 
+func WithSSHOpLocker(f func() error) error {
+	sshOpLocker.Lock()
+	defer sshOpLocker.Unlock()
+	return f()
+}
+
 // AuthorizedStringForKey creates the authorized keys string appropriate for the provided key
 func AuthorizedStringForKey(key *PublicKey) string {
 	sb := &strings.Builder{}
@@ -114,65 +119,6 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 	return nil
 }
 
-// RewriteAllPublicKeys removes any authorized key and rewrite all keys from database again.
-// Note: db.GetEngine(ctx).Iterate does not get latest data after insert/delete, so we have to call this function
-// outside any session scope independently.
-func RewriteAllPublicKeys(ctx context.Context) error {
-	// Don't rewrite key if internal server
-	if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile {
-		return nil
-	}
-
-	sshOpLocker.Lock()
-	defer sshOpLocker.Unlock()
-
-	if setting.SSH.RootPath != "" {
-		// First of ensure that the RootPath is present, and if not make it with 0700 permissions
-		// This of course doesn't guarantee that this is the right directory for authorized_keys
-		// but at least if it's supposed to be this directory and it doesn't exist and we're the
-		// right user it will at least be created properly.
-		err := os.MkdirAll(setting.SSH.RootPath, 0o700)
-		if err != nil {
-			log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err)
-			return err
-		}
-	}
-
-	fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
-	tmpPath := fPath + ".tmp"
-	t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		t.Close()
-		if err := util.Remove(tmpPath); err != nil {
-			log.Warn("Unable to remove temporary authorized keys file: %s: Error: %v", tmpPath, err)
-		}
-	}()
-
-	if setting.SSH.AuthorizedKeysBackup {
-		isExist, err := util.IsExist(fPath)
-		if err != nil {
-			log.Error("Unable to check if %s exists. Error: %v", fPath, err)
-			return err
-		}
-		if isExist {
-			bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix())
-			if err = util.CopyFile(fPath, bakPath); err != nil {
-				return err
-			}
-		}
-	}
-
-	if err := RegeneratePublicKeys(ctx, t); err != nil {
-		return err
-	}
-
-	t.Close()
-	return util.Rename(tmpPath, fPath)
-}
-
 // RegeneratePublicKeys regenerates the authorized_keys file
 func RegeneratePublicKeys(ctx context.Context, t io.StringWriter) error {
 	if err := db.GetEngine(ctx).Where("type != ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean any) (err error) {

models/asymkey/ssh_key_principals.go

@@ -9,51 +9,11 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 )
 
-// AddPrincipalKey adds new principal to database and authorized_principals file.
-func AddPrincipalKey(ctx context.Context, ownerID int64, content string, authSourceID int64) (*PublicKey, error) {
-	dbCtx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-	defer committer.Close()
-
-	// Principals cannot be duplicated.
-	has, err := db.GetEngine(dbCtx).
-		Where("content = ? AND type = ?", content, KeyTypePrincipal).
-		Get(new(PublicKey))
-	if err != nil {
-		return nil, err
-	} else if has {
-		return nil, ErrKeyAlreadyExist{0, "", content}
-	}
-
-	key := &PublicKey{
-		OwnerID:       ownerID,
-		Name:          content,
-		Content:       content,
-		Mode:          perm.AccessModeWrite,
-		Type:          KeyTypePrincipal,
-		LoginSourceID: authSourceID,
-	}
-	if err = db.Insert(dbCtx, key); err != nil {
-		return nil, fmt.Errorf("addKey: %w", err)
-	}
-
-	if err = committer.Commit(); err != nil {
-		return nil, err
-	}
-
-	committer.Close()
-
-	return key, RewriteAllPrincipalKeys(ctx)
-}
-
 // CheckPrincipalKeyString strips spaces and returns an error if the given principal contains newlines
 func CheckPrincipalKeyString(ctx context.Context, user *user_model.User, content string) (_ string, err error) {
 	if setting.SSH.Disabled {

models/fixtures/access.yml

@@ -42,120 +42,132 @@
 
 -
   id: 8
-  user_id: 15
+  user_id: 10
   repo_id: 21
   mode: 2
 
 -
   id: 9
+  user_id: 10
+  repo_id: 32
+  mode: 2
+
+-
+  id: 10
+  user_id: 15
+  repo_id: 21
+  mode: 2
+
+-
+  id: 11
   user_id: 15
   repo_id: 22
   mode: 2
 
 -
-  id: 10
+  id: 12
   user_id: 15
   repo_id: 23
   mode: 4
 
 -
-  id: 11
+  id: 13
   user_id: 15
   repo_id: 24
   mode: 4
 
 -
-  id: 12
+  id: 14
   user_id: 15
   repo_id: 32
   mode: 2
 
 -
-  id: 13
+  id: 15
   user_id: 18
   repo_id: 21
   mode: 2
 
 -
-  id: 14
+  id: 16
   user_id: 18
   repo_id: 22
   mode: 2
 
 -
-  id: 15
+  id: 17
   user_id: 18
   repo_id: 23
   mode: 4
 
 -
-  id: 16
+  id: 18
   user_id: 18
   repo_id: 24
   mode: 4
 
 -
-  id: 17
+  id: 19
   user_id: 20
   repo_id: 24
   mode: 1
 
 -
-  id: 18
+  id: 20
   user_id: 20
   repo_id: 27
   mode: 4
 
 -
-  id: 19
+  id: 21
   user_id: 20
   repo_id: 28
   mode: 4
 
 -
-  id: 20
+  id: 22
   user_id: 29
   repo_id: 4
   mode: 2
 
 -
-  id: 21
+  id: 23
   user_id: 29
   repo_id: 24
   mode: 1
 
 -
-  id: 22
+  id: 24
   user_id: 31
   repo_id: 27
   mode: 4
 
 -
-  id: 23
+  id: 25
   user_id: 31
   repo_id: 28
   mode: 4
 
 -
-  id: 24
+  id: 26
   user_id: 38
   repo_id: 60
   mode: 2
 
 -
-  id: 25
+  id: 27
   user_id: 38
   repo_id: 61
   mode: 1
 
 -
-  id: 26
+  id: 28
   user_id: 39
   repo_id: 61
   mode: 1
 
 -
-  id: 27
+  id: 29
   user_id: 40
   repo_id: 61
   mode: 4