From 4f267ef64343f790ecbe23299effbc806f77ef6d Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Fri, 15 Jul 2022 22:21:54 +0800
Subject: [PATCH 1/7] Allow access to the Public Organization Member lists with
 minimal permissions (#20330)

Examining Organization membership should not necessarily require sign-in if the organization is public and the members are public. Therefore we should adjust `/org/{org}/members` to not require login.

Fix #7501

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: zeripath <art27@cantab.net>
---
 modules/context/org.go  | 15 +++++++++++++++
 routers/web/org/home.go |  5 -----
 routers/web/web.go      |  7 ++++++-
 templates/org/home.tmpl |  8 +++-----
 4 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/modules/context/org.go b/modules/context/org.go
index 9f4ce485e5ee..d020befa4016 100644
--- a/modules/context/org.go
+++ b/modules/context/org.go
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 )
 
 // Organization contains organization context
@@ -69,6 +70,20 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 		return
 	}
 	org := ctx.Org.Organization
+
+	// Handle Visibility
+	if org.Visibility != structs.VisibleTypePublic && !ctx.IsSigned {
+		// We must be signed in to see limited or private organizations
+		ctx.NotFound("OrgAssignment", err)
+		return
+	}
+
+	if org.Visibility == structs.VisibleTypePrivate {
+		requireMember = true
+	} else if ctx.IsSigned && ctx.Doer.IsRestricted {
+		requireMember = true
+	}
+
 	ctx.ContextUser = org.AsUser()
 	ctx.Data["Org"] = org
 
diff --git a/routers/web/org/home.go b/routers/web/org/home.go
index d565a0c24240..63243a391f0e 100644
--- a/routers/web/org/home.go
+++ b/routers/web/org/home.go
@@ -39,11 +39,6 @@ func Home(ctx *context.Context) {
 
 	org := ctx.Org.Organization
 
-	if !organization.HasOrgOrUserVisible(ctx, org.AsUser(), ctx.Doer) {
-		ctx.NotFound("HasOrgOrUserVisible", nil)
-		return
-	}
-
 	ctx.Data["PageIsUserProfile"] = true
 	ctx.Data["Title"] = org.DisplayName()
 	if len(org.Description) != 0 {
diff --git a/routers/web/web.go b/routers/web/web.go
index ae273d99e4ff..fbece620b1c3 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -610,6 +610,12 @@ func RegisterRoutes(m *web.Route) {
 	}
 
 	// ***** START: Organization *****
+	m.Group("/org", func() {
+		m.Group("/{org}", func() {
+			m.Get("/members", org.Members)
+		}, context.OrgAssignment())
+	}, ignSignIn)
+
 	m.Group("/org", func() {
 		m.Group("", func() {
 			m.Get("/create", org.Create)
@@ -625,7 +631,6 @@ func RegisterRoutes(m *web.Route) {
 			m.Get("/pulls/{team}", user.Pulls)
 			m.Get("/milestones", reqMilestonesDashboardPageEnabled, user.Milestones)
 			m.Get("/milestones/{team}", reqMilestonesDashboardPageEnabled, user.Milestones)
-			m.Get("/members", org.Members)
 			m.Post("/members/action/{action}", org.MembersAction)
 			m.Get("/teams", org.Teams)
 		}, context.OrgAssignment(true, false, true))
diff --git a/templates/org/home.tmpl b/templates/org/home.tmpl
index 06a9a3680354..3ff86259d53f 100644
--- a/templates/org/home.tmpl
+++ b/templates/org/home.tmpl
@@ -41,11 +41,9 @@
 				{{end}}
 				<h4 class="ui top attached header df">
 					<strong class="f1">{{.locale.Tr "org.people"}}</strong>
-					{{if .IsOrganizationMember}}
-						<div class="ui">
-							<a class="text grey dif ac" href="{{.OrgLink}}/members"><span>{{.Org.NumMembers}}</span> {{svg "octicon-chevron-right"}}</a>
-						</div>
-					{{end}}
+					<div class="ui">
+						<a class="text grey dif ac" href="{{.OrgLink}}/members"><span>{{.MembersTotal}}</span> {{svg "octicon-chevron-right"}}</a>
+					</div>
 				</h4>
 				<div class="ui attached segment members">
 					{{$isMember := .IsOrganizationMember}}

From dbd3b7f9fd367ffabc89706e19af85713f0e0e11 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Fri, 15 Jul 2022 16:20:05 +0100
Subject: [PATCH 2/7] Initialize cron last (#20373)

Cron will try to run certain things at startup but these depend on multiple things
being set-up. Therefore we should initialize cron last.

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 routers/init.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/routers/init.go b/routers/init.go
index 72ccf3526c1f..e640ca48453b 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -141,7 +141,6 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(repo_service.Init)
 
 	// Booting long running goroutines.
-	cron.NewContext(ctx)
 	issue_indexer.InitIssueIndexer(false)
 	code_indexer.Init()
 	mustInit(stats_indexer.Init)
@@ -160,6 +159,9 @@ func GlobalInitInstalled(ctx context.Context) {
 
 	auth.Init()
 	svg.Init()
+
+	// Finally start up the cron
+	cron.NewContext(ctx)
 }
 
 // NormalRoutes represents non install routes

From 57e0bf43eb3d93933aac351958599b6623ddf978 Mon Sep 17 00:00:00 2001
From: Gusted <williamzijl7@hotmail.com>
Date: Fri, 15 Jul 2022 18:39:03 +0000
Subject: [PATCH 3/7] Set target on create release with existing tag (#20381)

When you create a new release(e.g. via Tea) and specify a tag that already exists on
the repository, Gitea will instead use the `UpdateRelease`
functionality. However it currently doesn't set the Target field. This
PR fixes that.
---
 routers/api/v1/repo/release.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/routers/api/v1/repo/release.go b/routers/api/v1/repo/release.go
index 8dfe7e06d26f..80009f78e99c 100644
--- a/routers/api/v1/repo/release.go
+++ b/routers/api/v1/repo/release.go
@@ -224,6 +224,7 @@ func CreateRelease(ctx *context.APIContext) {
 		rel.IsTag = false
 		rel.Repo = ctx.Repo.Repository
 		rel.Publisher = ctx.Doer
+		rel.Target = form.Target
 
 		if err = release_service.UpdateRelease(ctx.Doer, ctx.Repo.GitRepo, rel, nil, nil, nil); err != nil {
 			ctx.Error(http.StatusInternalServerError, "UpdateRelease", err)

From fee0e4dbeac842e606846eda1d311fed352da3b8 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Sat, 16 Jul 2022 08:10:02 +0800
Subject: [PATCH 4/7] Remove confusing TrimPrefix(... git.BranchPrefix)
 (#20369)

Make Repository.GetDefaultBranch return the real branch name, instead of the ref name. Then there is no need to do TrimPrefix for repo.DefaultBranch
---
 modules/git/repo_branch.go   | 10 +++++++++-
 services/repository/adopt.go |  2 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/git/repo_branch.go b/modules/git/repo_branch.go
index 8e455480e727..17d243808e9c 100644
--- a/modules/git/repo_branch.go
+++ b/modules/git/repo_branch.go
@@ -7,6 +7,7 @@ package git
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 )
@@ -72,7 +73,14 @@ func (repo *Repository) SetDefaultBranch(name string) error {
 // GetDefaultBranch gets default branch of repository.
 func (repo *Repository) GetDefaultBranch() (string, error) {
 	stdout, _, err := NewCommand(repo.Ctx, "symbolic-ref", "HEAD").RunStdString(&RunOpts{Dir: repo.Path})
-	return stdout, err
+	if err != nil {
+		return "", err
+	}
+	stdout = strings.TrimSpace(stdout)
+	if !strings.HasPrefix(stdout, BranchPrefix) {
+		return "", errors.New("the HEAD is not a branch: " + stdout)
+	}
+	return strings.TrimPrefix(stdout, BranchPrefix), nil
 }
 
 // GetBranch returns a branch by it's name
diff --git a/services/repository/adopt.go b/services/repository/adopt.go
index 48f049cd2811..6d6611c705f8 100644
--- a/services/repository/adopt.go
+++ b/services/repository/adopt.go
@@ -143,8 +143,6 @@ func adoptRepository(ctx context.Context, repoPath string, u *user_model.User, r
 				return fmt.Errorf("setDefaultBranch: %v", err)
 			}
 		}
-
-		repo.DefaultBranch = strings.TrimPrefix(repo.DefaultBranch, git.BranchPrefix)
 	}
 	branches, _, _ := gitRepo.GetBranchNames(0, 0)
 	found := false

From ce8e06f9f30f0ff3800d0d8da3c7d3044c71c64a Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Sat, 16 Jul 2022 00:20:56 +0000
Subject: [PATCH 5/7] [skip ci] Updated translations via Crowdin

---
 options/locale/locale_pt-PT.ini | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
index f84a72381ee5..b18bb0cbb820 100644
--- a/options/locale/locale_pt-PT.ini
+++ b/options/locale/locale_pt-PT.ini
@@ -2540,6 +2540,8 @@ users.delete_account=Eliminar conta de utilizador
 users.cannot_delete_self=Não se pode eliminar a si próprio
 users.still_own_repo=Este utilizador ainda possui um ou mais repositórios. Elimine ou transfira esses repositórios primeiro.
 users.still_has_org=Este utilizador é membro de uma organização. Remova, primeiro, o utilizador de todas as organizações.
+users.purge=Eliminar utilizador
+users.purge_help=Eliminar o utilizador à força, juntamente com todos os seus repositórios, organizações e pacotes. Também serão eliminados todos os seus comentários.
 users.still_own_packages=Este utilizador ainda possui um ou mais pacotes. Elimine esses pacotes primeiro.
 users.deletion_success=A conta de utilizador foi eliminada.
 users.reset_2fa=Reinicializar a autenticação em dois passos

From 6247a1dd5d4f9b103feb7b3fd71463bc66f5c288 Mon Sep 17 00:00:00 2001
From: CLanguagePurist <107034654+CLanguagePurist@users.noreply.github.com>
Date: Sat, 16 Jul 2022 06:58:56 -0600
Subject: [PATCH 6/7] Comment on PrivateUsers option for gitea.service (#20383)

* Comment on PrivateUsers option for gitea.service

A user happens to encounter an issue where PrivateUsers sandboxed Gitea.service and it effectively stop systemd from applying capabilities for that gitea.service. I am opening this PR to provide comments on PrivateUsers, effectively a tiny FAQ information for end-user.
---
 contrib/systemd/gitea.service | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/contrib/systemd/gitea.service b/contrib/systemd/gitea.service
index d6a4377ec809..79c34564bc97 100644
--- a/contrib/systemd/gitea.service
+++ b/contrib/systemd/gitea.service
@@ -78,6 +78,13 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
 #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 #AmbientCapabilities=CAP_NET_BIND_SERVICE
 ###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
 
 [Install]
 WantedBy=multi-user.target

From 17ce5f86608b6d14309b772db0578f09bd034bbf Mon Sep 17 00:00:00 2001
From: CLanguagePurist <107034654+CLanguagePurist@users.noreply.github.com>
Date: Sun, 17 Jul 2022 00:20:41 +0000
Subject: [PATCH 7/7] [skip ci] Updated licenses and gitignores

---
 options/gitignore/Bazel                  |  2 +-
 options/license/GStreamer-exception-2005 |  1 +
 options/license/GStreamer-exception-2008 |  1 +
 options/license/Minpack                  | 51 ++++++++++++++++++++++++
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 options/license/GStreamer-exception-2005
 create mode 100644 options/license/GStreamer-exception-2008
 create mode 100644 options/license/Minpack

diff --git a/options/gitignore/Bazel b/options/gitignore/Bazel
index 4e1d5a2ba0a4..bc3afc20ba69 100644
--- a/options/gitignore/Bazel
+++ b/options/gitignore/Bazel
@@ -6,7 +6,7 @@
 /bazel-*
 
 # Directories for the Bazel IntelliJ plugin containing the generated
-# IntelliJ project files and plugin configuration. Separate directories are
+# IntelliJ project files and plugin configuration. Seperate directories are
 # for the IntelliJ, Android Studio and CLion versions of the plugin.
 /.ijwb/
 /.aswb/
diff --git a/options/license/GStreamer-exception-2005 b/options/license/GStreamer-exception-2005
new file mode 100644
index 000000000000..95ff750da325
--- /dev/null
+++ b/options/license/GStreamer-exception-2005
@@ -0,0 +1 @@
+The Totem project hereby grant permission for non-gpl compatible GStreamer plugins to be used and distributed together with GStreamer and Totem. This permission are above and beyond the permissions granted by the GPL license Totem is covered by.
diff --git a/options/license/GStreamer-exception-2008 b/options/license/GStreamer-exception-2008
new file mode 100644
index 000000000000..28927e533ef7
--- /dev/null
+++ b/options/license/GStreamer-exception-2008
@@ -0,0 +1 @@
+This project hereby grants permission for non-GPL compatible GStreamer plugins to be used and distributed together with GStreamer and this project. This permission is above and beyond the permissions granted by the GPL license by which this project is covered. If you modify this code, you may extend this exception to your version of the code, but you are not obligated to do so.  If you do not wish to do so, delete this exception statement from your version.
diff --git a/options/license/Minpack b/options/license/Minpack
new file mode 100644
index 000000000000..132cc3f33fa7
--- /dev/null
+++ b/options/license/Minpack
@@ -0,0 +1,51 @@
+Minpack Copyright Notice (1999) University of Chicago.  All rights reserved
+
+Redistribution and use in source and binary forms, with or
+without modification, are permitted provided that the
+following conditions are met:
+
+1. Redistributions of source code must retain the above
+copyright notice, this list of conditions and the following
+disclaimer.
+
+2. Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following
+disclaimer in the documentation and/or other materials
+provided with the distribution.
+
+3. The end-user documentation included with the
+redistribution, if any, must include the following
+acknowledgment:
+
+   "This product includes software developed by the
+   University of Chicago, as Operator of Argonne National
+   Laboratory.
+
+Alternately, this acknowledgment may appear in the software
+itself, if and wherever such third-party acknowledgments
+normally appear.
+
+4. WARRANTY DISCLAIMER. THE SOFTWARE IS SUPPLIED "AS IS"
+WITHOUT WARRANTY OF ANY KIND. THE COPYRIGHT HOLDER, THE
+UNITED STATES, THE UNITED STATES DEPARTMENT OF ENERGY, AND
+THEIR EMPLOYEES: (1) DISCLAIM ANY WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE
+OR NON-INFRINGEMENT, (2) DO NOT ASSUME ANY LEGAL LIABILITY
+OR RESPONSIBILITY FOR THE ACCURACY, COMPLETENESS, OR
+USEFULNESS OF THE SOFTWARE, (3) DO NOT REPRESENT THAT USE OF
+THE SOFTWARE WOULD NOT INFRINGE PRIVATELY OWNED RIGHTS, (4)
+DO NOT WARRANT THAT THE SOFTWARE WILL FUNCTION
+UNINTERRUPTED, THAT IT IS ERROR-FREE OR THAT ANY ERRORS WILL
+BE CORRECTED.
+
+5. LIMITATION OF LIABILITY. IN NO EVENT WILL THE COPYRIGHT
+HOLDER, THE UNITED STATES, THE UNITED STATES DEPARTMENT OF
+ENERGY, OR THEIR EMPLOYEES: BE LIABLE FOR ANY INDIRECT,
+INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF
+ANY KIND OR NATURE, INCLUDING BUT NOT LIMITED TO LOSS OF
+PROFITS OR LOSS OF DATA, FOR ANY REASON WHATSOEVER, WHETHER
+SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT
+(INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE,
+EVEN IF ANY OF SAID PARTIES HAS BEEN WARNED OF THE
+POSSIBILITY OF SUCH LOSS OR DAMAGES.