Merge branch 'master' into milestones

Author: lunny

custom/conf/app.ini.sample

@@ -877,6 +877,12 @@ SHOW_FOOTER_VERSION = true
 ; Show template execution time in the footer
 SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
 
+[markup.sanitizer]
+; The following keys can be used multiple times to define sanitation policy rules.
+;ELEMENT = span
+;ALLOW_ATTR = class
+;REGEXP = ^(info|warning|error)$
+
 [markup.asciidoc]
 ENABLED = false
 ; List of file extensions that should be rendered by an external command

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -578,6 +578,24 @@ Two special environment variables are passed to the render command:
 - `GITEA_PREFIX_SRC`, which contains the current URL prefix in the `src` path tree. To be used as prefix for links.
 - `GITEA_PREFIX_RAW`, which contains the current URL prefix in the `raw` path tree. To be used as prefix for image paths.
 
+
+Gitea supports customizing the sanitization policy for rendered HTML. The example below will support KaTeX output from pandoc.
+
+```ini
+[markup.sanitizer]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+```
+
+ - `ELEMENT`: The element this policy applies to. Must be non-empty.
+ - `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty.
+ - `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute.
+
+You may redefine `ELEMENT`, `ALLOW_ATTR`, and `REGEXP` multiple times; each time all three are defined is a single policy entry.
+
 ## Time (`time`)
 
 - `FORMAT`: Time format to diplay on UI. i.e. RFC1123 or 2006-01-02 15:04:05

docs/content/doc/advanced/external-renderers.en-us.md

@@ -68,4 +68,22 @@ RENDER_COMMAND = rst2html.py
 IS_INPUT_FILE = false
 ```
 
+If your external markup relies on additional classes and attributes on the generated HTML elements, you might need to enable custom sanitizer policies. Gitea uses the [`bluemonday`](https://godoc.org/github.com/microcosm-cc/bluemonday) package as our HTML sanitizier. The example below will support [KaTeX](https://katex.org/) output from [`pandoc`](https://pandoc.org/).
+
+```ini
+[markup.sanitizer]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+
+[markup.markdown]
+ENABLED         = true
+FILE_EXTENSIONS = .md,.markdown
+RENDER_COMMAND  = pandoc -f markdown -t html --katex
+```
+
+You may redefine `ELEMENT`, `ALLOW_ATTR`, and `REGEXP` multiple times; each time all three are defined is a single policy entry. All three must be defined, but `REGEXP` may be blank to allow unconditional whitelisting of that attribute.
+
 Once your configuration changes have been made, restart Gitea to have changes take effect.

integrations/api_issue_reaction_test.go

@@ -0,0 +1,145 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+	"time"
+
+	"code.gitea.io/gitea/models"
+	api "code.gitea.io/gitea/modules/structs"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIIssuesReactions(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 1}).(*models.Issue)
+	_ = issue.LoadRepo()
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
+
+	session := loginUser(t, owner.Name)
+	token := getTokenForLoggedInUser(t, session)
+
+	user1 := models.AssertExistsAndLoadBean(t, &models.User{ID: 1}).(*models.User)
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/reactions?token=%s",
+		owner.Name, issue.Repo.Name, issue.Index, token)
+
+	//Try to add not allowed reaction
+	req := NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
+		Reaction: "wrong",
+	})
+	resp := session.MakeRequest(t, req, http.StatusForbidden)
+
+	//Delete not allowed reaction
+	req = NewRequestWithJSON(t, "DELETE", urlStr, &api.EditReactionOption{
+		Reaction: "zzz",
+	})
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	//Add allowed reaction
+	req = NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
+		Reaction: "rocket",
+	})
+	resp = session.MakeRequest(t, req, http.StatusCreated)
+	var apiNewReaction api.ReactionResponse
+	DecodeJSON(t, resp, &apiNewReaction)
+
+	//Add existing reaction
+	resp = session.MakeRequest(t, req, http.StatusForbidden)
+
+	//Get end result of reaction list of issue #1
+	req = NewRequestf(t, "GET", urlStr)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	var apiReactions []*api.ReactionResponse
+	DecodeJSON(t, resp, &apiReactions)
+	expectResponse := make(map[int]api.ReactionResponse)
+	expectResponse[0] = api.ReactionResponse{
+		User:     user1.APIFormat(),
+		Reaction: "zzz",
+		Created:  time.Unix(1573248002, 0),
+	}
+	expectResponse[1] = api.ReactionResponse{
+		User:     user2.APIFormat(),
+		Reaction: "eyes",
+		Created:  time.Unix(1573248003, 0),
+	}
+	expectResponse[2] = apiNewReaction
+	assert.Len(t, apiReactions, 3)
+	for i, r := range apiReactions {
+		assert.Equal(t, expectResponse[i].Reaction, r.Reaction)
+		assert.Equal(t, expectResponse[i].Created.Unix(), r.Created.Unix())
+		assert.Equal(t, expectResponse[i].User.ID, r.User.ID)
+	}
+}
+
+func TestAPICommentReactions(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	comment := models.AssertExistsAndLoadBean(t, &models.Comment{ID: 2}).(*models.Comment)
+	_ = comment.LoadIssue()
+	issue := comment.Issue
+	_ = issue.LoadRepo()
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
+
+	session := loginUser(t, owner.Name)
+	token := getTokenForLoggedInUser(t, session)
+
+	user1 := models.AssertExistsAndLoadBean(t, &models.User{ID: 1}).(*models.User)
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/reactions?token=%s",
+		owner.Name, issue.Repo.Name, comment.ID, token)
+
+	//Try to add not allowed reaction
+	req := NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
+		Reaction: "wrong",
+	})
+	resp := session.MakeRequest(t, req, http.StatusForbidden)
+
+	//Delete none existing reaction
+	req = NewRequestWithJSON(t, "DELETE", urlStr, &api.EditReactionOption{
+		Reaction: "eyes",
+	})
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	//Add allowed reaction
+	req = NewRequestWithJSON(t, "POST", urlStr, &api.EditReactionOption{
+		Reaction: "+1",
+	})
+	resp = session.MakeRequest(t, req, http.StatusCreated)
+	var apiNewReaction api.ReactionResponse
+	DecodeJSON(t, resp, &apiNewReaction)
+
+	//Add existing reaction
+	resp = session.MakeRequest(t, req, http.StatusForbidden)
+
+	//Get end result of reaction list of issue #1
+	req = NewRequestf(t, "GET", urlStr)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	var apiReactions []*api.ReactionResponse
+	DecodeJSON(t, resp, &apiReactions)
+	expectResponse := make(map[int]api.ReactionResponse)
+	expectResponse[0] = api.ReactionResponse{
+		User:     user2.APIFormat(),
+		Reaction: "laugh",
+		Created:  time.Unix(1573248004, 0),
+	}
+	expectResponse[1] = api.ReactionResponse{
+		User:     user1.APIFormat(),
+		Reaction: "laugh",
+		Created:  time.Unix(1573248005, 0),
+	}
+	expectResponse[2] = apiNewReaction
+	assert.Len(t, apiReactions, 3)
+	for i, r := range apiReactions {
+		assert.Equal(t, expectResponse[i].Reaction, r.Reaction)
+		assert.Equal(t, expectResponse[i].Created.Unix(), r.Created.Unix())
+		assert.Equal(t, expectResponse[i].User.ID, r.User.ID)
+	}
+}

integrations/benchmarks_test.go

@@ -25,7 +25,7 @@ func BenchmarkRepo(b *testing.B) {
 		{url: "https://github.com/golang/go.git", name: "go", skipShort: true},
 		{url: "https://github.com/torvalds/linux.git", name: "linux", skipShort: true},
 	}
-	prepareTestEnv(b)
+	defer prepareTestEnv(b)()
 	session := loginUser(b, "user2")
 	b.ResetTimer()
 
@@ -75,7 +75,7 @@ func StringWithCharset(length int, charset string) string {
 
 func BenchmarkRepoBranchCommit(b *testing.B) {
 	samples := []int64{1, 3, 15, 16}
-	prepareTestEnv(b)
+	defer prepareTestEnv(b)()
 	b.ResetTimer()
 
 	for _, repoID := range samples {

integrations/git_helper_for_declarative_test.go

@@ -78,7 +78,7 @@ func allowLFSFilters() []string {
 
 func onGiteaRun(t *testing.T, callback func(*testing.T, *url.URL), prepare ...bool) {
 	if len(prepare) == 0 || prepare[0] {
-		prepareTestEnv(t, 1)
+		defer prepareTestEnv(t, 1)()
 	}
 	s := http.Server{
 		Handler: mac,

integrations/gpg_git_test.go

@@ -23,7 +23,7 @@ import (
 )
 
 func TestGPGGit(t *testing.T) {
-	prepareTestEnv(t)
+	defer prepareTestEnv(t)()
 	username := "user2"
 
 	// OK Set a new GPG home

models/error.go

@@ -1121,6 +1121,21 @@ func (err ErrNewIssueInsert) Error() string {
 	return err.OriginalError.Error()
 }
 
+// ErrForbiddenIssueReaction is used when a forbidden reaction was try to created
+type ErrForbiddenIssueReaction struct {
+	Reaction string
+}
+
+// IsErrForbiddenIssueReaction checks if an error is a ErrForbiddenIssueReaction.
+func IsErrForbiddenIssueReaction(err error) bool {
+	_, ok := err.(ErrForbiddenIssueReaction)
+	return ok
+}
+
+func (err ErrForbiddenIssueReaction) Error() string {
+	return fmt.Sprintf("'%s' is not an allowed reaction", err.Reaction)
+}
+
 // __________      .__  .__ __________                                     __
 // \______   \__ __|  | |  |\______   \ ____  ________ __   ____   _______/  |_
 //  |     ___/  |  \  | |  | |       _// __ \/ ____/  |  \_/ __ \ /  ___/\   __\

models/fixtures/reaction.yml

@@ -1 +1,39 @@
-[] # empty
+-
+  id: 1 #issue reaction
+  type: zzz # not allowed reaction (added before allowed reaction list has changed)
+  issue_id: 1
+  comment_id: 0
+  user_id: 2
+  created_unix: 1573248001
+
+-
+  id: 2 #issue reaction
+  type: zzz # not allowed reaction (added before allowed reaction list has changed)
+  issue_id: 1
+  comment_id: 0
+  user_id: 1
+  created_unix: 1573248002
+
+-
+  id: 3 #issue reaction
+  type: eyes # allowed reaction
+  issue_id: 1
+  comment_id: 0
+  user_id: 2
+  created_unix: 1573248003
+
+-
+  id: 4 #comment reaction
+  type: laugh # allowed reaction
+  issue_id: 1
+  comment_id: 2
+  user_id: 2
+  created_unix: 1573248004
+
+-
+  id: 5 #comment reaction
+  type: laugh # allowed reaction
+  issue_id: 1
+  comment_id: 2
+  user_id: 1
+  created_unix: 1573248005

models/issue_reaction.go

@@ -33,16 +33,38 @@ type FindReactionsOptions struct {
 }
 
 func (opts *FindReactionsOptions) toConds() builder.Cond {
+	//If Issue ID is set add to Query
 	var cond = builder.NewCond()
 	if opts.IssueID > 0 {
 		cond = cond.And(builder.Eq{"reaction.issue_id": opts.IssueID})
 	}
+	//If CommentID is > 0 add to Query
+	//If it is 0 Query ignore CommentID to select
+	//If it is -1 it explicit search of Issue Reactions where CommentID = 0
 	if opts.CommentID > 0 {
 		cond = cond.And(builder.Eq{"reaction.comment_id": opts.CommentID})
+	} else if opts.CommentID == -1 {
+		cond = cond.And(builder.Eq{"reaction.comment_id": 0})
 	}
+
 	return cond
 }
 
+// FindCommentReactions returns a ReactionList of all reactions from an comment
+func FindCommentReactions(comment *Comment) (ReactionList, error) {
+	return findReactions(x, FindReactionsOptions{
+		IssueID:   comment.IssueID,
+		CommentID: comment.ID})
+}
+
+// FindIssueReactions returns a ReactionList of all reactions from an issue
+func FindIssueReactions(issue *Issue) (ReactionList, error) {
+	return findReactions(x, FindReactionsOptions{
+		IssueID:   issue.ID,
+		CommentID: -1,
+	})
+}
+
 func findReactions(e Engine, opts FindReactionsOptions) ([]*Reaction, error) {
 	reactions := make([]*Reaction, 0, 10)
 	sess := e.Where(opts.toConds())
@@ -77,6 +99,10 @@ type ReactionOptions struct {
 
 // CreateReaction creates reaction for issue or comment.
 func CreateReaction(opts *ReactionOptions) (reaction *Reaction, err error) {
+	if !setting.UI.ReactionsMap[opts.Type] {
+		return nil, ErrForbiddenIssueReaction{opts.Type}
+	}
+
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
@@ -160,6 +186,19 @@ func DeleteCommentReaction(doer *User, issue *Issue, comment *Comment, content s
 	})
 }
 
+// LoadUser load user of reaction
+func (r *Reaction) LoadUser() (*User, error) {
+	if r.User != nil {
+		return r.User, nil
+	}
+	user, err := getUserByID(x, r.UserID)
+	if err != nil {
+		return nil, err
+	}
+	r.User = user
+	return user, nil
+}
+
 // ReactionList represents list of reactions
 type ReactionList []*Reaction