forgejo/release-notes/9513.md
Ryan Lerch 7ce74a31e2 fix!: prevent forked .profile repositories from displaying profile content (#9513)
This PR fixes an issue where forked `.profile` repositories were unexpectedly displaying profile content on user profile pages. The fix ensures that only regular `.profile` repositories (not forks) are used to populate user profiles.

Fixes #9235
### Problem

When a user forked a repository named `.profile` without having created their own `.profile` repository, the content from the forked repository was unexpectedly displayed on their public profile page. This could lead to users' profiles displaying content they did not intentionally create for that purpose.

This issue was particularly problematic on instances where users had repository creation limits (-1) and would inappropriately use forked `.profile` repositories to obtain profile customization.

### Solution

Modified the `FindUserProfileReadme()` function in `routers/web/shared/user/header.go` to check if the `.profile` repository is a fork (`profileDbRepo.IsFork`) and return early if it is, preventing forked repositories from being used for profile content.

**For existing users:**
- Users with forked `.profile` repositories will no longer see unexpected profile content
- No action required unless they want to keep the content

**For users who want to use forked content:**
- Can convert the fork to a regular repository in Repository Settings → "Danger Zone" → "Convert fork"
- This preserves the content while making it available for profile display

### Testing

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

**Tests:** Added comprehensive integration test `forked-profile-repo` that verifies:
  - Original `.profile` repositories still work correctly
  - Forked `.profile` repositories do not display profile content
  - Forked repositories remain accessible via direct repository URLs
  - Fork relationships are maintained correctly

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

Docs PR is here: https://codeberg.org/forgejo/docs/pulls/1525

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [x] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Release Notes available at `release-notes/9235.md`
---
More at: https://codeberg.org/fedora/forgejo-deployment/issues/167

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Breaking bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9513): <!--number 9513 --><!--line 0 --><!--description-->fix!: Prevent forked `.profile` repositories from displaying profile content. When a user forked a repository named `.profile` without having created their own `.profile` repository, the content from the forked repository was unexpectedly displayed on their public profile page. This could lead to users' profiles displaying content they did not intentionally create for that purpose. Forked `.profile` repositories are now treated as standard repositories and do not populate the user's public profile page. Users who wish to use the content from a forked `.profile` repository can convert the fork to a regular repository in the "Danger Zone" section of Repository settings. This issue was particularly problematic on instances where users had repository creation limits (-1) and would inappropriately use forked `.profile` repositories to obtain profile customization.<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: mfenniak <mfenniak@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9513
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Ryan Lerch <rlerch@redhat.com>
Co-committed-by: Ryan Lerch <rlerch@redhat.com>
2025-10-07 18:53:57 +02:00
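The check described in the Solution section, shown as an added example rather than Forgejo's own code: `ProfileRepo`, `findProfileReadmeBefore` and `findProfileReadme` are assumed, simplified stand-ins for the repository model and for `FindUserProfileReadme()`, keeping only the `.profile` name lookup and the `IsFork` early return that the PR adds. The "before" variant models the behaviour the bug report describes, the "after" variant the fix.

```go
package main

import "fmt"

// ProfileRepo is an assumed, simplified stand-in for the repository record
// that FindUserProfileReadme() looks up (not Forgejo's real type); it carries
// only the fields the PR's check needs.
type ProfileRepo struct {
	Name   string
	IsFork bool
	Readme string // README contents, or "" when the repository has none
}

// findProfileReadmeBefore models the pre-fix behaviour: any repository named
// ".profile" owned by the user, fork or not, supplies the profile content.
func findProfileReadmeBefore(repos []ProfileRepo) string {
	for _, r := range repos {
		if r.Name == ".profile" {
			return r.Readme
		}
	}
	return ""
}

// findProfileReadme models the fix from #9513: a ".profile" repository that is
// a fork (profileDbRepo.IsFork in the PR) returns early and contributes
// nothing, so only a repository the user created themselves populates the
// profile page. A fork stays reachable through its own repository URL; it is
// simply treated as an ordinary repository here.
func findProfileReadme(repos []ProfileRepo) string {
	for _, r := range repos {
		if r.Name != ".profile" {
			continue
		}
		if r.IsFork {
			return "" // early return: forks never feed the profile page
		}
		return r.Readme
	}
	return ""
}

func main() {
	// Constructed sample: a user who only forked someone else's .profile.
	forkedOnly := []ProfileRepo{{Name: ".profile", IsFork: true, Readme: "# Someone else's profile"}}
	fmt.Printf("before fix: %q\n", findProfileReadmeBefore(forkedOnly)) // "# Someone else's profile"
	fmt.Printf("after fix:  %q\n", findProfileReadme(forkedOnly))       // ""
}
```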


fix!: Prevent forked .profile repositories from displaying profile content. When a user forked a repository named .profile without having created their own .profile repository, the content from the forked repository was unexpectedly displayed on their public profile page. This could lead to users' profiles displaying content they did not intentionally create for that purpose. Forked .profile repositories are now treated as standard repositories and do not populate the user's public profile page. Users who wish to use the content from a forked .profile repository can convert the fork to a regular repository in the "Danger Zone" section of Repository settings. This issue was particularly problematic on instances where users had repository creation limits (-1) and would inappropriately use forked .profile repositories to obtain profile customization.