- Add security headers:
  - X-Frame-Options
  - X-Content-Type-Options
  - Content-Security-Policy
  - Permissions-Policy
- Do not send server information header
Committed-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
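As an added illustration of the change described above (not the project's own code), a hypothetical `javax.servlet` filter that sets the four listed headers on every response. The header values are assumptions: a real Content-Security-Policy must be tuned to the assets the application actually loads, and the frame and permissions settings shown are a conservative baseline.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not SCM-Manager's implementation) that applies the
 * security headers from the commit to every HTTP response.
 * Values are assumed defaults, not taken from the project.
 */
public class SecurityHeadersFilter implements Filter {

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
      HttpServletResponse http = (HttpServletResponse) response;
      // Headers must be set before the response is committed, i.e. before
      // the rest of the chain writes the body.
      // Refuse framing by other origins (clickjacking mitigation).
      http.setHeader("X-Frame-Options", "SAMEORIGIN");
      // Stop browsers from sniffing a MIME type that differs from Content-Type.
      http.setHeader("X-Content-Type-Options", "nosniff");
      // Restrict where scripts, styles and frames may be loaded from;
      // 'self' is an assumed baseline that a real deployment would extend.
      http.setHeader("Content-Security-Policy",
          "default-src 'self'; frame-ancestors 'self'; object-src 'none'");
      // Disable browser features the application has no use for.
      http.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
    }
    chain.doFilter(request, response);
  }
}
```

The "Server" header is emitted by the container rather than the application, so a filter is the wrong place to suppress it; on an embedded Jetty (assumed here) it is disabled with `HttpConfiguration.setSendServerVersion(false)` on the connector's configuration.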
This fixes errors when deleting configurations.
The error occurred during "unmirror" in the mirror plugin.
Committed-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
The new implementations are meant to be used in test
classes replacing the older implementations like
`InMemoryConfigurationStoreFactory`. The benefit
of these new classes is that the serialization using JAXB
is tested implicitly, avoiding mistakes made with XML
annotations on the data classes.
Committed-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
If anonymous access is enabled and read requests are granted
to hg repositories for the anonymous user, write requests
fail also for users with write requests, because no
authentication header has been sent along with the 401.
This fixes this issue in the default cgi servlet.
There may be a race condition when loading plugin bundles with lazy dependencies:
The OpenAPI plugin depends on "redux" and "react-redux", which are bundled in the lazy "ui-legacy" module, as the usage of redux is deprecated in the scmm. The "ui-legacy" module also binds a global wrapper extension point around the whole app. Due to a bug in the plugin loader, plugin bundles were marked as successfully loaded even if a lazy dependency hadn't successfully loaded yet. This caused the extension point from the "ui-legacy" bundle to be bound after the initial render. As the process of extension point binding doesn't trigger a re-render, the redux provider was not wrapped around the app on initial load. When the user then moved focus out of and back into the window, react-query hooks automatically refetched e.g. the index links, which caused a re-render, now with the bound extension point applied. This caused the whole app to be unmounted and re-mounted, which in turn reset all form fields anywhere below in the tree.
Also fixes a bug where the global notifications component was executing a state update while already unmounted.
Also fixes a bug in the user creation form where an object literal was passed to the form's default values which caused a form reset whenever the component re-rendered.
Committed-by: Rene Pfeuffer <rene.pfeuffer@cloudogu.com>
The git mirror command did not set the default branch correctly in all cases. If the source repository contained a 'master' branch, no default branch was set. This led to an error in the refresh process when another branch had been configured globally as the default (when not changed, this is 'main'), because the working copy should be created with the main branch checked out. Because no default was specified, the globally configured default (by default 'main') had been taken, and that branch does not exist in the mirror.
So all subsequent mirror updates failed with a message like this one:
could not find branch with id main in repository with id ...
With this fix, the default branch is always set in the SCM-Manager configuration for the repository and therefore cannot be missing in subsequent updates.
Committed-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
Make the plugin manager functions more clear and improve the usability by using a sticky top area with action buttons.
Committed-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
Use standard configuration store api for general configuration. This is best practice and also required for the audit log to work properly.
Besides that, we still need to load the general configuration manually for the instance injection binding in ScmServletModules. Since the instance injection does not resolve the bindings regularly, we also still need to update the injectable scm config using the "load" hack in the resource.
Committed-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
Changes made by the SCM-Manager, like those through the editor and pull requests, now more accurately define the committer on the underlying changeset.
Committed-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
The validation for branch and tag names has been
too limited. This led to errors in the frontend for
branches that had been created using the
cli tools for git or hg but were not seen as
valid by SCM-Manager.
To fix this, the patterns to validate branch and
tag names are relaxed and relate to the git
rules (https://git-scm.com/docs/git-check-ref-format).
Because these rules could not be expressed
using regular expressions alone, in addition
possible exceptions will be handled in the
git branch and tag commands.
Committed-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
Co-authored-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
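As an added example (not the project's implementation), a hypothetical validator that encodes the rules of git-check-ref-format referenced above, so that a name rejected here is one git itself would refuse. The per-component checks (leading "." and trailing ".lock") are the part that is awkward to express in a single regular expression; cases the rules below do not cover are, as the commit says, left to the exceptions raised by the git commands.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical validator (not SCM-Manager's code) for branch and tag names,
 * following https://git-scm.com/docs/git-check-ref-format. Names are checked
 * as the part after "refs/heads/" or "refs/tags/", so single components
 * like "main" are allowed.
 */
public final class GitRefNameValidator {

  // Characters git forbids anywhere in a ref name:
  // ASCII control characters, space, DEL, ~ ^ : ? * [ and backslash.
  private static final Pattern FORBIDDEN_CHARS =
      Pattern.compile("[\\x00-\\x20\\x7F~^:?*\\[\\\\]");

  private GitRefNameValidator() {}

  public static boolean isValid(String name) {
    if (name == null || name.isEmpty() || name.equals("@")) {
      return false;                       // empty name or the single "@"
    }
    if (FORBIDDEN_CHARS.matcher(name).find()) {
      return false;                       // forbidden character anywhere
    }
    if (name.contains("..") || name.contains("@{") || name.contains("//")) {
      return false;                       // "..", "@{" and "//" are never allowed
    }
    if (name.startsWith("/") || name.endsWith("/") || name.endsWith(".")) {
      return false;                       // no leading/trailing slash, no trailing dot
    }
    // Rules that apply to each slash-separated component individually.
    for (String component : name.split("/", -1)) {
      if (component.startsWith(".") || component.endsWith(".lock")) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    // Constructed sample names: the first three are valid, the rest are not.
    String[] samples = {"main", "feature/login-fix", "release/v2.0",
        "feature/.hidden", "bad.lock", "a..b", "tag with space", "@", "x/"};
    for (String sample : samples) {
      System.out.println(sample + " -> " + isValid(sample));
    }
  }
}
```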