From 82c3c11053bafeb0d54441f6a1c7310fb6ceb2cc Mon Sep 17 00:00:00 2001 From: Jonathan Miller <1+jmiller@noreply.git.mokoconsulting.tech> Date: Wed, 3 Jun 2026 00:15:06 +0000 Subject: [PATCH 1/2] chore: sync updates.xml 05.15.00 from main [skip ci] --- updates.xml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/updates.xml b/updates.xml index a2c9f97a77..1586f89ad0 100644 --- a/updates.xml +++ b/updates.xml @@ -1,7 +1,7 @@ @@ -87,15 +87,15 @@ mokogitea application site - 05.14.00 - 2026-05-31 - https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable + 05.15.00 + 2026-06-03 + https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable - https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.14.00.zip + https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.15.00.zip - bec4bf5a1a841f8e72d9826451004db5d8afc70144231dfedc7fb01a6695955c + 6b5884978a48db925b3554cc69aaa10cd65fee2bb404dab33c5c30aa3545ca33 stable - https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md + https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md Moko Consulting https://mokoconsulting.tech -- 2.52.0 From 44107d64850688377093a70f10096ae75da602a0 Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Tue, 2 Jun 2026 20:26:17 -0500 Subject: [PATCH 2/2] docs: update CHANGELOG and wiki for v1.26.1-moko.06.02.00 final Changelog: comprehensive entry covering all features, security fixes, platform feeds, UI changes, and settings restructure. Wiki: all 7 platform feeds now listed as Production. Revision 1.5 added covering sub-orgs, visibility modes, settings pages, and security hardening. Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 42 ++++++++++++++++++++++++++++++++------ wiki/license-management.md | 10 +++++---- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26ff1a9142..11b78462e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,11 +10,11 @@ been added to each release, please refer to the [blog](https://blog.gitea.com). * Package archiving with soft-delete and collapsible archived section * Search keys by customer, domain, key number, email, or payment ref * Download gating (none/prerelease/all modes) - * Feed visibility (public/no-download/hidden modes) * Domain lock grace period (DomainLockHours) * RepoScope enforcement — packages scoped to specific repos + * Configurable license key prefix per organization + * Manual release-to-stream mapping with UI selector * Joomla changelog XML endpoint (/changelog.xml) - * WordPress PUC-compatible update feed (/updates/wordpress.json) * SHA256 checksums from sidecar files in Joomla updates.xml * Joomla-standard tag values (dev/alpha/beta/rc/stable) * Double confirmation modals for permanent deletion @@ -23,12 +23,42 @@ been added to each release, please refer to the [blog](https://blog.gitea.com). * API: package CRUD, key revoke, key renew, settings GET/PUT * API: purchase webhook with PaymentRef idempotency * API: public validation endpoint (no auth) - * Migration v340: all new columns synced - * feat(updates): infourl defaults to release listing page + * Migration v340-v342: all new columns synced + * feat(updates): 7 platform update feeds + * Joomla XML with downloadkey, SHA256, changelog URL + * Dolibarr JSON with channel filtering + * WordPress PUC-compatible JSON (plugin-update-checker) + * Composer packages.json + * PrestaShop module update XML + * Drupal update status XML + * WHMCS module update JSON + * feat(updates): feed always public — downloads gated separately + * feat(updates): stream-name tags supported alongside version tags + * feat(updates): version extraction via regex from release titles + * feat(updates): infourl defaults to release listing / support URL * feat(updates): downloadkey prefix matches Akeeba pattern (dlid=) + * feat(orgs): enterprise sub-org hierarchy with parent-child relationships + * feat(repos): three-level visibility — Public (200), Private (403), Hidden (404) + * feat(settings): separate licensing settings page (/settings/licensing) + * feat(settings): advanced settings on dedicated page (/settings/advanced) + * feat(settings): section headers with dividers and icons + * feat(ui): icons on all settings navbars (repo, org, user, admin) + * feat(ui): styled 403 Access Denied page with inline login form + * feat(ui): open-in-new-tab button on feed URLs +* SECURITY + * fix(security): ownership guards on all API handlers (cross-org prevention) + * fix(security): RepoScope JSON parsing (substring matching bug) + * fix(security): CSRF tokens in delete confirmation modals + * fix(security): XSS escaping in WordPress changelog HTML + * fix(security): require login for licenses and actions pages + * fix(security): 403 for all users on private repos (not 404) + * fix(security): licensed private repos allow release viewing for signed-in users + * fix(security): anonymous download access respects download_gating setting +* FIXES * fix(licenses): expanded delete permissions to org owners + site admins - * fix(licenses): no-download mode shows release notes but hides files - * fix(licenses): releases require login in hidden feed visibility mode + * fix(licenses): explicit xorm column names for UpdateStreamConfig fields + * fix(licenses): feed always public when licensing enabled + * fix(build): permanent fixes for AI migration, feed/file.go, unused imports ## [v1.26.1-moko.05.15.00] - 2026-05-31 diff --git a/wiki/license-management.md b/wiki/license-management.md index 4ce58f6baf..2a30fe856b 100644 --- a/wiki/license-management.md +++ b/wiki/license-management.md @@ -426,10 +426,11 @@ The update feed system currently supports: | **Joomla** | `/{repo}/updates.xml` | XML with `` | Production | | **Dolibarr** | `/{repo}/updates/dolibarr.json` | JSON | Production | | **WordPress** | `/{repo}/updates/wordpress.json` | PUC-compatible JSON | Production | -| **Drupal** | Planned | XML/JSON | Planned (#353) | -| **PrestaShop** | Planned | XML | Planned (#352) | -| **Composer** | Planned | packages.json | Planned (#354) | -| **WHMCS** | Planned | Custom | Planned (#355) | +| **Composer** | `/{repo}/updates/packages.json` | packages.json | Production | +| **PrestaShop** | `/{repo}/updates/prestashop.xml` | Module update XML | Production | +| **Drupal** | `/{repo}/updates/drupal.xml` | Update status XML | Production | +| **WHMCS** | `/{repo}/updates/whmcs.json` | Module update JSON | Production | +| **Changelog** | `/{repo}/changelog.xml` | Joomla changelog XML | Production | All platforms share the same licensing backend — the same keys, packages, and validation work across all feed formats. @@ -444,3 +445,4 @@ All platforms share the same licensing backend — the same keys, packages, and | 1.2 | 2026-05-31 | Jonathan Miller (@jmiller) | Add permissions (TypeLicenses unit), renewal, auto-domain, custom keys, UI/UX cleanup | | 1.3 | 2026-06-01 | Jonathan Miller (@jmiller) | Add package archiving, expanded delete permissions, migration v340, API renew, step-by-step guides | | 1.4 | 2026-06-02 | Jonathan Miller (@jmiller) | WordPress feed, feed visibility modes, download gating, RepoScope enforcement, API package CRUD, settings API, combolist channel picker, double confirmation modals, extension metadata in repo settings, domain lock timer, Joomla-standard tags, SHA256 in XML, changelog XML, no-download release page mode | +| 1.5 | 2026-06-02 | Jonathan Miller (@jmiller) | All 7 platform feeds (Composer, PrestaShop, Drupal, WHMCS), enterprise sub-org hierarchy, three-level repo visibility (Public/Private/Hidden), styled 403 page with login form, separate licensing/advanced settings pages, icons on all navbars, manual stream mapping, configurable key prefix, feed always public, xorm column name fixes, security hardening | -- 2.52.0