From a5d0246fff8e95ed750d44b8a2d1c633e0fc9ef3 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Mon, 19 Jun 2023 00:10:44 +0800
Subject: [PATCH] Avoid polluting the config (#25345)

Caught by #25330

Co-authored-by: Giteabot <teabot@gitea.io>
---
 modules/setting/mirror.go  |  2 +-
 modules/setting/oauth2.go  | 24 +++++++++++++-----------
 modules/setting/setting.go |  2 +-
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/modules/setting/mirror.go b/modules/setting/mirror.go
index cd6b8d4562..3aa530a1f4 100644
--- a/modules/setting/mirror.go
+++ b/modules/setting/mirror.go
@@ -30,7 +30,7 @@ func loadMirrorFrom(rootCfg ConfigProvider) {
 	// DEPRECATED should not be removed because users maybe upgrade from lower version to the latest version
 	// if these are removed, the warning will not be shown
 	deprecatedSetting(rootCfg, "repository", "DISABLE_MIRRORS", "mirror", "ENABLED", "v1.19.0")
-	if rootCfg.Section("repository").Key("DISABLE_MIRRORS").MustBool(false) {
+	if ConfigSectionKeyBool(rootCfg.Section("repository"), "DISABLE_MIRRORS") {
 		Mirror.DisableNewPull = true
 	}
 
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 4dab468c10..836a2bb25f 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -120,18 +120,20 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 		OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
 	}
 
-	key := make([]byte, 32)
-	n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64))
-	if err != nil || n != 32 {
-		key, err = generate.NewJwtSecret()
-		if err != nil {
-			log.Fatal("error generating JWT secret: %v", err)
-		}
+	if InstallLock {
+		key := make([]byte, 32)
+		n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64))
+		if err != nil || n != 32 {
+			key, err = generate.NewJwtSecret()
+			if err != nil {
+				log.Fatal("error generating JWT secret: %v", err)
+			}
 
-		secretBase64 := base64.RawURLEncoding.EncodeToString(key)
-		rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
-		if err := rootCfg.Save(); err != nil {
-			log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
+			secretBase64 := base64.RawURLEncoding.EncodeToString(key)
+			rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
+			if err := rootCfg.Save(); err != nil {
+				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
+			}
 		}
 	}
 }
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 293333a95b..539eb4b197 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -262,7 +262,7 @@ func loadRunModeFrom(rootCfg ConfigProvider) {
 	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())
 	// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
-	unsafeAllowRunAsRoot := rootSec.Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
+	unsafeAllowRunAsRoot := ConfigSectionKeyBool(rootSec, "I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")
 	RunMode = os.Getenv("GITEA_RUN_MODE")
 	if RunMode == "" {
 		RunMode = rootSec.Key("RUN_MODE").MustString("prod")