- 14 Dec, 2016 8 commits
-
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Filter `incoming_email_token` and `runners_token` parameters Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676 See merge request !2045 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Sean McGivern authored
Issue#visible_to_user moved to IssuesFinder Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637. See merge request !2039 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Fix missing Note access checks in by moving Note#search to updated NoteFinder See merge request !2035 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Sean McGivern authored
API: Memoize the current_user so that the sudo can work properly Closes #25482 See merge request !8017 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 08 Dec, 2016 4 commits
-
-
Alejandro Rodríguez authored
-
Alejandro Rodríguez authored
[ci skip]
-
Douwe Maan authored
Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin. Closes #24537 See merge request !7615 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Sean McGivern authored
Make the `downtime_check` task happy See merge request !7845 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 07 Dec, 2016 1 commit
-
-
Douwe Maan authored
Replace MR access checks with use of MergeRequestsFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR?
⚠ - Potentially untested💣 - No test coverage🚥 - Test coverage of some sort exists (a test failed when error raised)🚦 - Test coverage of return value (a test failed when nil used)✅ - Permissions check tested ### MR lookup from project - [x]💣 app/finders/notes_finder.rb:17 - [x]⚠ app/views/layouts/nav/_project.html.haml:80 [`.count`] - [x]💣 app/controllers/concerns/creates_commit.rb:84 - [x]🚥 app/controllers/projects/commits_controller.rb:24 - [x]🚥 app/controllers/projects/compare_controller.rb:56 - [x]🚦 app/controllers/projects/discussions_controller.rb:29 - [x]✅ app/controllers/projects/todos_controller.rb:27 - [x]🚦 app/models/commit.rb:268 - [x]✅ lib/gitlab/search_results.rb:71 ### Previous discussions - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)` - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`. - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?` See merge request !2033
-
- 02 Dec, 2016 4 commits
-
-
Alejandro Rodríguez authored
-
Alejandro Rodríguez authored
[ci skip]
-
Sean McGivern authored
Create tag after running pre-hooks and pass updated SHA to post-hooks Closes #24813 See merge request !7700 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Ensure state param has a valid value when filtering issuables. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064 This fix makes sure we only call safe methods on issuable when filtering by state. See merge request !2038
-
- 28 Nov, 2016 2 commits
-
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
- 25 Nov, 2016 1 commit
-
-
Robert Speicher authored
Update grape-entity to 0.6.0 See merge request !7491 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 24 Nov, 2016 5 commits
-
-
Douwe Maan authored
Replace issue access checks with use of IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
⚠ - Potentially untested💣 - No test coverage🚥 - Test coverage of some sort exists (a test failed when error raised)🚦 - Test coverage of return value (a test failed when nil used)✅ - Permissions check tested Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells). - [x]🚦 app/finders/notes_finder.rb:15 [`visible_to_user`] - [x]🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`] - [x]✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`] - [x]✅ lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone - [x]✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too? - [x]✅ lib/gitlab/search_results.rb:53 [`visible_to_user`] - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126 - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87 See merge request !2031 Signed-off-by: Rémy Coutable <remy@rymai.me> -
Douwe Maan authored
Fix missing access checks on issue lookup using IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR?
⚠ - Potentially untested💣 - No test coverage🚥 - Test coverage of some sort exists (a test failed when error raised)🚦 - Test coverage of return value (a test failed when nil used)✅ - Permissions check tested ### Issue lookup without access check (security) - [x]✅ app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc. - [x]🚥 app/models/cycle_analytics/summary.rb:9 [`.count`] - [x]✅ app/controllers/projects/todos_controller.rb:19 ### Code smells - [x] Potential double render in app/controllers/projects/todos_controller.rb ### Previous discussions - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24 See merge request !2030 -
Douwe Maan authored
Fix information disclosure in `Projects::BlobController#update` ## What does this MR do? It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that. ## Does this MR meet the acceptance criteria? - [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added - Tests - [x] Added for this feature/bug - [ ] All builds are passing - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html) - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) ## What are the relevant issue numbers? https://gitlab.com/gitlab-org/gitlab-ce/issues/22869 See merge request !2023 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Fix label creation non members Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416 See merge request !2006
-
Douwe Maan authored
500 error on project show when user is not logged in and project is still empty ## What does this MR do? Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show ## Screenshots (if relevant) When the project is empty and the user is not logged in we default to the empty project partial instead of readme. ![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png) ## Does this MR meet the acceptance criteria? - [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added - [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) - [x] API support added - Tests - [x] Added for this feature/bug - [x] All builds are passing - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html) - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if it does - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) ## What are the relevant issue numbers? Closes #23990 See merge request !7376
-
- 22 Nov, 2016 2 commits
-
-
Achilleas Pipinellis authored
Backport JIRA api docs to 8-13-stable We need to backport the JIRA API docs that were until recently on master to 8-13-stable also. With 8.14 we simplified the way JIRA is configured and we need a link to point to the old docs. https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471 See merge request !7677
-
Achilleas Pipinellis authored
[ci skip]
-
- 17 Nov, 2016 6 commits
-
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
Robert Speicher authored
Allow commit note to be visible if repo is visible ## What does this MR do? It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes. Closes #23824 See merge request !7504
-
Sean McGivern authored
Limit labels returned for a specific project as an administrator Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527 See merge request !7496
-
- 16 Nov, 2016 1 commit
-
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 15 Nov, 2016 6 commits
-
-
Douwe Maan authored
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController` ## What does this MR do? Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController` It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only). cc @stanhu @ahanselka ## Why was this MR needed? Errors shown here: gitlab-org/gitlab-ce#24392 Discovered thanks to gitlab-com/infrastructure#302 ## What are the relevant issue numbers? Fixes #24392 Fixes gitlab-com/support-forum#1280 See merge request !7417
-
Sean McGivern authored
Ensure labels are loaded for all "show" methods of MR Controller Closes #24397 See merge request !7416
-
Rémy Coutable authored
Fix cache for commit status in commits list to respect branches Fix cache for commit status in commits list to respect branches Closes #24324 See merge request !7372
-
Robert Speicher authored
Clicking "force remove source branch" label now toggles the checkbox again We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]` in order to fix the checkbox toggling when the associated label is clicked. The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311. See merge request !7356
-
Yorick Peterse authored
Split out markdown cache storage into a separate method See merge request !7277
-
Sean McGivern authored
Fix no "Register" tab if ldap auth is enabled (#24038) Closes #24038 See merge request !7274
-