An error occurred fetching the project authors.
  1. 01 Sep, 2016 1 commit
  2. 24 Aug, 2016 1 commit
  3. 17 Aug, 2016 1 commit
  4. 12 Aug, 2016 1 commit
  5. 09 Aug, 2016 1 commit
  6. 04 Aug, 2016 1 commit
  7. 02 Aug, 2016 1 commit
  8. 19 Jul, 2016 1 commit
  9. 18 Jul, 2016 4 commits
  10. 15 Jul, 2016 1 commit
  11. 12 Jul, 2016 1 commit
  12. 07 Jul, 2016 1 commit
    • Dravere's avatar
      Added setting to set new users by default as external · a0a9494e
      Dravere authored
      As requested by the issue #14508 this adds an option in the application
      settings to set newly registered users by default as external. The
      default setting is set to false to stay backward compatible.
      a0a9494e
  13. 24 Jun, 2016 1 commit
    • Rémy Coutable's avatar
      Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which goes through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      aec3475d
  14. 07 Jun, 2016 8 commits
  15. 06 Jun, 2016 1 commit
    • Timothy Andrew's avatar
      Add a `U2fRegistrations` table/model. · 791cc913
      Timothy Andrew authored
      - To hold registrations from U2F devices, and to authenticate them.
      - Previously, `User#two_factor_enabled` was aliased to the
        `otp_required_for_login` column on `users`.
      - This commit changes things a bit:
          - `User#two_factor_enabled` is not a method anymore
          - `User#two_factor_enabled?` checks both the
            `otp_required_for_login` column, as well as `U2fRegistration`s
          - Change all instances of `User#two_factor_enabled` to
            `User#two_factor_enabled?`
      - Add the `u2f` gem, and implement registration/authentication at the
        model level.
      791cc913
  16. 03 Jun, 2016 2 commits
  17. 28 May, 2016 1 commit
  18. 16 May, 2016 1 commit
  19. 11 May, 2016 1 commit
  20. 10 May, 2016 2 commits
    • Sean McGivern's avatar
      Restrict starred projects to viewable ones · 97424ea5
      Sean McGivern authored
      `User#starred_projects` doesn't perform any visibility checks. This has
      a couple of problems:
      
      1. It assumes a user can always view all of their starred projects in
         perpetuity (project not changed to private, access revoked, etc.).
      2. It assumes that we'll only ever allow a user to star a project they
         can view. This is currently the case, but bugs happen.
      
      Add `User#viewable_starred_projects` to filter the starred projects by
      those the user either has explicit access to, or are public or
      internal. Then use that in all places where we list the user's starred
      projects.
      97424ea5
    • Zeger-Jan van de Weg's avatar
      dccf8a9f
  21. 09 May, 2016 1 commit
  22. 31 Mar, 2016 1 commit
  23. 15 Mar, 2016 1 commit
  24. 13 Mar, 2016 2 commits
  25. 11 Mar, 2016 2 commits
  26. 29 Feb, 2016 1 commit