- 28 Sep, 2017 1 commit
  - Markus Koller authored
- 26 Sep, 2017 1 commit
  - Tiago Botelho authored
- 18 Sep, 2017 1 commit
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 05 Sep, 2017 2 commits
  - Robert Schilling authored
  - Robert Schilling authored
- 28 Aug, 2017 1 commit
  - Robert Schilling authored
- 11 Aug, 2017 1 commit
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 01 Aug, 2017 1 commit
  - Lin Jen-Shin (godfat) authored
- 25 Jul, 2017 1 commit
  - Lin Jen-Shin authored
- 12 Jul, 2017 1 commit
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 11 Jul, 2017 1 commit
  - Paul Charlton authored
- 07 Jul, 2017 3 commits
  - James Lopez authored
  - James Lopez authored
  - James Lopez authored
- 05 Jul, 2017 1 commit
  - Timothy Andrew authored
    - The `/users` and `/users/:id` APIs are now accessible without authentication (!12445), and so scopes are not relevant for these endpoints.
    - Previously, we were testing our scope declaration against these two methods. This commit moves these tests to other `GET` user endpoints which still require authentication.
- 04 Jul, 2017 1 commit
  - Timothy Andrew authored
    - Rather than using an explicit check to turn off authentication for the `/users` endpoint, simply call `authenticate_non_get!`.
    - All `GET` endpoints we wish to restrict already call `authenticated_as_admin!`, and so remain inaccessible to anonymous users.
    - This _does_ open up the `/users/:id` endpoint to anonymous access. It contains the same access check that `/users` uses, and so is safe for use here.
    - More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
- 30 Jun, 2017 1 commit
  - Timothy Andrew authored
    - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted.
    - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed.
    - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description.
    - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE.
- 28 Jun, 2017 3 commits
  - Timothy Andrew authored
    - Test `GET` endpoints to check that the scope is allowed.
    - Test `POST` endpoints to check that the scope is disallowed.
    - Test both `v3` and `v4` endpoints.
  - Timothy Andrew authored
    - Scope declarations of the form `allow_access_with_scope :read_user, if: -> (request) { request.get? }` will only apply for `GET` requests.
    - Add a negative test to a `POST` endpoint in the `users` API to test this. Also test for this case in the `AccessTokenValidationService` unit tests.
  - Timothy Andrew authored
    - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint, code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users`, since the `API::API` `before` block runs first.
    - This commit moves these declarations to the class level, since they don't need to change once set.
- 26 Jun, 2017 1 commit
  - Timothy Andrew authored
    - The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username.
    - We don't authenticate this API anymore, but instead, if the `current_user` is not present:
      - Verify that the `username` parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The `UsersFinder` class performs an exact match on the `username`, so we are guaranteed to get 0 or 1 users.
      - Verify that the resulting user (if any) is accessible to be viewed publicly by calling `can?(current_user, :read_user, user)`.
- 23 Jun, 2017 3 commits
  - James Lopez authored
  - James Lopez authored
  - James Lopez authored
- 21 Jun, 2017 1 commit
  - Grzegorz Bizon authored
- 20 Jun, 2017 1 commit
  - Mike Ricketts authored
- 16 Jun, 2017 1 commit
  - vanadium23 authored
- 14 Jun, 2017 1 commit
  - Robert Speicher authored
- 06 Jun, 2017 2 commits
  - Mark Fletcher authored
    * Meld the following disparate endpoints:
      * `/projects/:id/events`
      * `/events`
      * `/users/:id/events`
    + Add result filtering to the above endpoints:
      * action
      * target_type
      * before and after dates
- 02 Jun, 2017 1 commit
  - Nick Thomas authored
- 24 May, 2017 3 commits
  - Douwe Maan authored
    This reverts commit b0498c17
  - Douwe Maan authored
  - Douwe Maan authored
- 25 Apr, 2017 1 commit
  - Timothy Andrew authored
    - To prevent an attacker from enumerating the `/users` API to get a list of all the admins.
    - Display the `is_admin?` flag wherever we display the `private_token`; at the moment, there are two instances:
      - When an admin uses `sudo` to view the `/user` endpoint
      - When logging in using the `/session` endpoint
- 21 Apr, 2017 1 commit
  - Jacopo authored
    Removed all the unnecessary includes of `WaitForAjax` and `ApiHelpers` in the specs. Removed unnecessary usage of `api:true`.
- 18 Apr, 2017 1 commit
  - Robin Bobbitt authored
- 14 Apr, 2017 2 commits
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Sean McGivern authored
    CE port of https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/962
- 02 Apr, 2017 1 commit
  - Stan Hu authored