Commit
4724afa0
authored
Jan 15, 2019
by
Jasper Maes
Actually set raise_on_unfiltered_parameters to true
parent
c46b8e96
Changes
7
Showing
7 changed files
with
28 additions
and
7 deletions
+28
-7
app/controllers/projects/lfs_locks_api_controller.rb
app/controllers/projects/lfs_locks_api_controller.rb
+7
-3
app/helpers/members_helper.rb
app/helpers/members_helper.rb
+1
-1
app/services/projects/create_from_template_service.rb
app/services/projects/create_from_template_service.rb
+1
-1
changelogs/unreleased/raise-on-unfiltered-params.yml
changelogs/unreleased/raise-on-unfiltered-params.yml
+5
-0
config/application.rb
config/application.rb
+3
-0
config/initializers/new_framework_defaults.rb
config/initializers/new_framework_defaults.rb
+0
-2
spec/requests/lfs_locks_api_spec.rb
spec/requests/lfs_locks_api_spec.rb
+11
-0
app/controllers/projects/lfs_locks_api_controller.rb
...
@@ -4,19 +4,19 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
...
@@ -4,19 +4,19 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
include
LfsRequest
include
LfsRequest
def
create
def
create
@result
=
Lfs
::
LockFileService
.
new
(
project
,
user
,
params
).
execute
@result
=
Lfs
::
LockFileService
.
new
(
project
,
user
,
lfs_
params
).
execute
render_json
(
@result
[
:lock
])
render_json
(
@result
[
:lock
])
end
end
def
unlock
def
unlock
@result
=
Lfs
::
UnlockFileService
.
new
(
project
,
user
,
params
).
execute
@result
=
Lfs
::
UnlockFileService
.
new
(
project
,
user
,
lfs_
params
).
execute
render_json
(
@result
[
:lock
])
render_json
(
@result
[
:lock
])
end
end
def
index
def
index
@result
=
Lfs
::
LocksFinderService
.
new
(
project
,
user
,
params
).
execute
@result
=
Lfs
::
LocksFinderService
.
new
(
project
,
user
,
lfs_
params
).
execute
render_json
(
@result
[
:locks
])
render_json
(
@result
[
:locks
])
end
end
...
@@ -69,4 +69,8 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
...
@@ -69,4 +69,8 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
def
upload_request?
def
upload_request?
%w(create unlock verify)
.
include?
(
params
[
:action
])
%w(create unlock verify)
.
include?
(
params
[
:action
])
end
end
def
lfs_params
params
.
permit
(
:id
,
:path
,
:force
)
end
end
end
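Review bot: `lfs_params` in the second hunk silently drops every request key other than id, path and force, so if Lfs::LocksFinderService or the lock/unlock services read any other key from the hash they used to receive, that value now arrives as nil without any error; the allow-list looks right for the create, unlock and index calls shown, but I cannot confirm it against the services from here. A one-line comment above the method would make the intent explicit, e.g. `# Allow-list of the request keys the Lfs services read; anything else is dropped.`. The method is placed after `upload_request?`, which I assume sits below a `private` marker; if not, `lfs_params` becomes a public controller method and should be moved under one. The enclosing class continues outside both hunks.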
app/helpers/members_helper.rb
...
@@ -32,7 +32,7 @@ module MembersHelper
...
@@ -32,7 +32,7 @@ module MembersHelper
end
end
def
filter_group_project_member_path
(
options
=
{})
def
filter_group_project_member_path
(
options
=
{})
options
=
params
.
slice
(
:search
,
:sort
).
merge
(
options
)
options
=
params
.
slice
(
:search
,
:sort
).
merge
(
options
)
.
permit!
"
#{
request
.
path
}
?
#{
options
.
to_param
}
"
"
#{
request
.
path
}
?
#{
options
.
to_param
}
"
end
end
end
end
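Review bot: `permit!` on the merged options in `filter_group_project_member_path` marks every key as permitted, including whatever a caller passes in `options`, when the narrower `params.permit(:search, :sort)` already returns a permitted Parameters object and `merge` inherits that permitted state. `options = params.permit(:search, :sort).merge(options)` would keep `to_param` working without the blanket permit, assuming search and sort are scalar values (permit drops non-scalar values where slice keeps them). The result only feeds `to_param` here, so nothing is mass-assigned from it, but the narrower form also documents which keys the helper expects.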
app/services/projects/create_from_template_service.rb
...
@@ -5,7 +5,7 @@ module Projects
...
@@ -5,7 +5,7 @@ module Projects
include
Gitlab
::
Utils
::
StrongMemoize
include
Gitlab
::
Utils
::
StrongMemoize
def
initialize
(
user
,
params
)
def
initialize
(
user
,
params
)
@current_user
,
@params
=
user
,
params
.
dup
@current_user
,
@params
=
user
,
params
.
to_h
.
dup
end
end
def
execute
def
execute
...
...
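Review bot: `params.to_h.dup` in `initialize` now raises for an unpermitted Parameters object (the behaviour this commit turns on) and the two accepted input types end up with different key semantics: a Parameters object becomes a HashWithIndifferentAccess, while a plain Hash keeps its original string or symbol keys. Unless every caller already passes indifferent-access hashes, `@params = params.to_h.with_indifferent_access` would normalise both cases and make the `dup` unnecessary, since `with_indifferent_access` returns a new hash; I cannot see how `@params` is indexed from here, so treat this as something to confirm. A comment such as `# params must be a plain Hash or already-permitted Parameters; to_h raises on unfiltered Parameters` would record the new precondition for callers. `execute` begins at the end of the hunk and continues outside it.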
changelogs/unreleased/raise-on-unfiltered-params.yml
0 → 100644
---
title
:
Actually set raise_on_unfiltered_parameters to
true
merge_request
:
24443
author
:
Jasper Maes
type
:
other
config/application.rb
...
@@ -162,6 +162,9 @@ module Gitlab
...
@@ -162,6 +162,9 @@ module Gitlab
config
.
action_view
.
sanitized_allowed_protocols
=
%w(smb)
config
.
action_view
.
sanitized_allowed_protocols
=
%w(smb)
# Can be removed once upgraded to Rails 5.1 or higher
config
.
action_controller
.
raise_on_unfiltered_parameters
=
true
# Nokogiri is significantly faster and uses less memory than REXML
# Nokogiri is significantly faster and uses less memory than REXML
ActiveSupport
::
XmlMini
.
backend
=
'Nokogiri'
ActiveSupport
::
XmlMini
.
backend
=
'Nokogiri'
...
...
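Review bot: The comment above the new `raise_on_unfiltered_parameters` line says when the setting can be removed but not why it has moved out of config/initializers/new_framework_defaults.rb, which is the part a future maintainer is most likely to undo by moving it back. If the reason is that the ActionController railtie copies this option during framework initialization, before the app's config/initializers run, the comment should say so, e.g. `# Must be set here rather than in config/initializers: the option is read during framework init.` followed by the existing removal note; I am inferring that reason from the commit title and cannot confirm it from the hunk.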
config/initializers/new_framework_defaults.rb
...
@@ -8,8 +8,6 @@
...
@@ -8,8 +8,6 @@
#
#
# Read the Guide for Upgrading Ruby on Rails for more info on each option.
# Read the Guide for Upgrading Ruby on Rails for more info on each option.
Rails
.
application
.
config
.
action_controller
.
raise_on_unfiltered_parameters
=
true
# Enable per-form CSRF tokens. Previous versions had false.
# Enable per-form CSRF tokens. Previous versions had false.
Rails
.
application
.
config
.
action_controller
.
per_form_csrf_tokens
=
false
Rails
.
application
.
config
.
action_controller
.
per_form_csrf_tokens
=
false
...
...
spec/requests/lfs_locks_api_spec.rb
...
@@ -132,6 +132,17 @@ describe 'Git LFS File Locking API' do
...
@@ -132,6 +132,17 @@ describe 'Git LFS File Locking API' do
expect
(
json_response
[
'lock'
].
keys
).
to
match_array
(
%w(id path locked_at owner)
)
expect
(
json_response
[
'lock'
].
keys
).
to
match_array
(
%w(id path locked_at owner)
)
end
end
context
'when a maintainer uses force'
do
let
(
:authorization
)
{
authorize_user
(
maintainer
)
}
it
'deletes the lock'
do
project
.
add_maintainer
(
maintainer
)
post_lfs_json
url
,
{
force:
true
},
headers
expect
(
response
).
to
have_gitlab_http_status
(
200
)
end
end
end
end
end
end
...
...
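Review bot: The new example 'deletes the lock' asserts only on the status code, which shows neither that the lock was removed nor what the response body contains, so the example name claims more than it checks. Mirroring the assertion the preceding example makes on the body, `expect(json_response['lock'].keys).to match_array(%w(id path locked_at owner))`, or asserting that the lock record no longer exists afterwards, would tie the example to the forced-unlock behaviour it is named for. The `maintainer` and `url` helpers are defined outside the hunk, and the enclosing `describe` block continues past it.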