Merge remote-tracking branch 'upstream/master' into 8998_skip_pending_commits_if_not_head

* upstream/master: (64 commits) Merge branch 'open-redirect-fix-continue-to' into 'security' Merge branch 'open-redirect-host-fix' into 'security' Merge branch 'path-disclosure-proj-import-export' into 'security' Merge branch '29364-private-projects-mr-fix' Merge branch '30125-markdown-security' Issue title realtime Update CHANGELOG.md for 8.16.9 Update CHANGELOG.md for 8.17.5 Update CHANGELOG.md for 9.0.4 Add "search" optional param and docs for V4 Use PDFLab to render PDFs in GitLab Separate Scala from Java in CI examples Fix broken link Reorganize CI examples, add more links Refactor CI index page Remove deprecated field from workhorse response Use gitlab-workhorse 1.4.3 Document how ETag caching middleware handles query parameters Make group skip validation in the frontend Use NamespaceValidator::WILDCARD_ROUTES in ETag caching middleware ...
author: Lin Jen-Shin <godfat@godfat.org> 2017-04-06 14:34:52 +0800
committer: Lin Jen-Shin <godfat@godfat.org> 2017-04-06 14:34:52 +0800
commit: ec3a50f1f2065f185106fd19fcbb64aac38b6f2d (patch)
tree: 0840772fa6ae7184521e4f9f1f697662d9f9029f /app/controllers
parent: f7014cd5bc776f9829818e535baf9db70387a416 (diff)
parent: aaa49c2c4e9473726814e3ce183c2e3e4072d64b (diff)
download: gitlab-ce-ec3a50f1f2065f185106fd19fcbb64aac38b6f2d.tar.gz
6 files changed, 31 insertions, 14 deletions
diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb
index 0a995c45bdf..eb3a623acdd 100644
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams
 
     continue_params = continue_params.permit(:to, :notice, :notice_now)
     return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')
 
     continue_params
   end
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index 498690e8f11..4d7d45787fc 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -7,7 +7,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
     @sort = params[:sort]
     @todos = @todos.page(params[:page])
     if @todos.out_of_range? && @todos.total_pages != 0
-      redirect_to url_for(params.merge(page: @todos.total_pages))
+      redirect_to url_for(params.merge(page: @todos.total_pages, only_path: true))
     end
   end
 
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index c411c21bb80..8b69c18d689 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -10,6 +10,7 @@ class Groups::ApplicationController < ApplicationController
     unless @group
       id = params[:group_id] || params[:id]
       @group = Group.find_by_full_path(id)
+      @group_merge_requests = MergeRequestsFinder.new(current_user, group_id: @group.id).execute
 
       unless @group && can?(current_user, :read_group, @group)
         @group = nil
diff --git a/app/controllers/import/base_controller.rb b/app/controllers/import/base_controller.rb
index eeee027ef2d..9de0297ecfd 100644
--- a/app/controllers/import/base_controller.rb
+++ b/app/controllers/import/base_controller.rb
@@ -1,17 +1,27 @@
 class Import::BaseController < ApplicationController
   private
 
-  def find_or_create_namespace(name, owner)
-    return current_user.namespace if name == owner
+  def find_or_create_namespace(names, owner)
+    return current_user.namespace if names == owner
     return current_user.namespace unless current_user.can_create_group?
 
-    begin
-      name = params[:target_namespace].presence || name
-      namespace = Group.create!(name: name, path: name, owner: current_user)
-      namespace.add_owner(current_user)
-      namespace
-    rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
-      Namespace.find_by_full_path(name)
+    names = params[:target_namespace].presence || names
+    full_path_namespace = Namespace.find_by_full_path(names)
+
+    return full_path_namespace if full_path_namespace
+
+    names.split('/').inject(nil) do |parent, name|
+      begin
+        namespace = Group.create!(name: name,
+                                  path: name,
+                                  owner: current_user,
+                                  parent: parent)
+        namespace.add_owner(current_user)
+
+        namespace
+      rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
+        Namespace.where(parent: parent).find_by_path_or_name(name)
+      end
     end
   end
 end
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index d984e6d3918..a50e16fa4ff 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -11,10 +11,10 @@ class Projects::IssuesController < Projects::ApplicationController
   before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :module_enabled
   before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
-                               :related_branches, :can_create_branch]
+                               :related_branches, :can_create_branch, :rendered_title]
 
   # Allow read any issue
-  before_action :authorize_read_issue!, only: [:show]
+  before_action :authorize_read_issue!, only: [:show, :rendered_title]
 
   # Allow write(create) issue
   before_action :authorize_create_issue!, only: [:new, :create]
@@ -31,7 +31,7 @@ class Projects::IssuesController < Projects::ApplicationController
     @issuable_meta_data = issuable_meta_data(@issues, @collection_type)
 
     if @issues.out_of_range? && @issues.total_pages != 0
-      return redirect_to url_for(params.merge(page: @issues.total_pages))
+      return redirect_to url_for(params.merge(page: @issues.total_pages, only_path: true))
     end
 
     if params[:label_name].present?
@@ -200,6 +200,11 @@ class Projects::IssuesController < Projects::ApplicationController
     end
   end
 
+  def rendered_title
+    Gitlab::PollingInterval.set_header(response, interval: 3_000)
+    render json: { title: view_context.markdown_field(@issue, :title) }
+  end
+
   protected
 
   def issue
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 37e3ac05916..a79d801991a 100755
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -43,7 +43,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     @issuable_meta_data = issuable_meta_data(@merge_requests, @collection_type)
 
     if @merge_requests.out_of_range? && @merge_requests.total_pages != 0
-      return redirect_to url_for(params.merge(page: @merge_requests.total_pages))
+      return redirect_to url_for(params.merge(page: @merge_requests.total_pages, only_path: true))
     end
 
     if params[:label_name].present?
author	Lin Jen-Shin <godfat@godfat.org>	2017-04-06 14:34:52 +0800
committer	Lin Jen-Shin <godfat@godfat.org>	2017-04-06 14:34:52 +0800
commit	ec3a50f1f2065f185106fd19fcbb64aac38b6f2d (patch)
tree	0840772fa6ae7184521e4f9f1f697662d9f9029f /app/controllers
parent	f7014cd5bc776f9829818e535baf9db70387a416 (diff)
parent	aaa49c2c4e9473726814e3ce183c2e3e4072d64b (diff)
download	gitlab-ce-ec3a50f1f2065f185106fd19fcbb64aac38b6f2d.tar.gz