diff options
Diffstat (limited to 'app/controllers')
56 files changed, 424 insertions, 246 deletions
diff --git a/app/controllers/admin/health_check_controller.rb b/app/controllers/admin/health_check_controller.rb index 25cc241e5b0..7cd80e8b5e1 100644 --- a/app/controllers/admin/health_check_controller.rb +++ b/app/controllers/admin/health_check_controller.rb @@ -2,6 +2,12 @@ class Admin::HealthCheckController < Admin::ApplicationController def show - @errors = HealthCheck::Utils.process_checks(['standard']) + @errors = HealthCheck::Utils.process_checks(checks) + end + + private + + def checks + ['standard'] end end diff --git a/app/controllers/admin/impersonations_controller.rb b/app/controllers/admin/impersonations_controller.rb index 08d7e3b4fa2..65fe22bd8f4 100644 --- a/app/controllers/admin/impersonations_controller.rb +++ b/app/controllers/admin/impersonations_controller.rb @@ -5,23 +5,12 @@ class Admin::ImpersonationsController < Admin::ApplicationController before_action :authenticate_impersonator! def destroy - original_user = current_user - - warden.set_user(impersonator, scope: :user) - - Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{original_user.username}") - - session[:impersonator_id] = nil - + original_user = stop_impersonation redirect_to admin_user_path(original_user), status: :found end private - def impersonator - @impersonator ||= User.find(session[:impersonator_id]) if session[:impersonator_id] - end - def authenticate_impersonator! render_404 unless impersonator && impersonator.admin? && !impersonator.blocked? end diff --git a/app/controllers/admin/requests_profiles_controller.rb b/app/controllers/admin/requests_profiles_controller.rb index 64d74ae4231..57f7d3e3951 100644 --- a/app/controllers/admin/requests_profiles_controller.rb +++ b/app/controllers/admin/requests_profiles_controller.rb @@ -11,7 +11,7 @@ class Admin::RequestsProfilesController < Admin::ApplicationController profile = Gitlab::RequestProfiler::Profile.find(clean_name) if profile - render text: profile.content + render html: profile.content else redirect_to admin_requests_profiles_path, alert: 'Profile not found' end diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index b783c0e2a6f..e93be1c1ba2 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -2,6 +2,7 @@ class Admin::UsersController < Admin::ApplicationController before_action :user, except: [:index, :new, :create] + before_action :check_impersonation_availability, only: :impersonate def index @users = User.order_name_asc.filter(params[:filter]) @@ -227,4 +228,8 @@ class Admin::UsersController < Admin::ApplicationController result[:status] == :success end + + def check_impersonation_availability + access_denied! unless Gitlab.config.gitlab.impersonation_enabled + end end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 9b40ffb26a2..6f0dc2a3a20 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -8,15 +8,11 @@ class ApplicationController < ActionController::Base include GitlabRoutingHelper include PageLayoutHelper include SafeParamsHelper - include SentryHelper include WorkhorseHelper include EnforcesTwoFactorAuthentication include WithPerformanceBar - # this can be removed after switching to rails 5 - # https://gitlab.com/gitlab-org/gitlab-ce/issues/51908 - include InvalidUTF8ErrorHandler unless Gitlab.rails5? + include SessionlessAuthentication - before_action :authenticate_sessionless_user! before_action :authenticate_user! before_action :enforce_terms!, if: :should_enforce_terms? before_action :validate_user_service_ticket! @@ -28,6 +24,7 @@ class ApplicationController < ActionController::Base before_action :configure_permitted_parameters, if: :devise_controller? before_action :require_email, unless: :devise_controller? before_action :set_usage_stats_consent_flag + before_action :check_impersonation_availability around_action :set_locale @@ -128,6 +125,7 @@ class ApplicationController < ActionController::Base payload[:ua] = request.env["HTTP_USER_AGENT"] payload[:remote_ip] = request.remote_ip + payload[Gitlab::CorrelationId::LOG_KEY] = Gitlab::CorrelationId.current_id logged_user = auth_user @@ -153,17 +151,10 @@ class ApplicationController < ActionController::Base end end - # This filter handles personal access tokens, and atom requests with rss tokens - def authenticate_sessionless_user! - user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user - - sessionless_sign_in(user) if user - end - def log_exception(exception) - Raven.capture_exception(exception) if sentry_enabled? + Gitlab::Sentry.track_acceptable_exception(exception) - backtrace_cleaner = Gitlab.rails5? ? request.env["action_dispatch.backtrace_cleaner"] : env + backtrace_cleaner = request.env["action_dispatch.backtrace_cleaner"] application_trace = ActionDispatch::ExceptionWrapper.new(backtrace_cleaner, exception).application_trace application_trace.map! { |t| " #{t}\n" } logger.error "\n#{exception.class.name} (#{exception.message}):\n#{application_trace.join}" @@ -426,25 +417,11 @@ class ApplicationController < ActionController::Base Gitlab::I18n.with_user_locale(current_user, &block) end - def sessionless_sign_in(user) - if user && can?(user, :log_in) - # Notice we are passing store false, so the user is not - # actually stored in the session and a token is needed - # for every request. If you want the token to work as a - # sign in token, you can simply remove store: false. - sign_in(user, store: false, message: :sessionless_sign_in) - end - end - def set_page_title_header # Per https://tools.ietf.org/html/rfc5987, headers need to be ISO-8859-1, not UTF-8 response.headers['Page-Title'] = URI.escape(page_title('GitLab')) end - def sessionless_user? - current_user && !session.keys.include?('warden.user.user.key') - end - def peek_request? request.path.start_with?('/-/peek') end @@ -483,4 +460,32 @@ class ApplicationController < ActionController::Base .new(settings, current_user, application_setting_params) .execute end + + def check_impersonation_availability + return unless session[:impersonator_id] + + unless Gitlab.config.gitlab.impersonation_enabled + stop_impersonation + access_denied! _('Impersonation has been disabled') + end + end + + def stop_impersonation + impersonated_user = current_user + + Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{impersonated_user.username}") + + warden.set_user(impersonator, scope: :user) + session[:impersonator_id] = nil + + impersonated_user + end + + def impersonator + @impersonator ||= User.find(session[:impersonator_id]) if session[:impersonator_id] + end + + def sentry_context + Gitlab::Sentry.context(current_user) + end end diff --git a/app/controllers/boards/issues_controller.rb b/app/controllers/boards/issues_controller.rb index 7f874687212..0dd7500623d 100644 --- a/app/controllers/boards/issues_controller.rb +++ b/app/controllers/boards/issues_controller.rb @@ -100,18 +100,12 @@ module Boards .merge(board_id: params[:board_id], list_id: params[:list_id], request: request) end + def serializer + IssueSerializer.new(current_user: current_user) + end + def serialize_as_json(resource) - resource.as_json( - only: [:id, :iid, :project_id, :title, :confidential, :due_date, :relative_position, :weight], - labels: true, - issue_endpoints: true, - include_full_project_path: board.group_board?, - include: { - project: { only: [:id, :path] }, - assignees: { only: [:id, :name, :username], methods: [:avatar_url] }, - milestone: { only: [:id, :title] } - } - ) + serializer.represent(resource, serializer: 'board', include_full_project_path: board.group_board?) end def whitelist_query_limiting diff --git a/app/controllers/chaos_controller.rb b/app/controllers/chaos_controller.rb index b4f46cddbe9..8d518c14b90 100644 --- a/app/controllers/chaos_controller.rb +++ b/app/controllers/chaos_controller.rb @@ -15,7 +15,7 @@ class ChaosController < ActionController::Base duration_taken = (Time.now - start).seconds Kernel.sleep duration_s - duration_taken if duration_s > duration_taken - render text: "OK", content_type: 'text/plain' + render plain: "OK" end def cpuspin @@ -24,14 +24,14 @@ class ChaosController < ActionController::Base rand while Time.now < end_time - render text: "OK", content_type: 'text/plain' + render plain: "OK" end def sleep duration_s = (params[:duration_s]&.to_i || 30).seconds Kernel.sleep duration_s - render text: "OK", content_type: 'text/plain' + render plain: "OK" end def kill @@ -44,13 +44,13 @@ class ChaosController < ActionController::Base secret = ENV['GITLAB_CHAOS_SECRET'] # GITLAB_CHAOS_SECRET is required unless you're running in Development mode if !secret && !Rails.env.development? - render text: "chaos misconfigured: please configure GITLAB_CHAOS_SECRET when using GITLAB_ENABLE_CHAOS_ENDPOINTS outside of a development environment", content_type: 'text/plain', status: 500 + render plain: "chaos misconfigured: please configure GITLAB_CHAOS_SECRET when using GITLAB_ENABLE_CHAOS_ENDPOINTS outside of a development environment", status: :internal_server_error end return unless secret unless request.headers["HTTP_X_CHAOS_SECRET"] == secret - render text: "To experience chaos, please set X-Chaos-Secret header", content_type: 'text/plain', status: 401 + render plain: "To experience chaos, please set X-Chaos-Secret header", status: :unauthorized end end end diff --git a/app/controllers/clusters/applications_controller.rb b/app/controllers/clusters/applications_controller.rb index 250f42f3096..c4e7fc950f9 100644 --- a/app/controllers/clusters/applications_controller.rb +++ b/app/controllers/clusters/applications_controller.rb @@ -23,6 +23,6 @@ class Clusters::ApplicationsController < Clusters::BaseController end def create_cluster_application_params - params.permit(:application, :hostname) + params.permit(:application, :hostname, :email) end end diff --git a/app/controllers/clusters/clusters_controller.rb b/app/controllers/clusters/clusters_controller.rb index 2e9c77ae55c..b9717b97640 100644 --- a/app/controllers/clusters/clusters_controller.rb +++ b/app/controllers/clusters/clusters_controller.rb @@ -18,8 +18,20 @@ class Clusters::ClustersController < Clusters::BaseController STATUS_POLLING_INTERVAL = 10_000 def index - clusters = ClustersFinder.new(clusterable, current_user, :all).execute - @clusters = clusters.page(params[:page]).per(20) + finder = ClusterAncestorsFinder.new(clusterable.subject, current_user) + clusters = finder.execute + + # Note: We are paginating through an array here but this should OK as: + # + # In CE, we can have a maximum group nesting depth of 21, so including + # project cluster, we can have max 22 clusters for a group hierachy. + # In EE (Premium) we can have any number, as multiple clusters are + # supported, but the number of clusters are fairly low currently. + # + # See https://gitlab.com/gitlab-org/gitlab-ce/issues/55260 also. + @clusters = Kaminari.paginate_array(clusters).page(params[:page]).per(20) + + @has_ancestor_clusters = finder.has_ancestor_clusters? end def new @@ -181,15 +193,15 @@ class Clusters::ClustersController < Clusters::BaseController end def gcp_cluster - @gcp_cluster = ::Clusters::Cluster.new.tap do |cluster| - cluster.build_provider_gcp - end.present(current_user: current_user) + cluster = Clusters::BuildService.new(clusterable.subject).execute + cluster.build_provider_gcp + @gcp_cluster = cluster.present(current_user: current_user) end def user_cluster - @user_cluster = ::Clusters::Cluster.new.tap do |cluster| - cluster.build_platform_kubernetes - end.present(current_user: current_user) + cluster = Clusters::BuildService.new(clusterable.subject).execute + cluster.build_platform_kubernetes + @user_cluster = cluster.present(current_user: current_user) end def validate_gcp_token diff --git a/app/controllers/concerns/invalid_utf8_error_handler.rb b/app/controllers/concerns/invalid_utf8_error_handler.rb deleted file mode 100644 index 44c6d6b0da0..00000000000 --- a/app/controllers/concerns/invalid_utf8_error_handler.rb +++ /dev/null @@ -1,27 +0,0 @@ -# frozen_string_literal: true - -module InvalidUTF8ErrorHandler - extend ActiveSupport::Concern - - included do - rescue_from ArgumentError, with: :handle_invalid_utf8 - end - - private - - def handle_invalid_utf8(error) - if error.message == "invalid byte sequence in UTF-8" - render_412 - else - raise(error) - end - end - - def render_412 - respond_to do |format| - format.html { render "errors/precondition_failed", layout: "errors", status: 412 } - format.js { render json: { error: 'Invalid UTF-8' }, status: :precondition_failed, content_type: 'application/json' } - format.any { head :precondition_failed } - end - end -end diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb index 34a8c50fcbd..789e0dc736e 100644 --- a/app/controllers/concerns/issuable_collections.rb +++ b/app/controllers/concerns/issuable_collections.rb @@ -91,7 +91,7 @@ module IssuableCollections options = { scope: params[:scope], state: params[:state], - sort: set_sort_order_from_cookie || default_sort_order + sort: set_sort_order } # Used by view to highlight active option @@ -102,7 +102,7 @@ module IssuableCollections elsif @group options[:group_id] = @group.id options[:include_subgroups] = true - options[:use_cte_for_search] = true + options[:attempt_group_search_optimizations] = true end params.permit(finder_type.valid_params).merge(options) @@ -113,6 +113,34 @@ module IssuableCollections 'opened' end + def set_sort_order + set_sort_order_from_user_preference || set_sort_order_from_cookie || default_sort_order + end + + def set_sort_order_from_user_preference + return unless current_user + return unless issuable_sorting_field + + user_preference = current_user.user_preference + + sort_param = params[:sort] + sort_param ||= user_preference[issuable_sorting_field] + + return sort_param if Gitlab::Database.read_only? + + if user_preference[issuable_sorting_field] != sort_param + user_preference.update_attribute(issuable_sorting_field, sort_param) + end + + sort_param + end + + # Implement default_sorting_field method on controllers + # to choose which column to store the sorting parameter. + def issuable_sorting_field + nil + end + def set_sort_order_from_cookie sort_param = params[:sort] if params[:sort].present? # fallback to legacy cookie value for backward compatibility @@ -141,12 +169,6 @@ module IssuableCollections case value when 'id_asc' then sort_value_oldest_created when 'id_desc' then sort_value_recently_created - when 'created_asc' then sort_value_created_date - when 'created_desc' then sort_value_created_date - when 'due_date_asc' then sort_value_due_date - when 'due_date_desc' then sort_value_due_date - when 'milestone_due_asc' then sort_value_milestone - when 'milestone_due_desc' then sort_value_milestone when 'downvotes_asc' then sort_value_popularity when 'downvotes_desc' then sort_value_popularity else value diff --git a/app/controllers/concerns/lfs_request.rb b/app/controllers/concerns/lfs_request.rb index 9576eb14fdd..5572c3cee2d 100644 --- a/app/controllers/concerns/lfs_request.rb +++ b/app/controllers/concerns/lfs_request.rb @@ -94,6 +94,7 @@ module LfsRequest def lfs_upload_access? return false unless project.lfs_enabled? return false unless has_authentication_ability?(:push_code) + return false if limit_exceeded? lfs_deploy_token? || can?(user, :push_code, project) end @@ -121,4 +122,9 @@ module LfsRequest def has_authentication_ability?(capability) (authentication_abilities || []).include?(capability) end + + # Overriden in EE + def limit_exceeded? + false + end end diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb index 777b147e2dd..0319948a12f 100644 --- a/app/controllers/concerns/notes_actions.rb +++ b/app/controllers/concerns/notes_actions.rb @@ -6,6 +6,7 @@ module NotesActions extend ActiveSupport::Concern included do + prepend_before_action :normalize_create_params, only: [:create] before_action :set_polling_interval_header, only: [:index] before_action :require_noteable!, only: [:index, :create] before_action :authorize_admin_note!, only: [:update, :destroy] @@ -247,6 +248,15 @@ module NotesActions DiscussionSerializer.new(project: project, noteable: noteable, current_user: current_user, note_entity: ProjectNoteEntity) end + # Avoids checking permissions in the wrong object - this ensures that the object we checked permissions for + # is the object we're actually creating a note in. + def normalize_create_params + params[:note].try do |note| + note[:noteable_id] = params[:target_id] + note[:noteable_type] = params[:target_type].classify + end + end + def note_project strong_memoize(:note_project) do next nil unless project diff --git a/app/controllers/concerns/preview_markdown.rb b/app/controllers/concerns/preview_markdown.rb index c61b9fabe9e..4b0f0b8255c 100644 --- a/app/controllers/concerns/preview_markdown.rb +++ b/app/controllers/concerns/preview_markdown.rb @@ -12,7 +12,7 @@ module PreviewMarkdown when 'wikis' then { pipeline: :wiki, project_wiki: @project_wiki, page_slug: params[:id] } when 'snippets' then { skip_project_check: true } when 'groups' then { group: group } - when 'projects' then { issuable_state_filter_enabled: true } + when 'projects' then projects_filter_params else {} end @@ -22,9 +22,17 @@ module PreviewMarkdown body: view_context.markdown(result[:text], markdown_params), references: { users: result[:users], + suggestions: result[:suggestions], commands: view_context.markdown(result[:commands]) } } end + + def projects_filter_params + { + issuable_state_filter_enabled: true, + suggestions_filter_enabled: params[:preview_suggestions].present? + } + end # rubocop:enable Gitlab/ModuleWithInstanceVariables end diff --git a/app/controllers/concerns/renders_commits.rb b/app/controllers/concerns/renders_commits.rb index f48e0586211..ed9b898a2a3 100644 --- a/app/controllers/concerns/renders_commits.rb +++ b/app/controllers/concerns/renders_commits.rb @@ -26,4 +26,10 @@ module RendersCommits commits end + + def valid_ref?(ref_name) + return true unless ref_name.present? + + Gitlab::GitRefValidator.validate(ref_name) + end end diff --git a/app/controllers/concerns/service_params.rb b/app/controllers/concerns/service_params.rb index 8bd93a349ef..c6ae4fe15bf 100644 --- a/app/controllers/concerns/service_params.rb +++ b/app/controllers/concerns/service_params.rb @@ -70,7 +70,7 @@ module ServiceParams def service_params dynamic_params = @service.event_channel_names + @service.event_names # rubocop:disable Gitlab/ModuleWithInstanceVariables - service_params = params.permit(:id, service: ALLOWED_PARAMS_CE + dynamic_params) + service_params = params.permit(:id, service: allowed_service_params + dynamic_params) if service_params[:service].is_a?(Hash) FILTER_BLANK_PARAMS.each do |param| @@ -80,4 +80,8 @@ module ServiceParams service_params end + + def allowed_service_params + ALLOWED_PARAMS_CE + end end diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb new file mode 100644 index 00000000000..590eefc6dab --- /dev/null +++ b/app/controllers/concerns/sessionless_authentication.rb @@ -0,0 +1,28 @@ +# frozen_string_literal: true + +# == SessionlessAuthentication +# +# Controller concern to handle PAT and RSS token authentication methods +# +module SessionlessAuthentication + # This filter handles personal access tokens, and atom requests with rss tokens + def authenticate_sessionless_user!(request_format) + user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format) + + sessionless_sign_in(user) if user + end + + def sessionless_user? + current_user && !session.keys.include?('warden.user.user.key') + end + + def sessionless_sign_in(user) + if user && can?(user, :log_in) + # Notice we are passing store false, so the user is not + # actually stored in the session and a token is needed + # for every request. If you want the token to work as a + # sign in token, you can simply remove store: false. + sign_in(user, store: false, message: :sessionless_sign_in) + end + end +end diff --git a/app/controllers/concerns/snippets_actions.rb b/app/controllers/concerns/snippets_actions.rb index 8c22490700c..014232a7d05 100644 --- a/app/controllers/concerns/snippets_actions.rb +++ b/app/controllers/concerns/snippets_actions.rb @@ -10,6 +10,8 @@ module SnippetsActions def raw disposition = params[:inline] == 'false' ? 'attachment' : 'inline' + workhorse_set_content_type! + send_data( convert_line_endings(@snippet.content), type: 'text/plain; charset=utf-8', diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb index 7a1c7abfb8f..0eea0cdd50f 100644 --- a/app/controllers/concerns/uploads_actions.rb +++ b/app/controllers/concerns/uploads_actions.rb @@ -1,17 +1,11 @@ # frozen_string_literal: true module UploadsActions - extend ActiveSupport::Concern - include Gitlab::Utils::StrongMemoize include SendFileUpload UPLOAD_MOUNTS = %w(avatar attachment file logo header_logo favicon).freeze - included do - prepend_before_action :set_html_format, only: :show - end - def create link_to_file = UploadService.new(model, params[:file], uploader_class).execute @@ -44,6 +38,7 @@ module UploadsActions return render_404 unless uploader + workhorse_set_content_type! send_upload(uploader, attachment: uploader.filename, disposition: disposition) end @@ -61,13 +56,6 @@ module UploadsActions private - # Explicitly set the format. - # Otherwise rails 5 will set it from a file extension. - # See https://github.com/rails/rails/commit/84e8accd6fb83031e4c27e44925d7596655285f7#diff-2b8f2fbb113b55ca8e16001c393da8f1 - def set_html_format - request.format = :html - end - def uploader_class raise NotImplementedError end diff --git a/app/controllers/dashboard/projects_controller.rb b/app/controllers/dashboard/projects_controller.rb index e9686ed8d06..f073b6de444 100644 --- a/app/controllers/dashboard/projects_controller.rb +++ b/app/controllers/dashboard/projects_controller.rb @@ -4,6 +4,7 @@ class Dashboard::ProjectsController < Dashboard::ApplicationController include ParamsBackwardCompatibility include RendersMemberAccess + prepend_before_action(only: [:index]) { authenticate_sessionless_user!(:rss) } before_action :set_non_archived_param before_action :default_sorting skip_cross_project_access_check :index, :starred @@ -55,7 +56,7 @@ class Dashboard::ProjectsController < Dashboard::ApplicationController projects = ProjectsFinder .new(params: finder_params, current_user: current_user) .execute - .includes(:route, :creator, namespace: [:route, :owner]) + .includes(:route, :creator, :group, namespace: [:route, :owner]) .page(finder_params[:page]) prepare_projects_for_rendering(projects) diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb index b82caf30a91..3fa582cf25b 100644 --- a/app/controllers/dashboard/todos_controller.rb +++ b/app/controllers/dashboard/todos_controller.rb @@ -4,6 +4,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController include ActionView::Helpers::NumberHelper before_action :authorize_read_project!, only: :index + before_action :authorize_read_group!, only: :index before_action :find_todos, only: [:index, :destroy_all] def index @@ -60,6 +61,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController end end + def authorize_read_group! + group_id = params[:group_id] + + if group_id.present? + group = Group.find(group_id) + render_404 unless can?(current_user, :read_group, group) + end + end + def find_todos @todos ||= TodosFinder.new(current_user, todo_params).execute end diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb index 4ce9be44403..be2d9512c01 100644 --- a/app/controllers/dashboard_controller.rb +++ b/app/controllers/dashboard_controller.rb @@ -4,6 +4,9 @@ class DashboardController < Dashboard::ApplicationController include IssuesAction include MergeRequestsAction + prepend_before_action(only: [:issues]) { authenticate_sessionless_user!(:rss) } + prepend_before_action(only: [:issues_calendar]) { authenticate_sessionless_user!(:ics) } + before_action :event_filter, only: :activity before_action :projects, only: [:issues, :merge_requests] before_action :set_show_full_reference, only: [:issues, :merge_requests] diff --git a/app/controllers/explore/projects_controller.rb b/app/controllers/explore/projects_controller.rb index 7ecbc32cf4e..778fdda8dbd 100644 --- a/app/controllers/explore/projects_controller.rb +++ b/app/controllers/explore/projects_controller.rb @@ -57,7 +57,7 @@ class Explore::ProjectsController < Explore::ApplicationController def load_projects projects = ProjectsFinder.new(current_user: current_user, params: params) .execute - .includes(:route, namespace: :route) + .includes(:route, :creator, :group, namespace: [:route, :owner]) .page(params[:page]) .without_count diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index a1ec144410b..3ef03bc9622 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -3,6 +3,7 @@ class GraphqlController < ApplicationController # Unauthenticated users have access to the API for public data skip_before_action :authenticate_user! + prepend_before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } before_action :check_graphql_feature_flag! @@ -42,6 +43,6 @@ class GraphqlController < ApplicationController end def check_graphql_feature_flag! - render_404 unless Feature.enabled?(:graphql) + render_404 unless Gitlab::Graphql.enabled? end end diff --git a/app/controllers/groups/clusters_controller.rb b/app/controllers/groups/clusters_controller.rb index 50c44b7a58b..b846fb21266 100644 --- a/app/controllers/groups/clusters_controller.rb +++ b/app/controllers/groups/clusters_controller.rb @@ -3,8 +3,8 @@ class Groups::ClustersController < Clusters::ClustersController include ControllerWithCrossProjectAccessCheck - prepend_before_action :check_group_clusters_feature_flag! prepend_before_action :group + prepend_before_action :check_group_clusters_feature_flag! requires_cross_project_access layout 'group' @@ -20,6 +20,10 @@ class Groups::ClustersController < Clusters::ClustersController end def check_group_clusters_feature_flag! - render_404 unless Feature.enabled?(:group_clusters) + render_404 unless group_clusters_enabled? + end + + def group_clusters_enabled? + group.group_clusters_enabled? end end diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 062c8c4e9e1..c5d8ac2ed77 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -9,6 +9,9 @@ class GroupsController < Groups::ApplicationController respond_to :html + prepend_before_action(only: [:show, :issues]) { authenticate_sessionless_user!(:rss) } + prepend_before_action(only: [:issues_calendar]) { authenticate_sessionless_user!(:ics) } + before_action :authenticate_user!, only: [:new, :create] before_action :group, except: [:index, :new, :create] diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb index 58565aaf8c9..d4c26fa0709 100644 --- a/app/controllers/import/github_controller.rb +++ b/app/controllers/import/github_controller.rb @@ -7,7 +7,7 @@ class Import::GithubController < Import::BaseController rescue_from Octokit::Unauthorized, with: :provider_unauthorized def new - if logged_in_with_provider? + if github_import_configured? && logged_in_with_provider? go_to_provider_for_permissions elsif session[access_token_key] redirect_to status_import_url diff --git a/app/controllers/metrics_controller.rb b/app/controllers/metrics_controller.rb index 7353be478e1..c2089a0fca3 100644 --- a/app/controllers/metrics_controller.rb +++ b/app/controllers/metrics_controller.rb @@ -15,7 +15,7 @@ class MetricsController < ActionController::Base "# Metrics are disabled, see: #{help_page}\n" end - render text: response, content_type: 'text/plain; version=0.0.4' + render plain: response, content_type: 'text/plain; version=0.0.4' end private diff --git a/app/controllers/notification_settings_controller.rb b/app/controllers/notification_settings_controller.rb index 84dce74ace8..384f308269a 100644 --- a/app/controllers/notification_settings_controller.rb +++ b/app/controllers/notification_settings_controller.rb @@ -16,7 +16,11 @@ class NotificationSettingsController < ApplicationController @notification_setting = current_user.notification_settings.find(params[:id]) @saved = @notification_setting.update(notification_setting_params_for(@notification_setting.source)) - render_response + if params[:hide_label].present? + render_response("projects/buttons/_notifications") + else + render_response + end end private @@ -37,9 +41,9 @@ class NotificationSettingsController < ApplicationController can?(current_user, ability_name, resource) end - def render_response + def render_response(response_template = "shared/notifications/_button") render json: { - html: view_to_html_string("shared/notifications/_button", notification_setting: @notification_setting), + html: view_to_html_string(response_template, notification_setting: @notification_setting), saved: @saved } end diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb index b50f140dc80..ab4ca56bb49 100644 --- a/app/controllers/oauth/applications_controller.rb +++ b/app/controllers/oauth/applications_controller.rb @@ -9,7 +9,7 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController before_action :verify_user_oauth_applications_enabled, except: :index before_action :authenticate_user! before_action :add_gon_variables - before_action :load_scopes, only: [:index, :create, :edit] + before_action :load_scopes, only: [:index, :create, :edit, :update] helper_method :can? diff --git a/app/controllers/profiles/accounts_controller.rb b/app/controllers/profiles/accounts_controller.rb index cb3180f4196..b0d65f284af 100644 --- a/app/controllers/profiles/accounts_controller.rb +++ b/app/controllers/profiles/accounts_controller.rb @@ -4,7 +4,7 @@ class Profiles::AccountsController < Profiles::ApplicationController include AuthHelper def show - @user = current_user + render(locals: show_view_variables) end # rubocop: disable CodeReuse/ActiveRecord @@ -23,4 +23,10 @@ class Profiles::AccountsController < Profiles::ApplicationController redirect_to profile_account_path end # rubocop: enable CodeReuse/ActiveRecord + + private + + def show_view_variables + {} + end end diff --git a/app/controllers/profiles/keys_controller.rb b/app/controllers/profiles/keys_controller.rb index 912421e3d08..055d900eece 100644 --- a/app/controllers/profiles/keys_controller.rb +++ b/app/controllers/profiles/keys_controller.rb @@ -40,13 +40,12 @@ class Profiles::KeysController < Profiles::ApplicationController begin user = UserFinder.new(params[:username]).find_by_username if user.present? - headers['Content-Disposition'] = 'attachment' - render text: user.all_ssh_keys.join("\n"), content_type: 'text/plain' + render plain: user.all_ssh_keys.join("\n") else return render_404 end rescue => e - render text: e.message + render html: e.message end else return render_404 diff --git a/app/controllers/projects/artifacts_controller.rb b/app/controllers/projects/artifacts_controller.rb index ae9c17802b9..1a91e07b97f 100644 --- a/app/controllers/projects/artifacts_controller.rb +++ b/app/controllers/projects/artifacts_controller.rb @@ -9,7 +9,6 @@ class Projects::ArtifactsController < Projects::ApplicationController before_action :authorize_read_build! before_action :authorize_update_build!, only: [:keep] before_action :extract_ref_name_and_path - before_action :set_request_format, only: [:file] before_action :validate_artifacts!, except: [:download] before_action :entry, only: [:file] @@ -110,12 +109,4 @@ class Projects::ArtifactsController < Projects::ApplicationController render_404 unless @entry.exists? end - - def set_request_format - request.format = :html if set_request_format? - end - - def set_request_format? - request.format != :json - end end diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb index 873c96a5523..60fabd15333 100644 --- a/app/controllers/projects/blob_controller.rb +++ b/app/controllers/projects/blob_controller.rb @@ -9,7 +9,6 @@ class Projects::BlobController < Projects::ApplicationController include ActionView::Helpers::SanitizeHelper prepend_before_action :authenticate_user!, only: [:edit] - before_action :set_request_format, only: [:edit, :show, :update, :destroy] before_action :require_non_empty_project, except: [:new, :create] before_action :authorize_download_code! @@ -242,18 +241,6 @@ class Projects::BlobController < Projects::ApplicationController .last_for_path(@repository, @ref, @path).sha end - # In Rails 4.2 if params[:format] is empty, Rails set it to :html - # But since Rails 5.0 the framework now looks for an extension. - # E.g. for `blob/master/CHANGELOG.md` in Rails 4 the format would be `:html`, but in Rails 5 on it'd be `:md` - # This before_action explicitly sets the `:html` format for all requests unless `:format` is set by a client e.g. by JS for XHR requests. - def set_request_format - request.format = :html if set_request_format? - end - - def set_request_format? - params[:id].present? && params[:format].blank? && request.format != "json" - end - def show_html environment_params = @repository.branch_exists?(@ref) ? { ref: @ref } : { commit: @commit } @environment = EnvironmentsFinder.new(@project, current_user, environment_params).execute.last diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb index 95a014d24da..a6bfb913900 100644 --- a/app/controllers/projects/branches_controller.rb +++ b/app/controllers/projects/branches_controller.rb @@ -22,7 +22,7 @@ class Projects::BranchesController < Projects::ApplicationController # Fetch branches for the specified mode fetch_branches_by_mode - @refs_pipelines = @project.pipelines.latest_successful_for_refs(@branches.map(&:name)) + @refs_pipelines = @project.ci_pipelines.latest_successful_for_refs(@branches.map(&:name)) @merged_branch_names = repository.merged_branch_names(@branches.map(&:name)) # n+1: https://gitlab.com/gitlab-org/gitaly/issues/992 diff --git a/app/controllers/projects/commits_controller.rb b/app/controllers/projects/commits_controller.rb index 84a2a461da7..2510a31c9b3 100644 --- a/app/controllers/projects/commits_controller.rb +++ b/app/controllers/projects/commits_controller.rb @@ -6,12 +6,13 @@ class Projects::CommitsController < Projects::ApplicationController include ExtractsPath include RendersCommits + prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) } before_action :whitelist_query_limiting, except: :commits_root before_action :require_non_empty_project before_action :assign_ref_vars, except: :commits_root before_action :authorize_download_code! + before_action :validate_ref!, except: :commits_root before_action :set_commits, except: :commits_root - before_action :set_request_format, only: :show def commits_root redirect_to project_commits_path(@project, @project.default_branch) @@ -54,6 +55,10 @@ class Projects::CommitsController < Projects::ApplicationController private + def validate_ref! + render_404 unless valid_ref?(@ref) + end + def set_commits render_404 unless @path.empty? || request.format == :atom || @repository.blob_at(@commit.id, @path) || @repository.tree(@commit.id, @path).entries.present? @limit, @offset = (params[:limit] || 40).to_i, (params[:offset] || 0).to_i @@ -70,19 +75,6 @@ class Projects::CommitsController < Projects::ApplicationController @commits = set_commits_for_rendering(@commits) end - # Rails 5 sets request.format from the extension. - # Explicitly set to :html. - def set_request_format - request.format = :html if set_request_format? - end - - # Rails 5 sets request.format from extension. - # In this case if the ref ends with `.atom`, it's expected to be the html response, - # not the atom one. So explicitly set request.format as :html to act like rails4. - def set_request_format? - request.format.to_s == "text/html" || @commits.ref.ends_with?("atom") - end - def whitelist_query_limiting Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-ce/issues/42330') end diff --git a/app/controllers/projects/compare_controller.rb b/app/controllers/projects/compare_controller.rb index 2917925947f..5586c2fc631 100644 --- a/app/controllers/projects/compare_controller.rb +++ b/app/controllers/projects/compare_controller.rb @@ -65,12 +65,6 @@ class Projects::CompareController < Projects::ApplicationController private - def valid_ref?(ref_name) - return true unless ref_name.present? - - Gitlab::GitRefValidator.validate(ref_name) - end - def validate_refs! valid = [head_ref, start_ref].map { |ref| valid_ref?(ref) } diff --git a/app/controllers/projects/deploy_keys_controller.rb b/app/controllers/projects/deploy_keys_controller.rb index 0a593bd35b6..6824a07dc76 100644 --- a/app/controllers/projects/deploy_keys_controller.rb +++ b/app/controllers/projects/deploy_keys_controller.rb @@ -24,7 +24,7 @@ class Projects::DeployKeysController < Projects::ApplicationController end def create - @key = DeployKeys::CreateService.new(current_user, create_params).execute + @key = DeployKeys::CreateService.new(current_user, create_params).execute(project: @project) unless @key.valid? flash[:alert] = @key.errors.full_messages.join(', ').html_safe diff --git a/app/controllers/projects/environments_controller.rb b/app/controllers/projects/environments_controller.rb index de10783df1a..a63eea0ca0e 100644 --- a/app/controllers/projects/environments_controller.rb +++ b/app/controllers/projects/environments_controller.rb @@ -11,6 +11,10 @@ class Projects::EnvironmentsController < Projects::ApplicationController before_action :verify_api_request!, only: :terminal_websocket_authorize before_action :expire_etag_cache, only: [:index] + before_action do + push_frontend_feature_flag(:area_chart, project) + end + def index @environments = project.environments .with_state(params[:scope] || :available) @@ -122,7 +126,7 @@ class Projects::EnvironmentsController < Projects::ApplicationController set_workhorse_internal_api_content_type render json: Gitlab::Workhorse.terminal_websocket(terminal) else - render text: 'Not found', status: :not_found + render html: 'Not found', status: :not_found end end diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb index e55065c5817..8b33fa85c1e 100644 --- a/app/controllers/projects/imports_controller.rb +++ b/app/controllers/projects/imports_controller.rb @@ -13,10 +13,8 @@ class Projects::ImportsController < Projects::ApplicationController end def create - @project.import_url = params[:project][:import_url] - - if @project.save - @project.reload.import_schedule + if @project.update(import_params) + @project.import_state.reload.schedule end redirect_to project_import_path(@project) @@ -24,7 +22,7 @@ class Projects::ImportsController < Projects::ApplicationController def show if @project.import_finished? - if continue_params + if continue_params&.key?(:to) redirect_to continue_params[:to], notice: continue_params[:notice] else redirect_to project_path(@project), notice: finished_notice @@ -67,4 +65,12 @@ class Projects::ImportsController < Projects::ApplicationController redirect_to project_path(@project) end end + + def import_params_attributes + [:import_url] + end + + def import_params + params.require(:project).permit(import_params_attributes) + end end diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb index d6d7110355b..5ed46fc0545 100644 --- a/app/controllers/projects/issues_controller.rb +++ b/app/controllers/projects/issues_controller.rb @@ -9,10 +9,6 @@ class Projects::IssuesController < Projects::ApplicationController include IssuesCalendar include SpammableActions - def self.authenticate_user_only_actions - %i[new] - end - def self.issue_except_actions %i[index calendar new create bulk_update] end @@ -21,7 +17,10 @@ class Projects::IssuesController < Projects::ApplicationController %i[index calendar] end - prepend_before_action :authenticate_user!, only: authenticate_user_only_actions + prepend_before_action(only: [:index]) { authenticate_sessionless_user!(:rss) } + prepend_before_action(only: [:calendar]) { authenticate_sessionless_user!(:ics) } + prepend_before_action :authenticate_new_issue!, only: [:new] + prepend_before_action :store_uri, only: [:new, :show] before_action :whitelist_query_limiting, only: [:create, :create_merge_request, :move, :bulk_update] before_action :check_issues_available! @@ -232,16 +231,18 @@ class Projects::IssuesController < Projects::ApplicationController ] + [{ label_ids: [], assignee_ids: [] }] end - def authenticate_user! + def authenticate_new_issue! return if current_user notice = "Please sign in to create the new issue." + redirect_to new_user_session_path, notice: notice + end + + def store_uri if request.get? && !request.xhr? store_location_for :user, request.fullpath end - - redirect_to new_user_session_path, notice: notice end def serializer @@ -267,7 +268,6 @@ class Projects::IssuesController < Projects::ApplicationController end def set_suggested_issues_feature_flags - push_frontend_feature_flag(:graphql) - push_frontend_feature_flag(:issue_suggestions) + push_frontend_feature_flag(:graphql, default_enabled: true) end end diff --git a/app/controllers/projects/jobs_controller.rb b/app/controllers/projects/jobs_controller.rb index 3ecf94c008e..bfbbcba883f 100644 --- a/app/controllers/projects/jobs_controller.rb +++ b/app/controllers/projects/jobs_controller.rb @@ -9,7 +9,7 @@ class Projects::JobsController < Projects::ApplicationController before_action :authorize_update_build!, except: [:index, :show, :status, :raw, :trace, :cancel_all, :erase] before_action :authorize_erase_build!, only: [:erase] - before_action :authorize_use_build_terminal!, only: [:terminal, :terminal_workhorse_authorize] + before_action :authorize_use_build_terminal!, only: [:terminal, :terminal_websocket_authorize] before_action :verify_api_request!, only: :terminal_websocket_authorize layout 'project' @@ -140,15 +140,22 @@ class Projects::JobsController < Projects::ApplicationController def raw if trace_artifact_file + workhorse_set_content_type! send_upload(trace_artifact_file, send_params: raw_send_params, redirect_params: raw_redirect_params) else build.trace.read do |stream| if stream.file? + workhorse_set_content_type! send_file stream.path, type: 'text/plain; charset=utf-8', disposition: 'inline' else - send_data stream.raw, type: 'text/plain; charset=utf-8', disposition: 'inline', filename: 'job.log' + # In this case we can't use workhorse_set_content_type! and let + # Workhorse handle the response because the data is streamed directly + # to the user but, because we have the trace content, we can calculate + # the proper content type and disposition here. + raw_data = stream.raw + send_data raw_data, type: 'text/plain; charset=utf-8', disposition: raw_trace_content_disposition(raw_data), filename: 'job.log' end end end @@ -201,4 +208,13 @@ class Projects::JobsController < Projects::ApplicationController def build_path(build) project_job_path(build.project, build) end + + def raw_trace_content_disposition(raw_data) + mime_type = MimeMagic.by_magic(raw_data) + + # if mime_type is nil can also represent 'text/plain' + return 'inline' if mime_type.nil? || mime_type.type == 'text/plain' + + 'attachment' + end end diff --git a/app/controllers/projects/merge_requests/diffs_controller.rb b/app/controllers/projects/merge_requests/diffs_controller.rb index b3d77335c2a..ddffbb17ace 100644 --- a/app/controllers/projects/merge_requests/diffs_controller.rb +++ b/app/controllers/projects/merge_requests/diffs_controller.rb @@ -22,12 +22,9 @@ class Projects::MergeRequests::DiffsController < Projects::MergeRequests::Applic def render_diffs @environment = @merge_request.environments_for(current_user).last - notes_grouped_by_path = renderable_notes.group_by { |note| note.position.file_path } - @diffs.diff_files.each do |diff_file| - notes = notes_grouped_by_path.fetch(diff_file.file_path, []) - notes.each { |note| diff_file.unfold_diff_lines(note.position) } - end + note_positions = renderable_notes.map(&:position).compact + @diffs.unfold_diff_files(note_positions) @diffs.write_cache diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index d521db79f85..da9316d5f22 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -122,17 +122,21 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo respond_to do |format| format.html do - if @merge_request.valid? - redirect_to([@merge_request.target_project.namespace.becomes(Namespace), @merge_request.target_project, @merge_request]) - else + if @merge_request.errors.present? define_edit_vars render :edit + else + redirect_to project_merge_request_path(@merge_request.target_project, @merge_request) end end format.json do - render json: serializer.represent(@merge_request, serializer: 'basic') + if merge_request.errors.present? + render json: @merge_request.errors, status: :bad_request + else + render json: serializer.represent(@merge_request, serializer: 'basic') + end end end rescue ActiveRecord::StaleObjectError diff --git a/app/controllers/projects/milestones_controller.rb b/app/controllers/projects/milestones_controller.rb index 20998c97730..8e68014a30d 100644 --- a/app/controllers/projects/milestones_controller.rb +++ b/app/controllers/projects/milestones_controller.rb @@ -11,7 +11,10 @@ class Projects::MilestonesController < Projects::ApplicationController before_action :authorize_read_milestone! # Allow admin milestone - before_action :authorize_admin_milestone!, except: [:index, :show, :merge_requests, :participants, :labels, :promote] + before_action :authorize_admin_milestone!, except: [:index, :show, :merge_requests, :participants, :labels] + + # Allow to promote milestone + before_action :authorize_promote_milestone!, only: :promote respond_to :html @@ -78,7 +81,7 @@ class Projects::MilestonesController < Projects::ApplicationController def promote promoted_milestone = Milestones::PromoteService.new(project, current_user).execute(milestone) - flash[:notice] = flash_notice_for(promoted_milestone, project.group) + flash[:notice] = flash_notice_for(promoted_milestone, project_group) respond_to do |format| format.html do @@ -109,6 +112,12 @@ class Projects::MilestonesController < Projects::ApplicationController protected + def project_group + strong_memoize(:project_group) do + project.group + end + end + def milestones strong_memoize(:milestones) do MilestonesFinder.new(search_params).execute @@ -125,13 +134,17 @@ class Projects::MilestonesController < Projects::ApplicationController return render_404 unless can?(current_user, :admin_milestone, @project) end + def authorize_promote_milestone! + return render_404 unless can?(current_user, :admin_milestone, project_group) + end + def milestone_params params.require(:milestone).permit(:title, :description, :start_date, :due_date, :state_event) end def search_params - if request.format.json? && @project.group && can?(current_user, :read_group, @project.group) - groups = @project.group.self_and_ancestors_ids + if request.format.json? && project_group && can?(current_user, :read_group, project_group) + groups = project_group.self_and_ancestors_ids end params.permit(:state).merge(project_ids: @project.id, group_ids: groups) diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb index 53b29d4146e..67827b1d3bb 100644 --- a/app/controllers/projects/pipelines_controller.rb +++ b/app/controllers/projects/pipelines_controller.rb @@ -46,7 +46,7 @@ class Projects::PipelinesController < Projects::ApplicationController end def new - @pipeline = project.pipelines.new(ref: @project.default_branch) + @pipeline = project.all_pipelines.new(ref: @project.default_branch) end def create @@ -142,9 +142,9 @@ class Projects::PipelinesController < Projects::ApplicationController @charts[:pipeline_times] = Gitlab::Ci::Charts::PipelineTime.new(project) @counts = {} - @counts[:total] = @project.pipelines.count(:all) - @counts[:success] = @project.pipelines.success.count(:all) - @counts[:failed] = @project.pipelines.failed.count(:all) + @counts[:total] = @project.all_pipelines.count(:all) + @counts[:success] = @project.all_pipelines.success.count(:all) + @counts[:failed] = @project.all_pipelines.failed.count(:all) end private @@ -164,7 +164,7 @@ class Projects::PipelinesController < Projects::ApplicationController # rubocop: disable CodeReuse/ActiveRecord def pipeline @pipeline ||= project - .pipelines + .all_pipelines .includes(user: :status) .find_by!(id: params[:id]) .present(current_user: current_user) diff --git a/app/controllers/projects/protected_branches_controller.rb b/app/controllers/projects/protected_branches_controller.rb index a860be83e95..c5454883060 100644 --- a/app/controllers/projects/protected_branches_controller.rb +++ b/app/controllers/projects/protected_branches_controller.rb @@ -15,6 +15,10 @@ class Projects::ProtectedBranchesController < Projects::ProtectedRefsController @protected_ref = @project.protected_branches.find(params[:id]) end + def access_levels + [:merge_access_levels, :push_access_levels] + end + def protected_ref_params params.require(:protected_branch).permit(:name, merge_access_levels_attributes: access_level_attributes, diff --git a/app/controllers/projects/protected_refs_controller.rb b/app/controllers/projects/protected_refs_controller.rb index 3a3a29ddd0d..4e2a9df5576 100644 --- a/app/controllers/projects/protected_refs_controller.rb +++ b/app/controllers/projects/protected_refs_controller.rb @@ -32,7 +32,7 @@ class Projects::ProtectedRefsController < Projects::ApplicationController @protected_ref = update_service_class.new(@project, current_user, protected_ref_params).execute(@protected_ref) if @protected_ref.valid? - render json: @protected_ref, status: :ok + render json: @protected_ref, status: :ok, include: access_levels else render json: @protected_ref.errors, status: :unprocessable_entity end @@ -62,6 +62,6 @@ class Projects::ProtectedRefsController < Projects::ApplicationController end def access_level_attributes - %i(access_level id) + %i[access_level id] end end diff --git a/app/controllers/projects/protected_tags_controller.rb b/app/controllers/projects/protected_tags_controller.rb index 01cedba95ac..41191639c2b 100644 --- a/app/controllers/projects/protected_tags_controller.rb +++ b/app/controllers/projects/protected_tags_controller.rb @@ -15,6 +15,10 @@ class Projects::ProtectedTagsController < Projects::ProtectedRefsController @protected_ref = @project.protected_tags.find(params[:id]) end + def access_levels + [:create_access_levels] + end + def protected_ref_params params.require(:protected_tag).permit(:name, create_access_levels_attributes: access_level_attributes) end diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb index 55827075896..58d5ea4762f 100644 --- a/app/controllers/projects/releases_controller.rb +++ b/app/controllers/projects/releases_controller.rb @@ -4,39 +4,16 @@ class Projects::ReleasesController < Projects::ApplicationController # Authorize before_action :require_non_empty_project before_action :authorize_download_code! - before_action :authorize_push_code! - before_action :tag - before_action :release + before_action :check_releases_page_feature_flag - def edit - end - - def update - # Release belongs to Tag which is not active record object, - # it exists only to save a description to each Tag. - # If description is empty we should destroy the existing record. - if release_params[:description].present? - release.update(release_params) - else - release.destroy - end - - redirect_to project_tag_path(@project, @tag.name) + def index end private - def tag - @tag ||= @repository.find_tag(params[:tag_id]) - end - - # rubocop: disable CodeReuse/ActiveRecord - def release - @release ||= @project.releases.find_or_initialize_by(tag: @tag.name) - end - # rubocop: enable CodeReuse/ActiveRecord + def check_releases_page_feature_flag + return render_404 unless Feature.enabled?(:releases_page) - def release_params - params.require(:release).permit(:description) + push_frontend_feature_flag(:releases_page) end end diff --git a/app/controllers/projects/serverless/functions_controller.rb b/app/controllers/projects/serverless/functions_controller.rb new file mode 100644 index 00000000000..0af2b7ef343 --- /dev/null +++ b/app/controllers/projects/serverless/functions_controller.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +module Projects + module Serverless + class FunctionsController < Projects::ApplicationController + include ProjectUnauthorized + + before_action :authorize_read_cluster! + + INDEX_PRIMING_INTERVAL = 10_000 + INDEX_POLLING_INTERVAL = 30_000 + + def index + finder = Projects::Serverless::FunctionsFinder.new(project.clusters) + + respond_to do |format| + format.json do + functions = finder.execute + + if functions.any? + Gitlab::PollingInterval.set_header(response, interval: INDEX_POLLING_INTERVAL) + render json: Projects::Serverless::ServiceSerializer.new(current_user: @current_user).represent(functions) + else + Gitlab::PollingInterval.set_header(response, interval: INDEX_PRIMING_INTERVAL) + head :no_content + end + end + + format.html do + @installed = finder.installed? + render + end + end + end + end + end +end diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb index 1d76c90d4eb..ac3004d069f 100644 --- a/app/controllers/projects/settings/repository_controller.rb +++ b/app/controllers/projects/settings/repository_controller.rb @@ -20,6 +20,20 @@ module Projects render_show end + def cleanup + cleanup_params = params.require(:project).permit(:bfg_object_map) + result = Projects::UpdateService.new(project, current_user, cleanup_params).execute + + if result[:status] == :success + RepositoryCleanupWorker.perform_async(project.id, current_user.id) + flash[:notice] = _('Repository cleanup has started. You will receive an email once the cleanup operation is complete.') + else + flash[:alert] = _('Failed to upload object map file') + end + + redirect_to project_settings_repository_path(project) + end + private def render_show diff --git a/app/controllers/projects/tags/releases_controller.rb b/app/controllers/projects/tags/releases_controller.rb new file mode 100644 index 00000000000..334e1847cc8 --- /dev/null +++ b/app/controllers/projects/tags/releases_controller.rb @@ -0,0 +1,42 @@ +# frozen_string_literal: true + +class Projects::Tags::ReleasesController < Projects::ApplicationController + # Authorize + before_action :require_non_empty_project + before_action :authorize_download_code! + before_action :authorize_push_code! + before_action :tag + before_action :release + + def edit + end + + def update + # Release belongs to Tag which is not active record object, + # it exists only to save a description to each Tag. + # If description is empty we should destroy the existing record. + if release_params[:description].present? + release.update(release_params) + else + release.destroy + end + + redirect_to project_tag_path(@project, @tag.name) + end + + private + + def tag + @tag ||= @repository.find_tag(params[:tag_id]) + end + + # rubocop: disable CodeReuse/ActiveRecord + def release + @release ||= @project.releases.find_or_initialize_by(tag: @tag.name) + end + # rubocop: enable CodeReuse/ActiveRecord + + def release_params + params.require(:release).permit(:description) + end +end diff --git a/app/controllers/projects/tags_controller.rb b/app/controllers/projects/tags_controller.rb index c8442ff3592..a50a1475eb2 100644 --- a/app/controllers/projects/tags_controller.rb +++ b/app/controllers/projects/tags_controller.rb @@ -3,6 +3,8 @@ class Projects::TagsController < Projects::ApplicationController include SortingHelper + prepend_before_action(only: [:index]) { authenticate_sessionless_user!(:rss) } + # Authorize before_action :require_non_empty_project before_action :authorize_download_code! @@ -18,7 +20,7 @@ class Projects::TagsController < Projects::ApplicationController @tags = Kaminari.paginate_array(@tags).page(params[:page]) tag_names = @tags.map(&:name) - @tags_pipelines = @project.pipelines.latest_successful_for_refs(tag_names) + @tags_pipelines = @project.ci_pipelines.latest_successful_for_refs(tag_names) @releases = project.releases.where(tag: tag_names) respond_to do |format| @@ -40,7 +42,7 @@ class Projects::TagsController < Projects::ApplicationController # rubocop: enable CodeReuse/ActiveRecord def create - result = Tags::CreateService.new(@project, current_user) + result = ::Tags::CreateService.new(@project, current_user) .execute(params[:tag_name], params[:ref], params[:message], params[:release_description]) if result[:status] == :success @@ -56,7 +58,7 @@ class Projects::TagsController < Projects::ApplicationController end def destroy - result = Tags::DestroyService.new(project, current_user).execute(params[:id]) + result = ::Tags::DestroyService.new(project, current_user).execute(params[:id]) respond_to do |format| if result[:status] == :success diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 7f4a9f5151b..8bf93bfd68d 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -7,6 +7,8 @@ class ProjectsController < Projects::ApplicationController include PreviewMarkdown include SendFileUpload + prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) } + before_action :whitelist_query_limiting, only: [:create] before_action :authenticate_user!, except: [:index, :show, :activity, :refs] before_action :redirect_git_extension, only: [:show] diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 5b70c69d7f4..072d62ddf38 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -14,6 +14,7 @@ class UsersController < ApplicationController calendar_activities: true skip_before_action :authenticate_user! + prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) } before_action :user, except: [:exists] before_action :authorize_read_user_profile!, only: [:calendar, :calendar_activities, :groups, :projects, :contributed_projects, :snippets] @@ -57,11 +58,13 @@ class UsersController < ApplicationController load_projects skip_pagination = Gitlab::Utils.to_boolean(params[:skip_pagination]) + skip_namespace = Gitlab::Utils.to_boolean(params[:skip_namespace]) + compact_mode = Gitlab::Utils.to_boolean(params[:compact_mode]) respond_to do |format| format.html { render 'show' } format.json do - pager_json("shared/projects/_list", @projects.count, projects: @projects, skip_pagination: skip_pagination) + pager_json("shared/projects/_list", @projects.count, projects: @projects, skip_pagination: skip_pagination, skip_namespace: skip_namespace, compact_mode: compact_mode) end end end |