Commit message | Author | Age | Files | Lines
Backport !7967 and !8189 to `8-13-stable`
See merge request !8991
Signed-off-by: Rémy Coutable <remy@rymai.me>
Signed-off-by: Rémy Coutable <remy@rymai.me>
Accept environment variables from the `pre-receive` script
1. Starting with version 2.11, git changed the way the pre-receive flow works.
- Previously, the new potential objects would be added to the main repo. If the pre-receive passes, the new objects stay in the repo but are linked up. If the pre-receive fails, the new objects stay orphaned in the repo, and are cleaned up during the next `git gc`.
- In 2.11, the new potential objects are added to a temporary "alternate object directory", that git creates for this purpose. If the pre-receive passes, the objects from the alternate object directory are migrated to the main repo. If the pre-receive fails the alternate object directory is simply deleted.
2. In our workflow, the pre-receive script (in `gitlab-shell`) calls the
`/allowed` endpoint, which calls out directly to git to perform
various checks. These direct calls to git do _not_ have the necessary
environment variables set which allow access to the "alternate object
directory" (explained above). Therefore these calls to git are not able to
access any of the new potential objects to be added during this push.
3. We fix this by accepting the relevant environment variables
(`GIT_ALTERNATE_OBJECT_DIRECTORIES`, `GIT_OBJECT_DIRECTORY`, and
`GIT_QUARANTINE_PATH`) on the `/allowed` endpoint, and then include
these environment variables while calling out to git.
4. This commit includes these environment variables while making the "force
push" check.
See https://gitlab.com/gitlab-org/gitlab-shell/merge_requests/120
Signed-off-by: Rémy Coutable <remy@rymai.me>
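The environment-variable handling described in points 3 and 4 above, as an added Ruby example (not gitlab-shell's or GitLab's own code): only the three named variables are accepted from the caller and forwarded to the git subprocess, everything else is dropped. The `force_push_command` builder, its `rev-list` invocation and the sample paths are assumptions for illustration, not the project's implementation.

```ruby
require 'open3'

# The quarantine-related variables git 2.11+ exports to the pre-receive hook.
# Only these may be forwarded from the hook to the git calls made by /allowed.
ALLOWED_GIT_ENV_VARS = %w[
  GIT_ALTERNATE_OBJECT_DIRECTORIES
  GIT_OBJECT_DIRECTORY
  GIT_QUARANTINE_PATH
].freeze

# Keep only the allowlisted keys from a caller-supplied hash (e.g. the body of
# the /allowed request). Every other key is dropped, so a client cannot inject
# variables such as GIT_DIR or PATH into the server-side git invocation.
def sanitize_git_env(raw_env)
  raw_env.each_with_object({}) do |(key, value), env|
    key = key.to_s
    next unless ALLOWED_GIT_ENV_VARS.include?(key)
    next unless value.is_a?(String) && !value.empty?
    env[key] = value
  end
end

# Command for a force-push test (assumed, not GitLab's): `git rev-list
# --max-count=1 <old> ^<new>` prints a commit only when <old> is not reachable
# from <new>, i.e. the push rewrites history. The sanitized env hash goes first
# so Open3 applies it to the child, letting git see objects still in quarantine.
def force_push_command(repo_path, oldrev, newrev, raw_env)
  [sanitize_git_env(raw_env), 'git', "--git-dir=#{repo_path}",
   'rev-list', '--max-count=1', oldrev, "^#{newrev}"]
end

# Run the check; true means the push is a force push. Needs a real repository
# on disk, so the constructed sample below only builds the command.
def force_push?(repo_path, oldrev, newrev, raw_env)
  stdout, _stderr, status = Open3.capture3(*force_push_command(repo_path, oldrev, newrev, raw_env))
  status.success? && !stdout.strip.empty?
end

# Constructed sample of what a hook might forward, plus two keys that must be dropped.
SAMPLE_ENV = {
  'GIT_QUARANTINE_PATH' => '/repos/app.git/objects/incoming-abc123',
  'GIT_OBJECT_DIRECTORY' => '/repos/app.git/objects/incoming-abc123',
  'GIT_ALTERNATE_OBJECT_DIRECTORIES' => '/repos/app.git/objects',
  'GIT_DIR' => '/tmp/other.git', # not allowlisted
  'PATH' => '/tmp/bin'           # not allowlisted
}.freeze

puts force_push_command('/repos/app.git', 'old', 'new', SAMPLE_ENV).inspect if __FILE__ == $PROGRAM_NAME
```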
[ci skip]
The `parent` namespace concept didn't exist until 8.15, so this was
causing a `NoMethodError`.
Upgrade OmniAuth Ruby gem to 1.3.2
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/26813
See merge request !2056
Prevent users from creating notes on resources they can't access
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
Ensure that only privileged users can access merge requests in the API
See merge request !2053
Fix export files not removed when a user takes over a namespace
See merge request !2051
Fix users being able to delete instance public deployment keys
See merge request !2049
[ci skip]
Updated Turbolinks to patched version of turbolinks-classic
See merge request !2048
Update the gitlab-markup gem to the version `1.5.1`
See merge request !8509
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
Signed-off-by: Rémy Coutable <remy@rymai.me>
Signed-off-by: Rémy Coutable <remy@rymai.me>
Signed-off-by: Rémy Coutable <remy@rymai.me>
Filter `incoming_email_token` and `runners_token` parameters
Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676
See merge request !2045
Signed-off-by: Rémy Coutable <remy@rymai.me>
Issue#visible_to_user moved to IssuesFinder
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.
See merge request !2039
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix missing Note access checks by moving Note#search to updated NoteFinder
See merge request !2035
Signed-off-by: Rémy Coutable <remy@rymai.me>
API: Memoize the current_user so that the sudo can work properly
Closes #25482
See merge request !8017
Signed-off-by: Rémy Coutable <remy@rymai.me>
[ci skip]
Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.
Closes #24537
See merge request !7615
Signed-off-by: Rémy Coutable <remy@rymai.me>
Make the `downtime_check` task happy
See merge request !7845
Signed-off-by: Rémy Coutable <remy@rymai.me>
Replace MR access checks with use of MergeRequestsFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### MR lookup from project
- [x] :bomb: app/finders/notes_finder.rb:17
- [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] :bomb: app/controllers/concerns/creates_commit.rb:84
- [x] :traffic_light: app/controllers/projects/commits_controller.rb:24
- [x] :traffic_light: app/controllers/projects/compare_controller.rb:56
- [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27
- [x] :vertical_traffic_light: app/models/commit.rb:268
- [x] :white_check_mark: lib/gitlab/search_results.rb:71
### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize `merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?`
See merge request !2033
[ci skip]
'24813-project-members-with-developer-access-can-no-longer-create-tags' into 'master'
Create tag after running pre-hooks and pass updated SHA to post-hooks
Closes #24813
See merge request !7700
Signed-off-by: Rémy Coutable <remy@rymai.me>
Ensure state param has a valid value when filtering issuables.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
This fix makes sure we only call safe methods on issuable when filtering by state.
See merge request !2038
[ci skip]
Update grape-entity to 0.6.0
See merge request !7491
Signed-off-by: Rémy Coutable <remy@rymai.me>
Replace issue access checks with use of IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).
- [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`]
- CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87
See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix missing access checks on issue lookup using IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### Issue lookup without access check (security)
- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
- `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with
confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19
### Code smells
- [x] Potential double render in app/controllers/projects/todos_controller.rb
### Previous discussions
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24
See merge request !2030
Fix information disclosure in `Projects::BlobController#update`
## What does this MR do?
It was possible to discover private project names by modifying the `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/22869
See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix label creation non members
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416
See merge request !2006
500 error on project show when user is not logged in and project is still empty
## What does this MR do?
Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show
## Screenshots (if relevant)
When the project is empty and the user is not logged in we default to the empty project partial instead of readme.
![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)
## Does this MR meet the acceptance criteria?
- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #23990
See merge request !7376
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Backport JIRA api docs to 8-13-stable
We need to backport the JIRA API docs that were until recently on
master to 8-13-stable also. With 8.14 we simplified the way JIRA is
configured and we need a link to point to the old docs.
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471
See merge request !7677
[ci skip]
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>