Commit message | Author | Date | Files | Lines

* Updated media query for admin/groups search box [admin-pages-layout-sass-update] | Phil Hughes | 2016-04-07 | 1 | -3/+3

* Merge branch 'no-gc-auto' into 'master' | Yorick Peterse | 2016-04-07 | 2 | -1/+13
    Disable git gc --auto
    See merge request !3572

  * Merge branch 'master' of https://gitlab.com/gitlab-org/gitlab-ce into no-gc-auto | Jacob Vosmaer | 2016-04-07 | 75 | -374/+1052

  * Disable git gc --auto | Jacob Vosmaer | 2016-04-06 | 2 | -1/+13

* Merge branch 'dont-assign-me-if-you-arent-allow' into 'master' | Rémy Coutable | 2016-04-07 | 1 | -6/+8
    Hide "assign to me" link if not allowed
    Fixes #14996
    See merge request !3590

  * Remove duplication. Remove JS data attributes | Jacob Schatz | 2016-04-07 | 1 | -6/+6

  * Hide "assign to me" link if not allowed [dont-assign-me-if-you-arent-allow] | Jacob Schatz | 2016-04-07 | 1 | -5/+7

* Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq | Grzegorz Bizon | 2016-04-07 | 2 | -6/+110
    * 'master' of dev.gitlab.org:gitlab/gitlabhq:
      Make sessions controller specs more explicit
      Fix 2FA authentication spoofing vulnerability
      Add specs for sessions controller including 2FA

  * Merge branch 'fix/2fa-authentication-spoofing' into 'master' | Rémy Coutable | 2016-04-07 | 2 | -6/+110
    Fix 2FA authentication spoofing

    ## Summary
    This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900. An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user. It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.

    ## Fix
    This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled, and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`. Both 2FA authentication spoofing and 2FA discovery have been covered by specs.

    ## Further work
    Current 2FA code is a bit tricky, so it probably needs some refactoring.

    See merge request !1947

    * Make sessions controller specs more explicit | Grzegorz Bizon | 2016-04-07 | 1 | -4/+5

    * Fix 2FA authentication spoofing vulnerability | Grzegorz Bizon | 2016-04-07 | 2 | -41/+51
      This commit attempts to change the default user search scope if the otp_user_id session variable has been set. If it is present, it means that the user has 2FA enabled, and has already been verified with login and password. In this case we should look for the user with otp_user_id first, before picking it up by login.

    * Add specs for sessions controller including 2FA | Grzegorz Bizon | 2016-04-06 | 1 | -0/+93
      This also contains specs for a bug described in #14900

* Merge branch 'fix-project-404-cache-issue' into 'master' | Yorick Peterse | 2016-04-07 | 2 | -0/+15
    Expire caches after project creation to ensure a consistent state
    See merge request !3586

  * Expire caches after project creation to ensure a consistent state | Stan Hu | 2016-04-07 | 2 | -0/+15
    Closes #14961

* Merge branch 'update_main_lang_if_unset' into 'master' | Rémy Coutable | 2016-04-07 | 3 | -10/+27
    Only update main language if it is not already set
    Related to gitlab-org/gitlab-ce#14937 (but does not fully fix)
    This is a temporary fix so performance isn't affected so much.
    cc @yorickpeterse @ayufan how does this look?
    See merge request !3556

  * Only update main language if it is not already set [update_main_lang_if_unset] | Drew Blessing | 2016-04-06 | 3 | -10/+27

* Merge branch 'api-filter-milestone' into 'master' | Rémy Coutable | 2016-04-07 | 4 | -6/+54
    API: Ability to filter milestones by state
    Ability to filter milestones by `active` and `closed` state.
    * Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931
    See merge request !3566

  * Improve coding and doc style | Robert Schilling | 2016-04-06 | 4 | -10/+21

  * API: Ability to filter milestones by state | Robert Schilling | 2016-04-06 | 4 | -2/+39

* Merge branch 'feature/expose-builds-badge' into 'master' | Rémy Coutable | 2016-04-07 | 9 | -10/+137
    Expose badges
    This MR exposes a badge somewhere in a visible place.
    ![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png)
    Closes #13801
    See merge request !3326

  * Fix Changelog entries after rebase [feature/expose-builds-badge] | Grzegorz Bizon | 2016-04-06 | 1 | -2/+0

  * Use default branch when displaying list of badges | Grzegorz Bizon | 2016-04-06 | 1 | -1/+1

  * Add Changelog entry for project badges in settings | Grzegorz Bizon | 2016-04-06 | 1 | -0/+3

  * Change name of badge variable in badges controller | Grzegorz Bizon | 2016-04-06 | 2 | -4/+4

  * Remove obsolete badge code from project view | Grzegorz Bizon | 2016-04-06 | 1 | -3/+0

  * Add feature specs for list of badges page | Grzegorz Bizon | 2016-04-06 | 1 | -0/+34

  * Expose project badges in project settings menu | Grzegorz Bizon | 2016-04-06 | 2 | -1/+8

  * Make it possible to switch ref in badges view | Grzegorz Bizon | 2016-04-06 | 2 | -0/+4

  * Add project header title in project badges view | Grzegorz Bizon | 2016-04-06 | 1 | -0/+2

  * Use highlight helper to render badges code syntax | Grzegorz Bizon | 2016-04-06 | 1 | -4/+4

  * Improve view with list of badges | Grzegorz Bizon | 2016-04-06 | 1 | -7/+12

  * Extend build status badge, add html/markdown methods | Grzegorz Bizon | 2016-04-06 | 4 | -8/+63

  * Add project badges view prototype | Grzegorz Bizon | 2016-04-06 | 4 | -2/+23

  * Improve routes for project badges | Grzegorz Bizon | 2016-04-06 | 1 | -3/+4

* Merge branch 'fix_14638' into 'master' | Rémy Coutable | 2016-04-07 | 3 | -1/+25
    Fixes #14638.
    The SQL query was ambiguous and in this case we want to filter projects.
    See merge request !3462

  * Fixes #14638. | PotHix | 2016-04-06 | 3 | -1/+25
    The SQL query was ambiguous and in this case we want to filter projects.

* Merge branch 'return-303-for-branch-deletion' into 'master' | Rémy Coutable | 2016-04-07 | 4 | -2/+19
    Return status code 303 after a branch DELETE operation to avoid project deletion
    Closes #14994
    See merge request !3583

  * Return status code 303 after a branch DELETE operation to avoid project deletion | Stan Hu | 2016-04-06 | 4 | -2/+19
    Closes #14994

* Merge branch 'update-coveralls' into 'master' | Jeroen van Baarsen | 2016-04-07 | 2 | -16/+6
    Update coveralls from 0.8.9 to 0.8.13 and simplecov from 0.10.0 to 0.11.2
    This removes a few dependencies! It was also rude to be using coveralls 0.8.9, considering 0.8.12 introduced support for GitLab CI :)
    Also paves the way for updating mime-types to 3.0.
    Coveralls Changelog: https://github.com/lemurheavy/coveralls-ruby/releases
    Simplecov Changelog: https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md
    See merge request !3584

  * Update coveralls from 0.8.9 to 0.8.13 and simplecov from 0.10.0 to 0.11.2 | connorshea | 2016-04-06 | 2 | -16/+6
    This removes a few dependencies! It was also rude to be using coveralls 0.8.9, considering 0.8.12 introduced support for GitLab CI :)
    Also paves the way for updating mime-types to 3.0.
    Coveralls Changelog: https://github.com/lemurheavy/coveralls-ruby/releases
    Simplecov Changelog: https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md

* Merge branch 'master' of github.com:gitlabhq/gitlabhq | Robert Schilling | 2016-04-07 | 1 | -1/+1

  * Merge pull request #10118 from yasserhussain1110/unprotect-branch-not-found-message | Rémy Coutable | 2016-04-06 | 1 | -1/+1
    API: Change the argument of `not_found!` in `:id/repository/branches/:branch/unprotect`

    * Changed the argument of not_found for 'unprotect' | Yasser Hussain | 2016-04-06 | 1 | -1/+1
      not_found appends the string "Not Found" to the argument, causing the resulting message to be "Branch does not exist Not Found", which is an incorrect error message. Changed the argument of not_found! for the 'unprotect' command to "Branch" from "Branch does not exist". This makes the final error message appear as "Branch Not Found", which is correct and the same as the error messages for other commands like 'protect'.

* Merge branch 'patch-1' into 'master' | Robert Schilling | 2016-04-07 | 1 | -1/+1
    Fix typo in .gitlab-ci.yml doc.
    [ci skip]
    See merge request !3581

  * [ci skip] Fix typo. | frodsan | 2016-04-06 | 1 | -1/+1

* Merge branch 'anti-memoizer-mr-fix' into 'master' | Robert Speicher | 2016-04-07 | 2 | -1/+9
    Reset merge request widget options
    Fixes #14986
    See merge request !3582

  * Reset MR opts [anti-memoizer-mr-fix] | Jacob Schatz | 2016-04-06 | 2 | -1/+9

* Merge branch 'saml-external-groups' into 'master' | Robert Speicher | 2016-04-07 | 8 | -102/+207
    Allow SAML to identify external users and set them as such
    Related to #4009
    Fixes #14577
    This allows SAML to retrieve group information from the `SAML Response` and match that to a setting that will flag all matching users as external.
    See merge request !3530

  * Implemented suggested fixes | Patricio Cano | 2016-04-06 | 5 | -33/+21

  * Added CHANGELOG item [saml-external-groups] | Patricio Cano | 2016-04-06 | 2 | -1/+1