Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Better control flow and added guard clause. [fix-missing-saml-error-handling] | Patricio Cano | 2016-04-11 | 1 | -14/+9 |
| | |||||
* | Add missing proper nil and error handling to SAML login process. | Patricio Cano | 2016-04-07 | 2 | -18/+30 |
| | |||||
* | Merge branch 'revert-5e8740ee' into 'master' | Jacob Schatz | 2016-04-07 | 1 | -1/+1 |
|\ | Revert "Merge branch 'fix-sidebar-exapnd' into 'master'" This reverts merge request !3520 See merge request !3606 | ||||
| * | Revert "Merge branch 'fix-sidebar-exapnd' into 'master'" [revert-5e8740ee] | Jacob Schatz | 2016-04-07 | 1 | -1/+1 |
|/ | This reverts merge request !3520 | ||||
* | Merge branch 'indentation-bug' into 'master' | Jacob Schatz | 2016-04-07 | 1 | -3/+3 |
|\ | Preserve white space See merge request !3602 | ||||
| * | Indentation update [indentation-bug] | Annabel Dunstone | 2016-04-07 | 1 | -2/+0 |
| | | |||||
| * | Preserve white space | Annabel Dunstone | 2016-04-07 | 1 | -1/+3 |
| | | |||||
* | | Merge branch 'fix-number-of-todos-sidebar-is-not-updated' into 'master' | Jacob Schatz | 2016-04-07 | 3 | -1/+4 |
|\ \ | Update number of Todos in the sidebar when it's marked as "Done" Closes #15002 See merge request !3600 | ||||
| * | | Update CHANGELOG [fix-number-of-todos-sidebar-is-not-updated] | Douglas Barbosa Alexandre | 2016-04-07 | 1 | -0/+1 |
| | | | |||||
| * | | Update number of Todos in the sidebar when it's marked as "Done" | Douglas Barbosa Alexandre | 2016-04-07 | 2 | -1/+3 |
| |/ | |||||
* | | Merge branch 'issue_14012' into 'master' | Rémy Coutable | 2016-04-07 | 5 | -6/+42 |
|\ \ | |/ |/| | Fix problem when creating milestones in groups without projects Fixes #14012 See merge request !3481 | ||||
| * | Implement review suggestions | Felipe Artur | 2016-04-07 | 4 | -7/+6 |
| | | |||||
| * | Improve code | Felipe Artur | 2016-04-05 | 3 | -17/+22 |
| | | |||||
| * | Improve code | Felipe Artur | 2016-04-05 | 1 | -7/+15 |
| | | |||||
| * | Fix problem when creating milestones in groups without projects | Felipe Artur | 2016-04-05 | 2 | -5/+29 |
| | | |||||
* | | Merge branch 'regex-for-colons' into 'master' | Douwe Maan | 2016-04-07 | 4 | -2/+118 |
|\ \ | Add optional colon. See merge request !3591 | ||||
| * | | CHANGELOG | Jacob Schatz | 2016-04-07 | 1 | -0/+1 |
| | | | |||||
| * | | Remove dumb debug statement and add many tests. | Jacob Schatz | 2016-04-07 | 3 | -2/+116 |
| | | | |||||
| * | | Add optional colon. | Jacob Schatz | 2016-04-07 | 1 | -1/+2 |
| | | | |||||
* | | | Merge branch 'no-gc-auto' into 'master' | Yorick Peterse | 2016-04-07 | 2 | -1/+13 |
|\ \ \ | Disable git gc --auto See merge request !3572 | ||||
| * \ \ | Merge branch 'master' of https://gitlab.com/gitlab-org/gitlab-ce into no-gc-auto | Jacob Vosmaer | 2016-04-07 | 75 | -374/+1052 |
| |\ \ \ | | |/ / | |||||
| * | | | Disable git gc --auto | Jacob Vosmaer | 2016-04-06 | 2 | -1/+13 |
| | | | | |||||
* | | | | Merge branch 'dont-assign-me-if-you-arent-allow' into 'master' | Rémy Coutable | 2016-04-07 | 1 | -6/+8 |
|\ \ \ \ | Hide "assign to me" link if not allowed Fixes #14996 See merge request !3590 | ||||
| * | | | | Remove duplication. Remove JS data attributes | Jacob Schatz | 2016-04-07 | 1 | -6/+6 |
| | | | | | |||||
| * | | | | Hide "assign to me" link if not allowed [dont-assign-me-if-you-arent-allow] | Jacob Schatz | 2016-04-07 | 1 | -5/+7 |
| | | | | | |||||
* | | | | | Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq | Grzegorz Bizon | 2016-04-07 | 2 | -6/+110 |
|\ \ \ \ \ | |_|_|/ / |/| | | | | * 'master' of dev.gitlab.org:gitlab/gitlabhq: Make sessions controller specs more explicit Fix 2FA authentication spoofing vulnerability Add specs for sessions controller including 2FA | ||||
| * | | | | Merge branch 'fix/2fa-authentication-spoofing' into 'master' | Rémy Coutable | 2016-04-07 | 2 | -6/+110 |
| |\ \ \ \ | Fix 2FA authentication spoofing ## Summary This is a security fix for vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900. Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user. It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case. ## Fix This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`. Both, 2FA authentication spoofing and 2FA discovery have been covered by specs. ## Further work Current 2FA code is a bit tricky, so it probably needs some refactoring. See merge request !1947 | ||||
| | * | | | | Make sessions controller specs more explicit | Grzegorz Bizon | 2016-04-07 | 1 | -4/+5 |
| | | | | | | |||||
| | * | | | | Fix 2FA authentication spoofing vulnerability | Grzegorz Bizon | 2016-04-07 | 2 | -41/+51 |
| | | | | | | This commit attempts to change default user search scope if otp_user_id session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with otp_user_id first, before picking it up by login. | ||||
| | * | | | | Add specs for sessions controller including 2FA | Grzegorz Bizon | 2016-04-06 | 1 | -0/+93 |
| | | | | | | This also contains specs for a bug described in #14900 | ||||
* | | | | | | Merge branch 'fix-project-404-cache-issue' into 'master' | Yorick Peterse | 2016-04-07 | 2 | -0/+15 |
|\ \ \ \ \ \ | Expire caches after project creation to ensure a consistent state See merge request !3586 | ||||
| * | | | | | | Expire caches after project creation to ensure a consistent state | Stan Hu | 2016-04-07 | 2 | -0/+15 |
| | | | | | | | Closes #14961 | ||||
* | | | | | | | Merge branch 'update_main_lang_if_unset' into 'master' | Rémy Coutable | 2016-04-07 | 3 | -10/+27 |
|\ \ \ \ \ \ \ | |_|/ / / / / |/| | | | | | | Only update main language if it is not already set Related to gitlab-org/gitlab-ce#14937 (but does not fully fix) This is a temporary fix so performance isn't affected so much. cc @yorickpeterse @ayufan how does this look? See merge request !3556 | ||||
| * | | | | | | Only update main language if it is not already set [update_main_lang_if_unset] | Drew Blessing | 2016-04-06 | 3 | -10/+27 |
| | | | | | | | |||||
* | | | | | | | Merge branch 'api-filter-milestone' into 'master' | Rémy Coutable | 2016-04-07 | 4 | -6/+54 |
|\ \ \ \ \ \ \ | API: Ability to filter milestones by state Ability to filter milestones by `active` and `closed` state. * Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931 See merge request !3566 | ||||
| * | | | | | | | Improve coding and doc style | Robert Schilling | 2016-04-06 | 4 | -10/+21 |
| | | | | | | | | |||||
| * | | | | | | | API: Ability to filter milestones by state | Robert Schilling | 2016-04-06 | 4 | -2/+39 |
| | | | | | | | | |||||
* | | | | | | | | Merge branch 'feature/expose-builds-badge' into 'master' | Rémy Coutable | 2016-04-07 | 9 | -10/+137 |
|\ \ \ \ \ \ \ \ | Expose badges This MR exposes badge somewhere in visible place. ![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png) Closes #13801 See merge request !3326 | ||||
| * | | | | | | | | Fix Changelog entries after rebase [feature/expose-builds-badge] | Grzegorz Bizon | 2016-04-06 | 1 | -2/+0 |
| | | | | | | | | | |||||
| * | | | | | | | | Use default branch when displaying list of badges | Grzegorz Bizon | 2016-04-06 | 1 | -1/+1 |
| | | | | | | | | | |||||
| * | | | | | | | | Add Changelog entry for project badges in settings | Grzegorz Bizon | 2016-04-06 | 1 | -0/+3 |
| | | | | | | | | | |||||
| * | | | | | | | | Change name of badge variable in badges controller | Grzegorz Bizon | 2016-04-06 | 2 | -4/+4 |
| | | | | | | | | | |||||
| * | | | | | | | | Remove obsolete badge code from project view | Grzegorz Bizon | 2016-04-06 | 1 | -3/+0 |
| | | | | | | | | | |||||
| * | | | | | | | | Add feature specs for list of badges page | Grzegorz Bizon | 2016-04-06 | 1 | -0/+34 |
| | | | | | | | | | |||||
| * | | | | | | | | Expose project badges in project settings menu | Grzegorz Bizon | 2016-04-06 | 2 | -1/+8 |
| | | | | | | | | | |||||
| * | | | | | | | | Make it possible to switch ref in badges view | Grzegorz Bizon | 2016-04-06 | 2 | -0/+4 |
| | | | | | | | | | |||||
| * | | | | | | | | Add project header title in project badges view | Grzegorz Bizon | 2016-04-06 | 1 | -0/+2 |
| | | | | | | | | | |||||
| * | | | | | | | | Use highlight helper to render badges code syntax | Grzegorz Bizon | 2016-04-06 | 1 | -4/+4 |
| | | | | | | | | | |||||
| * | | | | | | | | Improve view with list of badges | Grzegorz Bizon | 2016-04-06 | 1 | -7/+12 |
| | | | | | | | | | |||||
| * | | | | | | | | Extend build status badge, add html/markdown methods | Grzegorz Bizon | 2016-04-06 | 4 | -8/+63 |
| | | | | | | | | |