| Commit message | Author | Age | Files | Lines |
| |
[ci skip]
| |
Updated Turbolinks to patched version of turbolinks-classic
See merge request !2048
| |
Update the gitlab-markup gem to the version `1.5.1`
See merge request !8509
| |
[ci skip]
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Filter `incoming_email_token` and `runners_token` parameters
Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676
See merge request !2045
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Issue#visible_to_user moved to IssuesFinder
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.
See merge request !2039
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Fix missing Note access checks by moving Note#search to updated NoteFinder
See merge request !2035
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
API: Memoize the current_user so that the sudo can work properly
Closes #25482
See merge request !8017
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
[ci skip]
| |
Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.
Closes #24537
See merge request !7615
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Make the `downtime_check` task happy
See merge request !7845
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Replace MR access checks with use of MergeRequestsFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### MR lookup from project
- [x] :bomb: app/finders/notes_finder.rb:17
- [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] :bomb: app/controllers/concerns/creates_commit.rb:84
- [x] :traffic_light: app/controllers/projects/commits_controller.rb:24
- [x] :traffic_light: app/controllers/projects/compare_controller.rb:56
- [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27
- [x] :vertical_traffic_light: app/models/commit.rb:268
- [x] :white_check_mark: lib/gitlab/search_results.rb:71
### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize `merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?`
See merge request !2033
| |
[ci skip]
| |
'24813-project-members-with-developer-access-can-no-longer-create-tags' into 'master'
Create tag after running pre-hooks and pass updated SHA to post-hooks
Closes #24813
See merge request !7700
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Ensure state param has a valid value when filtering issuables.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
This fix makes sure we only call safe methods on issuable when filtering by state.
See merge request !2038
| |
[ci skip]
| |
Update grape-entity to 0.6.0
See merge request !7491
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Replace issue access checks with use of IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).
- [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`]
- CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87
See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Fix missing access checks on issue lookup using IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### Issue lookup without access check (security)
- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
- `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19
### Code smells
- [x] Potential double render in app/controllers/projects/todos_controller.rb
### Previous discussions
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24
See merge request !2030
| |
Fix information disclosure in `Projects::BlobController#update`
## What does this MR do?
It was possible to discover private project names by modifying `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/22869
See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Fix label creation non members
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416
See merge request !2006
| |
500 error on project show when user is not logged in and project is still empty
## What does this MR do?
Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show
## Screenshots (if relevant)
When the project is empty and the user is not logged in we default to the empty project partial instead of readme.
![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)
## Does this MR meet the acceptance criteria?
- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #23990
See merge request !7376
| | |
Backport JIRA api docs to 8-13-stable
We need to backport the JIRA API docs that were until recently on
master to 8-13-stable also. With 8.14 we simplified the way JIRA is
configured and we need a link to point to the old docs.
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471
See merge request !7677
| |
[ci skip]
| |
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
[ci skip]
| |
Allow commit note to be visible if repo is visible
## What does this MR do?
It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes.
Closes #23824
See merge request !7504
| |
Limit labels returned for a specific project as an administrator
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527
See merge request !7496
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
| |
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`
## What does this MR do?
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`
It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only).
cc @stanhu @ahanselka
## Why was this MR needed?
Errors shown here: gitlab-org/gitlab-ce#24392
Discovered thanks to gitlab-com/infrastructure#302
## What are the relevant issue numbers?
Fixes #24392
Fixes gitlab-com/support-forum#1280
See merge request !7417
| |
Ensure labels are loaded for all "show" methods of MR Controller
Closes #24397
See merge request !7416
| |
Fix cache for commit status in commits list to respect branches
Closes #24324
See merge request !7372
| |
'master'
Clicking "force remove source branch" label now toggles the checkbox again
We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]`
in order to fix the checkbox toggling when the associated label is clicked.
The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311.
See merge request !7356
| |
Split out markdown cache storage into a separate method
See merge request !7277
| |
Fix no "Register" tab if ldap auth is enabled (#24038)
Closes #24038
See merge request !7274
| |
Fix project Visibility level selector not using default values
closes #20245
See merge request !7264
| |
Fix relative links in Markdown wiki when displayed in "Project" tab
Refers to #23806
See merge request !7218
| |
Add test for refs dropdown selection with special chars
## What does this MR do?
## Are there points in the code the reviewer needs to double check?
## Why was this MR needed?
## Screenshots (if relevant)
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
See merge request !7175
| |
Milestone dropdown does not stay selected
Closes #23713
See merge request !7117
Signed-off-by: Rémy Coutable <remy@rymai.me>