[ci skip]
Update grape-entity to 0.6.0
See merge request !7491
Signed-off-by: Rémy Coutable <remy@rymai.me>
Replace issue access checks with use of IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).
- [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`]
- CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87
See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix missing access checks on issue lookup using IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### Issue lookup without access check (security)
- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
- `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access, so fine with confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19
### Code smells
- [x] Potential double render in app/controllers/projects/todos_controller.rb
### Previous discussions
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24
See merge request !2030
Fix information disclosure in `Projects::BlobController#update`
## What does this MR do?
It was possible to discover private project names by modifying the `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/22869
See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix label creation for non-members
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416
See merge request !2006
500 error on project show when user is not logged in and project is still empty
## What does this MR do?
Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show
## Screenshots (if relevant)
When the project is empty and the user is not logged in we default to the empty project partial instead of readme.
![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)
## Does this MR meet the acceptance criteria?
- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #23990
See merge request !7376
Backport JIRA api docs to 8-13-stable
We need to backport the JIRA API docs that were until recently on
master to 8-13-stable also. With 8.14 we simplified the way JIRA is
configured and we need a link to point to the old docs.
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471
See merge request !7677
[ci skip]
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
[ci skip]
Allow commit note to be visible if repo is visible
## What does this MR do?
It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes.
Closes #23824
See merge request !7504
Limit labels returned for a specific project as an administrator
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527
See merge request !7496
Signed-off-by: Rémy Coutable <remy@rymai.me>
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`
## What does this MR do?
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`
It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only).
cc @stanhu @ahanselka
## Why was this MR needed?
Errors shown here: gitlab-org/gitlab-ce#24392
Discovered thanks to gitlab-com/infrastructure#302
## What are the relevant issue numbers?
Fixes #24392
Fixes gitlab-com/support-forum#1280
See merge request !7417
Ensure labels are loaded for all "show" methods of MR Controller
Closes #24397
See merge request !7416
Fix cache for commit status in commits list to respect branches
Closes #24324
See merge request !7372
'master'
Clicking "force remove source branch" label now toggles the checkbox again
We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]`
in order to fix the checkbox toggling when the associated label is clicked.
The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311.
See merge request !7356
Split out markdown cache storage into a separate method
See merge request !7277
Fix no "Register" tab if ldap auth is enabled (#24038)
Closes #24038
See merge request !7274
Fix project Visibility level selector not using default values
closes #20245
See merge request !7264
Fix relative links in Markdown wiki when displayed in "Project" tab
Refers to #23806
See merge request !7218
Add test for refs dropdown selection with special chars
## What does this MR do?
## Are there points in the code the reviewer needs to double check?
## Why was this MR needed?
## Screenshots (if relevant)
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
See merge request !7175
Milestone dropdown does not stay selected
Closes #23713
See merge request !7117
Signed-off-by: Rémy Coutable <remy@rymai.me>
Account for fixed position MR when scrolling to elements
This MR accounts for the new merge request fixed affix bar when scrolling to an element on the MR page.
The fixed MR tabs bar was not being taken into account when shifting permalink scroll targets so that they are unobscured by navigation elements.
Closes #23520
See merge request !7051
Signed-off-by: Rémy Coutable <remy@rymai.me>
Omniauth auto link LDAP user falls back to find by DN when user cannot be found by uid
Unfortunately, SAML IDs can be an LDAP UID, DN, or something else entirely. UID and DN are most common, though. This adds a fallback scenario so we first try to find a matching LDAP user by UID, then by DN. This will fix a problem for the customer in https://gitlab.zendesk.com/agent/tickets/43298
See merge request !7002
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
Restore unauthenticated access to public container registries
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284
/cc @stanhu @kamil @pablo
See merge request !2025
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix for HackerOne XSS vulnerability in markdown
This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fixups to "Round-robin repository storage"
## What does this MR do?
* Simplifies a method in application_settings.rb
* Correctly marks a migration as needing downtime
* Documents the requirement for renamed columns to be
## Are there points in the code the reviewer needs to double check?
Should any of these changes be split out? Ideally we'd get this into the same point release as !7273
## Why was this MR needed?
Post-facto review of !7273
## Screenshots (if relevant)
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [X] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [X] API support added
- Tests
- [X] Added for this feature/bug
- [x] All builds are passing
- [X] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Related to #24059
/cc @yorickpeterse @rspeicher
See merge request !7287
Show pipeline status from branch and commit rather than only commit
Closes #23615
See merge request !7034
Signed-off-by: Rémy Coutable <remy@rymai.me>
Resolve "Introduce round-robin project creation to spread load over multiple shards"
Allow multiple shards to be enabled in the admin settings page, balancing project creation across all enabled shards.
* `f.select ..., multiple: true` isn't the most beautiful UI in the world, but switching to `collection_check_boxes` (or a facsimile thereof) isn't trivial
* Should `pick_repository_storage` be a method of `ApplicationSetting`, or `Project`? It's going to accrete logic over time so perhaps it should be its own class already?
* This is written to avoid the need for a database migration, so it is `serialize :repository_storage` without `, Array`. This is tested, but alternatives include:
* Add a database migration
* Write a custom Coder that will accept a String or Array in `load` and always `dump` an Array.
Closes #24059
See merge request !7273
Signed-off-by: Rémy Coutable <remy@rymai.me>
See merge request !7014
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix lightweight tags not processed correctly by GitTagPushService
Closes #22271
See merge request !6532
Signed-off-by: Rémy Coutable <remy@rymai.me>
'24102-cannot-unselect-remove-source-branch-when-editing-merge-request' into 'master'
Fixes #24102
See merge request !7267
Only skip group when it's actually a group in the "Share with group" select
Fixes #23961
See merge request !7262
Fix project features default values
closes #23242
See merge request !7181
Signed-off-by: Rémy Coutable <remy@rymai.me>
Fix builds tab visibility
closes #23951
See merge request !7178
Signed-off-by: Rémy Coutable <remy@rymai.me>
Optimize group labels page
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23684
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/1148
See merge request !7123
Signed-off-by: Rémy Coutable <remy@rymai.me>
Allow owners to fetch source code in CI builds
Due to a different way of handling owners of a project, they were not allowed to fetch CI sources for the project.
This adds a separate code path for handling owners who are not admins.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23437
See merge request !6943
Signed-off-by: Rémy Coutable <remy@rymai.me>
Respect project visibility settings in the contributions calendar
This MR fixes a number of bugs relating to access controls and date selection of events for the contributions calendar
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23403
See merge request !2019
Ensure external users are not able to clone disabled repositories.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23788
See merge request !2017