| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|\
| |
| |
| |
| |
| |
| | |
ProjectsFinder should handle more options
Closes #28810
See merge request !9682
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Extended ProjectFinder in order to handle the following options:
- current_user - which user use
- project_ids_relation: int[] - project ids to use
- params:
- trending: boolean
- non_public: boolean
- starred: boolean
- sort: string
- visibility_level: int
- tags: string[]
- personal: boolean
- search: string
- non_archived: boolean
GroupProjectsFinder now inherits from ProjectsFinder.
Changed the code in order to use the new available options.
|
|/
|
|
|
| |
Fix for three open redirect vulns using redirect_to url_for(params.merge)))
See merge request !2082
|
|
|
| |
This reverts merge request !10076
|
| |
|
|\
| |
| |
| |
| | |
Speed up several project lists
See merge request !9903
|
| | |
|
|/
|
|
|
|
| |
Added the ability to 'Undo mark all as done' todos marked as complete with 'Mark all as done'
in the 'Todo' tab of the Todo dashboard.
The operation undos only the todo previously marked as done with the 'Mark al as done' button.
|
| |
|
|
|
|
| |
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
|
| |
|
| |
|
|
|
|
|
|
| |
The Done button will change to an Undo button and the line item will be greyed out.
Bold links will be unbolded.
The user can undo the task by clicking the Undo button.
|
|
|
|
|
|
| |
Also, don't use limit in subquery, MySQL don't like that.
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
|
|
| |
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
|
|
|
|
| |
Dashboard::ProjectsController#index
|
|
|
|
|
|
|
|
|
|
|
| |
authorized projects
It improves performance in dashboard milestone index page by passing a
hint to "IssuesFinder". "IssuesFinder" generates a more performant query
when it is limited to authorized projects for user.
In the dashboard we already limit the projects to these authorized for
user (see "Dashboard::ApplicationController#projects"), so we can safely
pass this option to "IssuesFinder".
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Todos sorting dropdown
Implements #18135
![todos_sorting](/uploads/bff76827c421628134dfb8b864e47c74/todos_sorting.png)
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5691
|
| | |
|
| | |
|
| |
| |
| |
| | |
Follow-up on 52b0c26
|
|/ |
|
|
|
|
|
|
|
| |
We’re being kept up to date the counter data but we’re not using it.
The only thing which is not real if is the number of projects that the
user read changes the number of todos can be stale for some time.
The counters will be sync just after the user receives a new todo or mark any as done
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
private projects
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.
Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.
Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...
My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.
Now they are all secure.
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
| |
|
|
|
|
|
|
|
| |
- As todos are created/updated inside the TodoService
we repopulate the cache just there for both pending/done todos
- Todos as mark as done from the TodosController we update cache
there too
- All the added methods are kept in the User class for cohesion
|
|\
| |
| |
| | |
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
|
| |
| |
| |
| |
| | |
`render nothing: true` has been deprecated.
For more information see [pr](https://github.com/rails/rails/pull/20336)
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Restrict starred projects to viewable ones
`User#starred_projects` doesn't perform any visibility checks. This has
a couple of problems:
1. It assumes a user can always view all of their starred projects in
perpetuity (project not changed to private, access revoked, etc.).
2. It assumes that we'll only ever allow a user to star a project they
can view. This is currently the case, but bugs happen.
Add `User#viewable_starred_projects` to filter the starred projects by
those the user either has explicit access to, or are public or
internal. Then use that in all places where we list the user's starred
projects.
Closes #17249.
See merge request !4108
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`User#starred_projects` doesn't perform any visibility checks. This has
a couple of problems:
1. It assumes a user can always view all of their starred projects in
perpetuity (project not changed to private, access revoked, etc.).
2. It assumes that we'll only ever allow a user to star a project they
can view. This is currently the case, but bugs happen.
Add `User#viewable_starred_projects` to filter the starred projects by
those the user either has explicit access to, or are public or
internal. Then use that in all places where we list the user's starred
projects.
|
|/ / |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
Removes the group if empty
|
|/
|
|
|
| |
Fixes #13656
A good first step and boring solution.
|
| |
|
|
|
|
| |
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
|
|
|
|
|
|
| |
default""
This reverts commit 617bb1096deb1fb5dea66d04b9bbd7da0dfb57ba.
|