| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |\
| |
| |
| |
| | |
Enable frozen string in app/graphql + app/finders
See merge request gitlab-org/gitlab-ce!21681
|
| | |
| |
| |
| | |
Partially addresses #47424.
|
| |/
|
|
|
| |
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
|
| |
|
|
| |
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- The issue filtering frontend code needs access to this API for non-logged-in
users + public projects. It uses the API to fetch information for a user by
username.
- We don't authenticate this API anymore, but instead - if the `current_user` is
not present:
- Verify that the `username` parameter has been passed. This disallows an
unauthenticated user from grabbing a list of all users on the instance. The
`UsersFinder` class performs an exact match on the `username`, so we are
guaranteed to get 0 or 1 users.
- Verify that the resulting user (if any) is accessible to be viewed publicly
by calling `can?(current_user, :read_user, user)`
|
| |
|
