path: root/app
Commit log (graph view). Each commit: subject line, then author | date | files changed | lines removed/added, then the commit message body.
* Merge branch 'ce-reduce-diff-in-groups-create_service' into 'master' [dastor-update-AWS-instructions]
|\    Douglas Barbosa Alexandre | 2019-02-01 | 1 file | -0/+6
| |   Reduce diff with EE in Groups::CreateService
| |   See merge request gitlab-org/gitlab-ce!24871
| * Reduce diff with EE in Groups::CreateService
| |   Rémy Coutable | 2019-02-01 | 1 file | -0/+6
| |   Signed-off-by: Rémy Coutable <remy@rymai.me>
* | Merge branch 'ee-1979-blobs-at' into 'master'
|\ \    Douwe Maan | 2019-02-01 | 1 file | -0/+2
| | |   Fix migration when project repository is missing
| | |   See merge request gitlab-org/gitlab-ce!24859
| * | Fix migration when project repository is missing
| | |   Mark Chao | 2019-02-01 | 1 file | -0/+2
| | |   The data migration looks for the code owner file and errs if the repository is missing.
* | | Merge branch 'ce-reduce-diff-in-pipeline_trigger_service' into 'master'
|\ \ \    Douglas Barbosa Alexandre | 2019-02-01 | 1 file | -0/+10
| |_|/    Reduce diff with EE in Ci::PipelineTriggerService
|/| |     See merge request gitlab-org/gitlab-ce!24866
| * | Reduce diff with EE in Ci::PipelineTriggerService
| |/    Rémy Coutable | 2019-02-01 | 1 file | -0/+10
| |     Signed-off-by: Rémy Coutable <remy@rymai.me>
* | adding a spec for issues/310
|/    Mesut Güneş | 2019-02-01 | 3 files | -4/+4
* Fix cluster installation processing spinner (reopened)
|   Jacques Erasmus | 2019-02-01 | 3 files | -48/+42
* Merge branch 'winh-position-helpers' into 'master'
|\    Clement Ho | 2019-02-01 | 1 file | -0/+6
| |   Add CSS helper classes for positioning
| |   See merge request gitlab-org/gitlab-ce!24821
| * Add CSS helper classes for positioning
| |   Winnie Hellmann | 2019-01-31 | 1 file | -0/+6
* | Merge branch 'qa-github-oauth-login-test-2' into 'master'
|\ \    Rémy Coutable | 2019-02-01 | 2 files | -1/+8
| | |   Add e2e QA test for logging in using GitHub OAuth
| | |   See merge request gitlab-org/gitlab-ce!24817
| * | Add e2e QA test for logging in using GitHub OAuth
| | |   Sanad Liaquat | 2019-02-01 | 2 files | -1/+8
| | |   Adds the test itself and the vendor page object model for GitHub login pages.
* | | Remove d3 metrics graph
|/ /    Adriel Santiago | 2019-02-01 | 14 files | -1266/+2
* | fix(settings): Adjusted vertical alignment of visibility icons
| |   Martin Hobert | 2019-01-31 | 1 file | -0/+2
* | Merge branch 'qa-ml-fix-create-wiki-spec' into 'master'
|\ \    Dan Davison | 2019-01-31 | 3 files | -7/+7
| | |   Fix flaky wiki create test
| | |   Closes gitlab-org/quality/nightly#24
| | |   See merge request gitlab-org/gitlab-ce!24778
| * | Fix flaky wiki create test
| | |   Mark Lapierre | 2019-01-29 | 3 files | -7/+7
| | |   There's an svg on the page that allows you to create a wiki page. The svg takes a fraction of a second to load, after which the "Create your first page" button shifts up a bit. This can cause webdriver to miss the hit, so we wait for the svg to load before clicking the button.
| | |   Also update the elements used in the test to conform to our best practice, and replace `act` with `perform`.
| | |   Finally, remove the `before` block and `login` method, making the code slightly simpler.
* | | [master] Pipelines section is available to unauthorized users
| | |   Kamil Trzciński | 2019-01-31 | 18 files | -39/+93
* | | [master] Check access rights when creating/updating ProtectedRefs
| | |   Francisco Javier López | 2019-01-31 | 1 file | -8/+0
* | | Add subresources removal to member destroy service
| | |   James Lopez | 2019-01-31 | 6 files | -4/+50
* | | Stop showing ci for guest users
| | |   Steve Azzopardi | 2019-01-31 | 1 file | -1/+1
| | |   When a user is a guest user, and the "Public Pipeline" is set to false inside of "Settings > CI/CD > General", the commit status in the project dashboard should not be shown.
* | | Sent notification only to authorized users
| | |   Jan Provaznik | 2019-01-31 | 3 files | -1/+16
| | |   When moving a project, it's possible that some users who had access to the project in the old path can not access the project in the new path. Because `project_authorizations` records are updated asynchronously, when we send the notification about the moved project the list of project team members contains old project members; we want to notify all these members except the old users who can not access the new location.
* | | Use sanitized user status message for user popover
| | |   Dennis Tang | 2019-01-31 | 1 file | -4/+4
* | | Alias GitHub and BitBucket OAuth2 callback URLs
| | |   Stan Hu | 2019-01-31 | 2 files | -3/+3
| | |   To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths:
| | |     GitHub: /users/auth/-/import/github
| | |     Bitbucket: /users/auth/-/import/bitbucket
| | |   This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth
| | |   It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice.
| | |   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
* | | Verify that LFS upload requests are genuine
| | |   Nick Thomas | 2019-01-31 | 1 file | -1/+1
| | |   LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse:
| | |   * Authorizes the request with rails (upload_authorize)
| | |   * Handles the upload of the file to a tempfile - disk or object storage
| | |   * Validates the file size and contents
| | |   * Hands off to rails to complete the upload (upload_finalize)
| | |   In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID.
| | |   Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request.
| | |   If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request. The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID.
| | |   We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
* | | Extract GitLab Pages using RubyZip
| | |   Kamil Trzciński | 2019-01-31 | 1 file | -16/+25
| | |   RubyZip allows us to perform strong validation of expanded paths where we extract files. We introduce the following additional checks to extract routines:
| | |   1. None of the path components can be symlinked,
| | |   2. We drop privileges support for directories,
| | |   3. Symlink source needs to point within the target directory, like `public/`,
| | |   4. The symlink source needs to exist ahead of time.
* | | Use `sanitize_name` to sanitize URL in user full name
| | |   Kushal Pandya | 2019-01-31 | 36 files | -51/+51
* | | Prevent comments by email when issue is locked
| | |   Heinrich Lee Yu | 2019-01-31 | 4 files | -14/+9
| | |   This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues.
| | |   Also rechecks permissions when reply_to_discussion_id is provided, since the discussion_id may be from a different noteable.
* | | Add `sanitize_name` helper to sanitize URLs in user full name
| | |   Kushal Pandya | 2019-01-31 | 1 file | -0/+8
* | | Bump the CACHE_COMMONMARK_VERSION
| | |   Brett Walker | 2019-01-31 | 1 file | -1/+1
| | |   Since we needed to bump the version to 13 in the backports, and we know that an MR on master also bumped it to 13, bump to 14 to ensure that when a customer upgrades to the most recent release, the markdown gets recalculated as necessary.
* | | Added validations to prevent LFS object forgery
| | |   Francisco Javier López | 2019-01-31 | 4 files | -45/+107
* | | Group Guests are no longer able to see merge requests
| | |   Tiago Botelho | 2019-01-31 | 3 files | -11/+38
| | |   Group guests will only be displayed merge requests to projects they have an access level to higher than Reporter. Visible projects will still display the merge requests to Guests.
* | | Fixed bug when external wiki is enabled
| | |   Francisco Javier López | 2019-01-31 | 7 files | -23/+31
| | |   When the external wiki is enabled, the internal wiki link is replaced by the external wiki url. But the internal wiki is still accessible. In this change the external wiki will have its own tab in the sidebar, and only if the services are disabled will the tab (and access rights) not be displayed.
* | | Present all pipeline triggers using trigger presenter
| | |   Grzegorz Bizon | 2019-01-31 | 2 files | -1/+3
* | | Do not expose trigger token when user should not see it
| | |   Grzegorz Bizon | 2019-01-31 | 4 files | -5/+24
* | | Prevent award_emoji to notes not visible to user
| | |   Heinrich Lee Yu | 2019-01-31 | 1 file | -0/+1
| | |   When the parent noteable is not visible to the user (e.g. confidential), we prevent the user from adding emoji reactions to notes.
* | | Use common error for unauthenticated users
| | |   Heinrich Lee Yu | 2019-01-31 | 1 file | -9/+1
| | |   Removes special error message when creating new issues.
* | | Fix slow project reference pattern regex
| | |   Heinrich Lee Yu | 2019-01-31 | 1 file | -0/+1
* | | Don't process MR refs for guests in the notes
| | |   Oswaldo Ferreira | 2019-01-31 | 1 file | -1/+1
* | | Fix contributed projects finder shown private info
| | |   James Lopez | 2019-01-31 | 1 file | -0/+7
* | | Fix path disclosure on Project Import
| | |   James Lopez | 2019-01-31 | 2 files | -2/+24
* | | Merge branch 'kp-add-ignore-rules-for-object-convert-util' into 'master'
|\ \ \    Fatih Acet | 2019-01-31 | 1 file | -2/+24
| | | |   Support for ignore rules in 'convertObjectPropsToCamelCase' helper
| | | |   See merge request gitlab-org/gitlab-ce!24790
| * | | Support for ignore rules in 'convertObjectPropsToCamelCase' helper
| | | |   Kushal Pandya | 2019-01-31 | 1 file | -2/+24
| | | |   Does the following enhancements to the `convertObjectPropsToCamelCase` helper:
| | | |   - Adds support for `dropKeys` within options param to discard properties.
| | | |   - Adds support for `allowKeys` within options param to skip converting property names.
* | | | Add nyc coverage regex to example pattern list
| | | |   Dan Quist | 2019-01-31 | 1 file | -0/+3
* | | | Merge branch '24875-label' into 'master'
|\ \ \ \    Kushal Pandya | 2019-01-31 | 1 file | -1/+12
| |/ / /    Append prioritized label before pagination
|/| | |     Closes #24875
| | | |     See merge request gitlab-org/gitlab-ce!24815
| * | | Append prioritized label before pagination
| | | |   Rajat Jain | 2019-01-31 | 1 file | -1/+12
* | | | Update Sentry client to get project list
| | | |   Reuben Pereira | 2019-01-31 | 2 files | -0/+14
* | | | Merge branch 'hnk-master-patch-61932' into 'master'
|\ \ \ \    Filipa Lacerda | 2019-01-31 | 2 files | -4/+4
| | | | |   Update runner admin page to make description field larger
| | | | |   Closes #54639
| | | | |   See merge request gitlab-org/gitlab-ce!23593
| * | | | Update runner admin page to make description field larger
| | | | |   Sascha Reynolds | 2019-01-30 | 2 files | -4/+4
| | | | |   This changes the table width for the description and version fields to make the runner descriptions more readable. Added changelog.
* | | | | Merge branch 'tz-reduce-js-bundle-select2' into 'master'
|\ \ \ \ \    Filipa Lacerda | 2019-01-31 | 9 files | -313/+350
| | | | | |   Reduce Bundle Size by making select2 loading optional
| | | | | |   Closes #56988
| | | | | |   See merge request gitlab-org/gitlab-ce!24727
| * | | | | Wraps Select 2 Import into its own webpack bundle
| | | | | |   Tim Zallmann | 2019-01-29 | 9 files | -313/+350
| | | | | |   Wraps all imports for select 2 into deferred imports; especially in the main.js we are actually checking if there is any select 2 element on the page or not.