| Commit message | Author | Age | Files | Lines |
'11-11-stable'
Don't display badges when builds are restricted
See merge request gitlab/gitlabhq!3186
Badges were leaked to unauthorized users even when the Public Builds
project setting is disabled.
Added a guard clause to the controller to check if the user can read
the build.
MR pipeline permissions
See merge request gitlab/gitlabhq!3217
MergeRequest#all_pipelines
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source
project, so we should specifically check that project for permissions.
This was already happening for intra-project merge requests, but in the
event that the target and source projects both have private builds, we
should ensure that the project permissions are respected.
'11-11-stable'
Drop feature to take ownership of a trigger token
See merge request gitlab/gitlabhq!3228
Removing API and frontend interactions that allowed
users to take ownership of a trigger token.
Removed mentions from the documentation.
'security-2873-restrict-slash-commands-to-users-who-can-log-in-11-11' into '11-11-stable'
Restrict slash commands to users who can log in
See merge request gitlab/gitlabhq!3239
Filter params in MR build service
See merge request gitlab/gitlabhq!3255
Reusing the existing `IssuableBaseService#filter_params` which uses
the policies to determine what params a user can set, and which values
it can be set to.
This also removed the need for the separate call to
`IssuableBaseService#ensure_milestone_available`.
The `Issues::BuildService` does not suffer from this because it limits
the params that are assignable to the `title`, `description` and
`milestone_id`.
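The commit above relies on a policy-driven filter that decides both which keys a user may set and which values those keys may take. The following is an added illustration of that pattern, not GitLab's code: the Policy class, the ability names (:create_issuable, :admin_issuable) and the project data are assumptions made for the example.

```ruby
# Added example, not GitLab's code: policy-driven parameter filtering for an
# issuable build service, in the spirit of IssuableBaseService#filter_params.
# The Policy class, the ability names and the project data are assumptions
# made for this illustration.

class Policy
  # Hypothetical role model: a guest may only set title and description,
  # a developer may additionally assign people and pick a milestone or labels.
  ABILITIES = {
    guest:     %i[create_issuable],
    developer: %i[create_issuable admin_issuable]
  }.freeze

  def initialize(role)
    @role = role
  end

  def can?(ability)
    ABILITIES.fetch(@role, []).include?(ability)
  end
end

# Constructed project state: the milestones and labels that belong to the
# project the issuable is being created in.
PROJECT = { milestone_ids: [10, 11], label_ids: [100, 101] }.freeze

BASE_KEYS  = %i[title description].freeze                   # anyone may set these
ADMIN_KEYS = %i[assignee_ids milestone_id label_ids].freeze # need :admin_issuable

# Returns a new hash with only the params this user may set, restricted to
# values that reference records inside the project. Filtering the values as
# well as the keys is what makes a separate ensure_milestone_available call
# unnecessary.
def filter_params(params, policy)
  allowed = params.select { |key, _| BASE_KEYS.include?(key) }

  if policy.can?(:admin_issuable)
    ADMIN_KEYS.each { |key| allowed[key] = params[key] if params.key?(key) }
  end

  if allowed.key?(:milestone_id) && !PROJECT[:milestone_ids].include?(allowed[:milestone_id])
    allowed.delete(:milestone_id) # milestone from another project: drop it
  end
  if allowed.key?(:label_ids)
    allowed[:label_ids] = allowed[:label_ids].select { |id| PROJECT[:label_ids].include?(id) }
  end

  allowed
end
```

The key point is that the filter is applied before any attribute assignment, so a guest submitting assignee_ids or a developer submitting a milestone_id from another project never reaches the model with those values.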
Do not show moved issue id for users that cannot read issue
Ability to write a note in a private snippet
See merge request gitlab/gitlabhq!3141
In the Snippets::NotesController the noteable was resolved and
authorized through the :snippet_id, so by passing a :target_id for a
different snippet it was possible to create a note on a snippet
where the user would be unauthorized to do so otherwise.
This fixes the problem by ignoring the :target_id and :target_type from
the request, and using the same noteable for creation and authorization.
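The mismatch described in this commit (authorize one object, attach the note to another) is easy to reproduce outside Rails. The following is an added example, not GitLab's code: Snippet, Note and the lookup table are toy stand-ins, and the :snippet_id / :target_id parameter names follow the commit message.

```ruby
# Added example, not GitLab's code: why the object used for authorization
# must be the same object the note is attached to. Snippet, Note and the
# SNIPPETS table are constructed stand-ins for the Rails models.

Snippet = Struct.new(:id, :owner, :visibility) do
  def readable_by?(user)
    visibility == :public || owner == user
  end
end

Note = Struct.new(:noteable, :author, :body)

class NotAuthorized < StandardError; end

# Constructed sample data: snippet 1 is public, snippet 2 is private to :bob.
SNIPPETS = {
  1 => Snippet.new(1, :alice, :public),
  2 => Snippet.new(2, :bob, :private)
}.freeze

# Vulnerable shape: authorization looks at params[:snippet_id], but the note
# is built from params[:target_id], so a caller can name a readable snippet
# for the check and an unreadable one for the note.
def create_note_vulnerable(params, user)
  authorized_snippet = SNIPPETS.fetch(params[:snippet_id])
  raise NotAuthorized unless authorized_snippet.readable_by?(user)

  target = SNIPPETS.fetch(params.fetch(:target_id, params[:snippet_id]))
  Note.new(target, user, params[:body])
end

# Fixed shape: :target_id and :target_type are ignored; the object that was
# authorized is the object the note is created on.
def create_note_fixed(params, user)
  noteable = SNIPPETS.fetch(params[:snippet_id])
  raise NotAuthorized unless noteable.readable_by?(user)

  Note.new(noteable, user, params[:body])
end
```

Passing snippet_id: 1, target_id: 2 as :mallory gets a note onto bob's private snippet in the vulnerable version and onto the public snippet 1 in the fixed one; asking the fixed version for snippet 2 directly raises NotAuthorized.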
'security-prevent-detection-of-merge-request-template-name-11-11' into '11-11-stable'
Guests can know whether merge request template name exists or not
See merge request gitlab/gitlabhq!3149
Previously, if a user was a guest member of a private project, they
could access the merge request template as we were not checking
permission-levels of the user.
When an issue template is asked for, the user must have :read_issue for
the project; or :read_merge_request when a merge request template is
asked for.
We also now rescue_from FileNotFoundError and handle it as a 404. This is
because RepoTemplateFinder can raise a FileNotFoundError exception,
which Rails previously handled as a 500.
These are handled in a way that is consistent with
ActiveRecord::RecordNotFound exceptions, within controllers that
inherit from Projects::ApplicationController at least, and return a
404.
https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
Persist tmp snippet uploads at users
See merge request gitlab/gitlabhq!3165
It persists temporary personal snippets under
user/:id namespaces temporarily while creating
an upload record to track it. If a user gets removed
while it's still a tmp upload, it also gets removed.
If the tmp upload is sent, the upload gets moved to
personal_snippets/:id as before. The upload record
also gets updated to the new model type as well.
'11-11-stable'
Expose merge requests count based on user access
See merge request gitlab/gitlabhq!3168
Count issues' related merge requests based on user access level. An
issue can have related MRs from projects where the user does not have
access so the number of related merge requests should be adjusted
based on user's ability to access the related MRs.
https://gitlab.com/gitlab-org/gitlab-ce/issues/59581
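This commit and the MergeRequest#all_pipelines commit above make the same point from two directions: the permission check has to be evaluated against the project that owns the records being returned, not the project the caller happened to come in through. The following is an added example, not GitLab's code; Project, MergeRequest and Issue are toy structs with constructed data, and the access rules (public builds or membership for pipelines, target-project membership for merge requests) are assumptions for the illustration.

```ruby
# Added example, not GitLab's code: scoping permission checks to the project
# that owns the records. All structs and data below are constructed, and the
# access rules are assumptions made for this illustration.

Project      = Struct.new(:name, :public_builds, :members)
MergeRequest = Struct.new(:id, :source_project, :target_project, :pipelines)
Issue        = Struct.new(:id, :related_merge_requests)

def member?(user, project)
  project.members.include?(user)
end

# Pipelines can be hidden even from people who can see the project
# ("private builds"), so the check is against the pipelines' own project.
def can_read_pipelines?(user, project)
  project.public_builds || member?(user, project)
end

def can_read_merge_request?(user, mr)
  member?(user, mr.target_project)
end

# MergeRequest#all_pipelines-style lookup: the pipelines live in the source
# project, so that is the project whose permissions matter, even when the
# caller reached the MR through the target project.
def visible_pipelines(user, mr)
  return [] unless can_read_pipelines?(user, mr.source_project)

  mr.pipelines
end

# Related-MR count for an issue: count only the MRs the user can read,
# rather than every MR that references the issue.
def related_merge_request_count(user, issue)
  issue.related_merge_requests.count { |mr| can_read_merge_request?(user, mr) }
end

# Constructed sample: a fork with private builds (only :eve) proposes an MR
# into an upstream project with public builds (:alice and :eve are members).
UPSTREAM = Project.new('lib', true, %i[alice eve])
FORK     = Project.new('lib-fork', false, %i[eve])
OTHER    = Project.new('other', false, %i[eve])

MR_FROM_FORK = MergeRequest.new(1, FORK, UPSTREAM, %w[pipe-1 pipe-2])
MR_INTERNAL  = MergeRequest.new(2, UPSTREAM, UPSTREAM, %w[pipe-3])
MR_ELSEWHERE = MergeRequest.new(3, OTHER, OTHER, [])
ISSUE        = Issue.new(7, [MR_FROM_FORK, MR_INTERNAL, MR_ELSEWHERE])
```

With this data :alice can see the upstream MR's pipelines but not the fork's, even though she reached the fork's MR through a project she is a member of, and the related-MR count she sees on the issue is 2 rather than 3.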
'11-11-stable'
Fix type authorizations in GraphQL
See merge request gitlab/gitlabhq!3173
0. Add authorize to LabelType and NamespaceType.
1. Make sure that authorizations on non-nullable fields are also
executed.
Fix color validation regex causing DoS
See merge request gitlab/gitlabhq!3177
Also prevents ReDoS vulnerability
Disable Rails SQL query cache when applying service templates
See merge request gitlab/gitlabhq!3180
When the SQL query cache is active, the SELECT query for finding
projects to apply service templates returns the same values. This causes
an infinite loop because even though bulk INSERT queries are made, the
cached results never reflect that progress. To fix this, we call
`Project.uncached` around the query to ensure new data is retrieved.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63595
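The failure mode in this commit is a general one: a "find rows that still need work, insert, repeat" loop whose SELECT is served from a per-request query cache never observes its own INSERTs. The following simulation is an added example, not GitLab's or Rails' code; the in-memory table and QueryCache are toy stand-ins for ActiveRecord's connection-level query cache, and the uncached block plays the role of Project.uncached.

```ruby
# Added example, not GitLab's code: why an active SQL query cache turns a
# "select rows still needing work, insert, repeat" loop into an infinite loop,
# and how wrapping the SELECT in an uncached window fixes it. PROJECTS,
# SERVICES and QueryCache are constructed stand-ins, not ActiveRecord.

# Constructed sample data: projects 1..5, none with the service applied yet.
PROJECTS = (1..5).map { |id| { id: id } }
SERVICES = [] # rows of a "services" table: { project_id: }

class QueryCache
  def initialize
    @store = {}
    @enabled = true
  end

  # Memoizes the result of +sql+ while caching is enabled. Nothing here
  # invalidates the entry when SERVICES changes, which is the whole problem.
  def fetch(sql)
    return yield unless @enabled

    @store[sql] ||= yield
  end

  # Stand-in for Project.uncached: disable the cache for the block only.
  def uncached
    was = @enabled
    @enabled = false
    yield
  ensure
    @enabled = was
  end
end

# The SELECT that finds projects without the service, in batches of 2.
def projects_without_service(cache, batch_size: 2)
  cache.fetch("SELECT id FROM projects WHERE id NOT IN (services) LIMIT #{batch_size}") do
    done = SERVICES.map { |s| s[:project_id] }
    PROJECTS.reject { |p| done.include?(p[:id]) }.first(batch_size)
  end
end

# Apply the template in batches. Returns the number of batches processed, or
# raises once +max_iterations+ is exceeded (the stand-in for "runs forever").
def apply_template(cache, uncached: false, max_iterations: 20)
  SERVICES.clear
  iterations = 0
  loop do
    batch = if uncached
              cache.uncached { projects_without_service(cache) }
            else
              projects_without_service(cache)
            end
    break if batch.empty?

    iterations += 1
    raise "still looping after #{max_iterations} batches" if iterations > max_iterations

    # Bulk INSERT of one row per project in the batch.
    batch.each { |p| SERVICES << { project_id: p[:id] } }
  end
  iterations
end
```

With the cache active the first batch ([1, 2]) is returned on every iteration and the loop only stops because of the iteration guard; with the SELECT run uncached the loop sees [1, 2], [3, 4], [5], [] and finishes after three batches.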
Fix IDE commit to use start_ref
See merge request gitlab-org/gitlab-ce!30079
**Why?**
The branch HEAD could have changed since the
IDE was opened. This leads to users unintentionally
creating commits that overwrite other changes.
https://gitlab.com/gitlab-org/gitlab-ce/issues/59023
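The protection this commit describes is a compare-and-swap on the branch ref: the IDE remembers where the branch pointed when it was opened and the commit is only applied if it still points there. The following is an added example, not GitLab's code; RefStore is a constructed stand-in for the repository's ref storage and the SHA strings are made up.

```ruby
# Added example, not GitLab's code: an optimistic-concurrency check for a
# web IDE style commit. RefStore and the SHA values are constructed.

class StaleBranch < StandardError; end

class RefStore
  def initialize(refs)
    @refs = refs.dup
  end

  def head(branch)
    @refs.fetch(branch)
  end

  # Compare-and-swap update: only move the branch if it is still at
  # +expected_old_sha+, otherwise refuse. Returns the new head.
  def update_ref(branch, new_sha, expected_old_sha)
    current = @refs[branch]
    unless current == expected_old_sha
      raise StaleBranch, "#{branch} moved from #{expected_old_sha} to #{current}"
    end

    @refs[branch] = new_sha
  end

  # What happens without the check: the branch is moved regardless, and any
  # commit that landed in between is no longer reachable from the branch.
  def update_ref_unchecked(branch, new_sha)
    @refs[branch] = new_sha
  end
end

# Commit as the IDE would: start_sha is the branch head the IDE was opened
# at, new_sha the commit built on top of it. With check_start_ref the branch
# only advances if nobody pushed in between.
def ide_commit(store, branch:, start_sha:, new_sha:, check_start_ref: true)
  if check_start_ref
    store.update_ref(branch, new_sha, start_sha)
  else
    store.update_ref_unchecked(branch, new_sha)
  end
end
```

In a real git backend the same effect comes from passing the expected old value to the ref update (git update-ref with an old value, or the equivalent in the RPC layer); the point is that the IDE's start_sha, not the branch's current HEAD, is what the commit is checked against.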
Fix gl_dropdown scrolling to top on assignee click
See merge request gitlab-org/gitlab-ce!29500
(cherry picked from commit 2a29f910592e82d8f8d108e15497dd2fbbbb07ca)
3130572f Fix gl_dropdown scrolling to top on assignee click
Fix Fogbugz Importer not working
Closes #33530
See merge request gitlab-org/gitlab-ce!29383
(cherry picked from commit 895519a83e186071a6144917806250fb8da59036)
1a4d1b05 Fix Fogbugz Importer not working
Add 60s and 5m values to the buckets used by prometheus to measure time
Closes #62113
See merge request gitlab-org/gitlab-ce!28557
(cherry picked from commit 20375f811a6ffa35568d70b97a3793b97231d0dd)
77d5516d Add 60s & 5m monitor buckets for CI queues
Fix label click scrolling to top
Closes #61246
See merge request gitlab-org/gitlab-ce!29202
(cherry picked from commit 92b06c13bd12abf85f6beb18b3b5c2f0e38c2760)
c9c7fa7b Fix label click scrolling to top
Revert "Disable retrying cancelled jobs"
Closes #62350
See merge request gitlab-org/gitlab-ce!29201
(cherry picked from commit 8501edcd465923c9c6a45abe6c863fc3cd25973a)
e58e24b4 Revert "Merge branch..."
Revert a default GIT_DEPTH for MR pipeline
See merge request gitlab-org/gitlab-ce!28926
(cherry picked from commit 765917dc088bee52a3f95d76fc7f32d408a2af20)
dbd62232 Revert a default GIT_DEPTH for MR pipeline
Fix project settings not being able to update
Closes #62708
See merge request gitlab-org/gitlab-ce!29097
'11-11-stable'
Add DNS rebinding protection settings
See merge request gitlab/gitlabhq!3130
Disallow invalid MR branch name
See merge request gitlab/gitlabhq!3095
Prevents a refspec as a branch name, which would bypass branch protection
when used in conjunction with rebase.
HEAD seems to be a special case with lots of occurrences,
so it is considered valid for now.
Another special case is `refs/head/*`, which can be imported.
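A refspec such as +refs/heads/feature:refs/heads/master is a push instruction rather than a name, so if it is accepted where a branch name is expected, a later rebase can push to a branch the caller never named. The validator below is an added example, not GitLab's code: its rules (plain branch names allowed, HEAD special-cased, refs/heads/* accepted, anything with a ":", a leading "+", another refs/ namespace or characters git rejects in ref names refused) are this example's own reading of the commit message.

```ruby
# Added example, not GitLab's code: rejecting refspecs where a single branch
# name is expected. The rule set is an assumption based on the commit message
# and on git's own ref-name restrictions (git-check-ref-format).

REFSPEC_SEPARATOR = ':'

# Characters git refuses in ref names: control characters, space, ~ ^ : ? * [ \
INVALID_REF_CHARS = /[\x00-\x20~^:?*\[\\]/
# Patterns git refuses: "..", a component starting with ".", a trailing ".",
# a trailing ".lock", leading/trailing/double "/", and "@{".
INVALID_REF_PATTERNS = [/\.\./, /\A\./, /\/\./, /\.\z/, /\.lock\z/, /\A\//, /\/\z/, /\/\//, /@\{/].freeze

def valid_git_ref_name?(name)
  return false if name.empty?
  return false if name.match?(INVALID_REF_CHARS)

  INVALID_REF_PATTERNS.none? { |pattern| name.match?(pattern) }
end

# Normalizes a merge request branch parameter to a plain branch name, or
# returns nil when the value is a refspec or otherwise not a single branch.
def merge_request_branch(value)
  return 'HEAD' if value == 'HEAD'                 # special-cased as valid
  return nil if value.start_with?('+')             # force-push refspec marker
  return nil if value.include?(REFSPEC_SEPARATOR)  # src:dst refspec

  # refs/heads/<name> is accepted (such names can arrive via import) and
  # reduced to <name>; any other refs/ namespace is not a branch.
  name = value.start_with?('refs/heads/') ? value.delete_prefix('refs/heads/') : value
  return nil if name.start_with?('refs/')

  valid_git_ref_name?(name) ? name : nil
end
```

The check is deliberately done on the value as received, before it is interpolated into any git command or ref update, so that a rebase or push performed later operates only on a name the validator has already reduced to a single branch.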
Hide issue title on unsubscribe for anonymous users
See merge request gitlab/gitlabhq!3099
'11-11-stable'
Fix confidential issue label disclosure on milestone view
See merge request gitlab/gitlabhq!3102
'11-11-stable'
Handling password on import by url page
See merge request gitlab/gitlabhq!3109
Resolve: Milestones leaked via search API
See merge request gitlab/gitlabhq!3110
Fix milestone titles being leaked using search API
when users cannot read milestones