path: root/lib
Commit message [Author, Age, Files, Lines]
* Merge branch 'jej-note-search-uses-finder' into 'security' [Douwe Maan, 2016-12-15, 2 files, -4/+2]
| Fix missing Note access checks in by moving Note#search to updated NoteFinder
|
| Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
|
| ## Which fixes are in this MR?
|
| :warning: - Potentially untested
| :bomb: - No test coverage
| :traffic_light: - Test coverage of some sort exists (a test failed when error raised)
| :vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
| :white_check_mark: - Permissions check tested
|
| ### Note lookup without access check
|
| - [x] :white_check_mark: app/finders/notes_finder.rb:13 :download_code check
| - [x] :white_check_mark: app/finders/notes_finder.rb:19 `SnippetsFinder`
| - [x] :white_check_mark: app/models/note.rb:121 [`Issue#visible_to_user`]
| - [x] :white_check_mark: lib/gitlab/project_search_results.rb:113
|   - This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
|   - It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.
|
| ### Previous discussions
|
| - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `: download_code` check on commit
| - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
|   - `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223
|
| ### Acceptance criteria met?
|
| - [x] Tests added for new code
| - [x] TODO comments removed
| - [x] Squashed and removed skipped tests
| - [x] Changelog entry
| - [ ] State Gitlab versions affected and issue severity in description
| - [ ] Create technical debt issue for NotesFinder.
|   - Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
|   - Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
|   - Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`
|
| See merge request !2035
* Merge branch 'katex-math' into 'master' [Sean McGivern, 2016-12-15, 5 files, -1/+105]
|\
| | Render math in Asciidoc and Markdown with KaTeX using code blocks
| | Closes #13690 and #13180
| | See merge request !8003
| * Render math in Asciidoc and Markdown with KaTeX using code blocks [Munken, 2016-12-14, 7 files, -35/+87]
| |
| * Better location for math lexer [Munken, 2016-12-08, 2 files, -22/+21]
| |
| * Removed alias and filenames [Munken, 2016-12-08, 1 file, -2/+0]
| |
| * Hacked in Math Lexer [Munken, 2016-12-08, 1 file, -0/+27]
| |
| * Math works for inline syntax [Munken, 2016-12-08, 1 file, -2/+0]
| |
| * Working inline math filter [Munken, 2016-12-08, 2 files, -0/+30]
| |
* | Add Gitlab::Middleware::Multipart [Jacob Vosmaer, 2016-12-15, 3 files, -2/+122]
| |
* | Introduce deployment services, starting with a KubernetesService [Nick Thomas, 2016-12-14, 2 files, -0/+36]
| |
* | Merge branch 'build-statuses' into 'master' [Rémy Coutable, 2016-12-14, 16 files, -43/+284]
|\ \
| | | Detailed build statuses
| | | ## What does this MR do?
| | | Implements detailed statuses for `Ci::Builds` and `CommitStatus`. It also adds a new icon for manual build.
| | | ## Screenshots
| | | ![manual_builds_icon](/uploads/22b5c594350856c85398ef705a635f8b/manual_builds_icon.png)
| | | ## What are the relevant issue numbers?
| | | See #24273, closes #22642
| | | See merge request !7989
| * | Remove trailing blank line from Allowable module [Grzegorz Bizon, 2016-12-14, 1 file, -1/+0]
| | |
| * | Make it possible to mix `Gitlab::Routing` in [Grzegorz Bizon, 2016-12-13, 2 files, -1/+7]
| | |
| * | Extract abilities checking module from ability model [Grzegorz Bizon, 2016-12-13, 2 files, -1/+9]
| | |
| * | Refine build stop/play extended status specs [Grzegorz Bizon, 2016-12-13, 1 file, -4/+4]
| | |
| * | Use manual build icon in play/stop build statuses [Grzegorz Bizon, 2016-12-13, 2 files, -4/+12]
| | |
| * | Add specs for build stop extended detailed status [Grzegorz Bizon, 2016-12-12, 1 file, -4/+0]
| | |
| * | Fix build stop extended status CSS class [Grzegorz Bizon, 2016-12-12, 1 file, -4/+0]
| | |
| * | Fix path to build status details in common helpers [Grzegorz Bizon, 2016-12-12, 1 file, -1/+1]
| | |
| * | Add action_class/action_title [Kamil Trzcinski, 2016-12-12, 5 files, -3/+30]
| | |
| * | Fix auto loading of constants for Ci Statuses [Kamil Trzcinski, 2016-12-12, 4 files, -5/+5]
| | |
| * | Fix some detailed statuses specs related to abilities [Grzegorz Bizon, 2016-12-12, 2 files, -1/+2]
| | |
| * | Incorporate permission checks into new CI statuses [Grzegorz Bizon, 2016-12-12, 11 files, -49/+60]
| | | [ci skip]
| * | Refactor ci status factories to DRY code a little [Grzegorz Bizon, 2016-12-12, 5 files, -29/+28]
| | |
| * | Check permission of details [Kamil Trzcinski, 2016-12-12, 4 files, -7/+7]
| | |
| * | Introduce `cancelable` and `returnable` [ci skip] [Kamil Trzcinski, 2016-12-12, 5 files, -35/+64]
| | |
| * | Improve actions [Kamil Trzcinski, 2016-12-12, 4 files, -18/+106]
| | |
| * | Added Ci::Status::Build [Kamil Trzcinski, 2016-12-12, 3 files, -3/+76]
| | |
* | | Merge branch 'api-cherry-pick' into 'master' [Rémy Coutable, 2016-12-13, 1 file, -1/+35]
|\ \ \
| | | | Adds the ability to cherry pick a commit via the API. Right now it only supports to directly cherry pick a commit and not starting a MR from it. Shall we do that also for the API?
| | | | Closes #25450
| | | | See merge request !8047
| * | | API: Ability to cherry-pick a commit [Robert Schilling, 2016-12-13, 1 file, -1/+35]
| |/ /
* | | Merge branch '25482-fix-api-sudo' into 'master' [Sean McGivern, 2016-12-13, 2 files, -54/+77]
|\ \ \
| | | | API: Memoize the current_user so that the sudo can work properly
| | | | Closes #25482
| | | | See merge request !8017
| * | | Be smarter when finding a sudoed user in API::Helpers (branch: 25482-fix-api-sudo) [Rémy Coutable, 2016-12-13, 1 file, -13/+11]
| | | | Signed-off-by: Rémy Coutable <remy@rymai.me>
| * | | API: Memoize the current_user so that the sudo can work properly [Rémy Coutable, 2016-12-12, 2 files, -54/+79]
| |/ /
| | | The issue was arising when `#current_user` was called a second time after a user was impersonated: the `User#is_admin?` check would be performed on it and it would fail.
| | | Signed-off-by: Rémy Coutable <remy@rymai.me>
* | | Merge branch 'api-simple-group-project' into 'master' [Rémy Coutable, 2016-12-13, 1 file, -1/+4]
|\ \ \
| | | | API: Ability to get group's project in simple representation
| | | | Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25412
| | | | See merge request !8060
| * | | API: Ability to get group's project in simple representation (branch: api-simple-group-project) [Robert Schilling, 2016-12-13, 1 file, -1/+4]
| | | |
* | | | Merge branch 'dz-create-routes-lower-index' into 'master' [Dmitriy Zaporozhets, 2016-12-13, 1 file, -0/+4]
|\ \ \ \
| | | | | Add index to routes table on lower path for postgresql
| | | | | Improve performance of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7121
| | | | | See merge request !8041
| * | | | Add AddLowerPathIndexToRoutes to setup_postgresql.rake [Dmitriy Zaporozhets, 2016-12-13, 1 file, -0/+4]
| | |/ /
| |/| |
| | | | Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
* | | | Merge branch 'allow-more-filenames' into 'master' [Rémy Coutable, 2016-12-13, 1 file, -2/+2]
|\ \ \ \
| | | | | Allow all alphanumeric characters in file names
| | | | | ## What does this MR do?
| | | | | Allow more characters in file names such as Chinese symbols.
| | | | | ## Why was this MR needed?
| | | | | It is annoying that some files which can be uploaded using Git CLI cannot be created with the web editor.
| | | | | ## What are the relevant issue numbers?
| | | | | fixes #20190
| | | | | See merge request !8002
| * | | | Allow all alphanumeric characters in file names (!8002) [winniehell, 2016-12-13, 1 file, -2/+2]
| | |/ /
| |/| |
* | | | Merge branch 'dz-nested-group-improvements-2' into 'master' [Sean McGivern, 2016-12-13, 1 file, -1/+1]
|\ \ \ \
| | | | | Minor improvements to nested groups code
| | | | | See merge request !8011
| * | | | Rename Routable.where_paths_in to Routable.where_full_path_in (branch: dz-nested-group-improvements-2) [Dmitriy Zaporozhets, 2016-12-11, 1 file, -1/+1]
| | | | | Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
* | | | | Merge branch 'api-dont-allow-blank-mr-titles' into 'master' [Sean McGivern, 2016-12-13, 1 file, -2/+2]
|\ \ \ \ \
| |_|/ / /
|/| | | |
| | | | | Don't allow blank MR titles in API
| | | | | Closes #25033
| | | | | See merge request !7848
| * | | | Don't allow blank MR titles in API (branch: api-dont-allow-blank-mr-titles) [Robert Schilling, 2016-12-13, 1 file, -2/+2]
| | |/ /
| |/| |
* | | | Merge branch 'grapify-service-api' into 'master' [Rémy Coutable, 2016-12-12, 2 files, -65/+572]
|\ \ \ \
| | | | | Grapify the service API
| | | | | Related to #22928
| | | | | See merge request !7970
| * | | | Grapify the service API [Robert Schilling, 2016-12-09, 2 files, -65/+572]
| | | | |
* | | | | Merge branch 'unescape-relative-path' into 'master' [Gabriel Mazetto, 2016-12-12, 1 file, -8/+6]
|\ \ \ \ \
| | | | | | Avoid escaping relative links in Markdown twice
| | | | | | ## What does this MR do?
| | | | | | Avoid escaping relative links in Markdown twice.
| | | | | | ## Why was this MR needed?
| | | | | | Relative links with special characters (e.g. spaces) were escaped twice.
| | | | | | ## What are the relevant issue numbers?
| | | | | | closes #25191, #25318
| | | | | | See merge request !7940
| * | | | | Avoid escaping relative links in Markdown twice (!7940) [winniehell, 2016-12-12, 1 file, -8/+6]
| | | | | |
* | | | | | Merge branch 'api-fix-group-projects-filter' into 'master' [Rémy Coutable, 2016-12-12, 1 file, -1/+10]
|\ \ \ \ \ \
| | | | | | | API: Add the project filter to the groups endpoint.
| | | | | | | Related to #22928.
| | | | | | | Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25420
| | | | | | | See merge request !8034
| * | | | | | API: Fix groups filter [Robert Schilling, 2016-12-12, 1 file, -1/+10]
| | | | | | |
* | | | | | | Merge branch 'issue_25030' into 'master' [Sean McGivern, 2016-12-12, 1 file, -8/+8]
|\ \ \ \ \ \ \
| |_|_|_|/ / /
|/| | | | | |
| | | | | | | Allow branch names with dots on API endpoint
| | | | | | | closes #25030
| | | | | | | See merge request !7963