| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| |
| |
| | |
Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3454
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
|
| |/ |
|
| | |
|
| | |
|
| |
|
|
| |
Prefer `json_response` where applicable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the Housekeeping button and API would use the counter of last
pushes to determine whether to do a full garbage collection, or whether
to do one of the less comprehensive tasks: a full repack, incremental
pack, or ref pack. This was confusing behavior, since a project owner
might have to click the button dozens of times before a full GC would be
initiated.
This commit forces a full GC each time this is initiated. Note that the
`ExclusiveLease` in `HousekeepingService` prevents users from clicking
on the button more than once a day.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63349
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Adds frozen string to the following:
* spec/bin/**/*.rb
* spec/config/**/*.rb
* spec/controllers/**/*.rb
xref https://gitlab.com/gitlab-org/gitlab-ce/issues/59758
|
| |
|
|
| |
spec/features/groups/group_page_with_external_authorization_service_spec to EE
|
| |\
| |
| |
| |
| | |
Revert "Merge branch 'if-57131-external_auth_to_ce' into 'master'"
See merge request gitlab-org/gitlab-ce!27051
|
| | |
| |
| | |
This reverts merge request !26823
|
| |/
|
|
|
| |
This reduces a handful of duplicate FindCommit calls while viewing the
projects and commits pages.
|
| |
|
|
| |
spec/features/groups/group_page_with_external_authorization_service_spec to EE
|
| |
|
|
|
| |
- added suggestions to mock data
- fixed props to be not required
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
| |
|
|
|
|
|
|
|
| |
By visiting `projects/:id` you will be redirected to project page with
path in it.
projects/123 => foo/bar
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
|
| | |
|
| |
|
|
|
|
| |
Adds download_code authorization check to ProjectsController#refs
action, to prevent a project guest from seeing branch, tags and
commits information
|
| |
|
|
|
|
|
|
|
|
| |
Updates specs to use new rails5 format.
The old format:
`get :show, { some: params }, { some: headers }`
The new format:
`get :show, params: { some: params }, headers: { some: headers }`
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a project is forked, the new repository used to be a deep copy of everything
stored on disk by leveraging `git clone`. This works well, and makes isolation
between repository easy. However, the clone is at the start 100% the same as the
origin repository. And in the case of the objects in the object directory, this
is almost always going to be a lot of duplication.
Object Pools are a way to create a third repository that essentially only exists
for its 'objects' subdirectory. This third repository's object directory will be
set as alternate location for objects. This means that in the case an object is
missing in the local repository, git will look in another location. This other
location is the object pool repository.
When Git performs garbage collection, it's smart enough to check the
alternate location. When objects are duplicated, it will allow git to
throw one copy away. This copy is on the local repository, where to pool
remains as is.
These pools have an origin location, which for now will always be a
repository that itself is not a fork. When the root of a fork network is
forked by a user, the fork still clones the full repository. Async, the
pool repository will be created.
Either one of these processes can be done earlier than the other. To
handle this race condition, the Join ObjectPool operation is
idempotent. Given its idempotent, we can schedule it twice, with the
same effect.
To accommodate the holding of state two migrations have been added.
1. Added a state column to the pool_repositories column. This column is
managed by the state machine, allowing for hooks on transitions.
2. pool_repositories now has a source_project_id. This column in
convenient to have for multiple reasons: it has a unique index allowing
the database to handle race conditions when creating a new record. Also,
it's nice to know who the host is. As that's a short link to the fork
networks root.
Object pools are only available for public project, which use hashed
storage and when forking from the root of the fork network. (That is,
the project being forked from itself isn't a fork)
In this commit message I use both ObjectPool and Pool repositories,
which are alike, but different from each other. ObjectPool refers to
whatever is on the disk stored and managed by Gitaly. PoolRepository is
the record in the database.
|
| |
|
|
|
| |
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
|
| |
|
|
|
|
| |
Updated docs, refactor import/export code
Fix AvatarUploader path issue
Fix project export upload webhook error
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| |
| |
| |
| |
| | |
Create merge request from email
Closes #32878
See merge request gitlab-org/gitlab-ce!13817
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* new merge request can be created by sending an email to the specific
email address (similar to creating issues by email)
* for the first iteration, source branch must be specified in the mail
subject, other merge request parameters can not be set yet
* user should enable "Receive notifications about your own activity" in
user settings to receive a notification about created merge request
Part of #32878
|
