Commit message | Author | Age | Files | Lines

'12-5-stable'
Related Branches Visible to Guests in Issue Activity
See merge request gitlab/gitlabhq!3538

Notes related to branch creation should not be shown in an issue's
activity feed when the user doesn't have access to :download_code.

Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3491

This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
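Added illustration of the status-code oracle this commit message describes; it is not GitLab's code. The request model, the REPOS table, the dispatch model (a URL that matches nothing is answered 404 by the router, while a URL naming a repo the caller may not see reaches the controller fallback) and all function names are assumptions made for the example.

```ruby
# Added illustration (not GitLab's code) of a status-code oracle in a
# "route not found" fallback, and of a fallback that closes it. Names,
# the REPOS table and the request model are constructed for this example.

Request = Struct.new(:path, :format, :user, keyword_init: true)

# Constructed repository table: path => visibility.
REPOS = {
  "/acme/website" => :public,
  "/acme/payroll" => :private
}.freeze

# :ok if the caller may view the repo, :forbidden if it exists but the
# caller may not, :missing if no repo lives at the path.
def lookup(request)
  case REPOS[request.path]
  when :public  then :ok
  when :private then request.user ? :ok : :forbidden
  else :missing
  end
end

# Devise-style authenticate_user!: HTML requests are redirected to the
# sign-in page (302); JSON/API requests get a bare 401 instead.
def authenticate_user!(request)
  return nil if request.user
  request.format == :json ? 401 : 302
end

# Assumed model: a URL that matches no route at all never reaches a
# controller and is answered 404 by the router, whereas a URL naming a
# repo the caller may not see reaches the controller's fallback.
def dispatch(request, fallback)
  case lookup(request)
  when :ok        then 200
  when :forbidden then fallback.call(request)
  else 404
  end
end

# Vulnerable fallback: authenticate first, 404 only for signed-in users.
# An anonymous JSON caller therefore gets 401 for a hidden repo but 404
# for a nonexistent one, and can enumerate private paths by status code.
def vulnerable_route_not_found(request)
  authenticate_user!(request) || 404
end

# Hardened fallback: "exists but hidden" is indistinguishable from
# "does not exist" for every caller and every request format.
def hardened_route_not_found(_request)
  404
end

# True when an anonymous JSON caller can tell a hidden repo from a
# missing one under the given fallback.
def enumerable?(fallback)
  hidden  = Request.new(path: "/acme/payroll", format: :json, user: nil)
  missing = Request.new(path: "/acme/nope",    format: :json, user: nil)
  dispatch(hidden, fallback) != dispatch(missing, fallback)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable fallback: enumerable=#{enumerable?(method(:vulnerable_route_not_found))}"
  puts "hardened fallback:   enumerable=#{enumerable?(method(:hardened_route_not_found))}"
end
```

The check to carry away is `enumerable?`: whatever the fallback does for signed-in users, the response an anonymous caller gets for a hidden resource must be byte-for-byte the one they get for a resource that does not exist, in every request format.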

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
See merge request gitlab/gitlabhq!3488

Open Redirect issue.
Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569
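Added illustration of why the merge request above swaps `^`/`$` for `\A`/`\z`; it is not GitLab's `InternalRedirect` code. In Ruby, `^` and `$` always match at line boundaries, so a redirect target with an embedded newline has several "lines" and any one of them can satisfy a line-anchored pattern. The two rules, the function names and the sample targets are constructed for this example.

```ruby
# Added illustration, not GitLab's InternalRedirect code: a redirect
# target check written with line anchors (^ $) beside the same check with
# string anchors (\A \z). The rules, names and inputs are constructed.

# Intended rule: accept only a same-site path such as "/dashboard" or
# "/foo?x=1", never a scheme ("http://...") or a protocol-relative
# "//host" form.
LOOSE_RULE  = %r{^/(?!/)\S*$}    # line anchors: bypassable with a newline
STRICT_RULE = %r{\A/(?!/)\S*\z}  # string anchors: the whole value must match

def internal_path_loose?(target)
  target.match?(LOOSE_RULE)
end

def internal_path_strict?(target)
  target.match?(STRICT_RULE)
end

# Fallback used when the requested target fails the strict check.
ROOT_PATH = "/".freeze

def safe_redirect_target(target)
  internal_path_strict?(target) ? target : ROOT_PATH
end

# Constructed attacker inputs: a newline lets one "line" satisfy the
# line-anchored pattern while the string as a whole is an external URL.
ATTEMPTS = [
  "/dashboard",                       # legitimate
  "//evil.example",                   # protocol-relative, both rules reject
  "http://evil.example\n/dashboard",  # loose accepts via the second line
  "/\nhttp://evil.example"            # loose accepts via the first line
].freeze

# Targets the loose rule lets through that the strict rule rejects.
def bypasses
  ATTEMPTS.select { |t| internal_path_loose?(t) && !internal_path_strict?(t) }
end

if __FILE__ == $PROGRAM_NAME
  ATTEMPTS.each do |t|
    puts "#{t.inspect.ljust(36)} loose=#{internal_path_loose?(t)} " \
         "strict=#{internal_path_strict?(t)} -> #{safe_redirect_target(t).inspect}"
  end
end
```

The same line-anchor caveat applies to any Ruby regex used as an allow-list on untrusted input, not only redirect targets; `\A` and `\z` are the anchors that mean "start of string" and "end of string" there.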

in a project members' list. Add tests for possible scenarios
Re-factor and remove N + 1 queries
Remove author from changelog
Don't use memoisation when not needed
Include users part of parents of project's group
Re-factor tests
Create and add users according to roles
Re-use group created earlier
Add incomplete test for ancestral groups
Rename method to clarify category of groups
Skip pending test, remove comments not needed
Remove extra line
Include ancestors from invited groups as well
Add specs for participants service
Add more specs
Add more specs
use instead of
Use public group owner instead of project maintainer to test owner access
Remove tests that have now been moved into participants_service_spec
Use :context instead of :all
Create nested group instead of creating an ancestor separately
Add comment explaining doubt on the failing spec
Improve test setup
Optimize sql queries
Refactor specs file
Add rubocop disablement
Add special case for project owners
Add small refactor
Add explanation to the docs
Fix wording
Refactor group check
Add small changes in specs
Add cr remarks
Add cr remarks
Add specs
Add small refactor
Add code review remarks
Refactor for better database usage
Fix failing spec
Remove rubocop offences
Add cr remarks

'12-3-stable'
Prevent Bypassing Email Verification using Salesforce
See merge request gitlab/gitlabhq!3395

Fix rubocop offences and add changelog
Add email_verified key for feature specs
Add code review remarks
Add code review remarks
Fix specs

'12-3-stable'
Check that SAML identity linking validates the origin of the request
See merge request gitlab/gitlabhq!3396

If the request wasn't initiated by gitlab we shouldn't add the new
identity to the user, and instead show that we weren't able to link
the identity to the user.
This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509

'security-12717-fix-confidential-issue-assignee-visible-to-guests-12-3' into '12-3-stable'
Display only participants that user has permission to see
See merge request gitlab/gitlabhq!3421

Redirect user to root path after unsubscribing from private resource
See merge request gitlab/gitlabhq!3423

If a user unsubscribes from a resource that they no longer have access
to, the resource path should not be revealed to them; they should be
redirected to the app root instead.
https://gitlab.com/gitlab-org/gitlab-ce/issues/64938

'security-12718-project-milestones-disclosed-via-groups-12-3-ce' into '12-3-stable'
Hide disabled project milestones in project settings on group level
See merge request gitlab/gitlabhq!3424

Enable serving static objects from an external storage
See merge request gitlab-org/gitlab-ce!31025

It consists of two parts:
1. Redirecting users to the configured external storage
2. Allowing the external storage to request the static object(s)
on behalf of the user by means of specific tokens
Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829

Optimize /admin/applications so that it does not timeout
Closes #67228
See merge request gitlab-org/gitlab-ce!32852

On our dev instance, /admin/applications was not loading because:
1. There was an unindexed query by `application_id`.
2. There was an expensive query that attempted to load 1 million
unique entries via ActiveRecord just to find the unique count.
We fix the first issue by adding an index for that column.
We fix the second issue with a simple SELECT COUNT(DISTINCT
resource_owner_id) SQL query.
In addition, we add pagination to avoid loading more than 20
applications at once.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/67228

Optimize queries for snippet listings
See merge request gitlab-org/gitlab-ce!32576

We had similar code in a few places to redirect to the last page if
the given page number is out of range. This unifies the handling in a
new controller concern and adds usage of it in all snippet listings.

camilstaps/gitlab-ce-new-66023-public-private-fork-counts

- Create HAML UI to select a cloud provider to create a cluster.
- Add query param to :new cluster view to display a specific cluster
provider form depending on the value of the provider query param.
- Update unit tests and e2e tests to reflect these changes