delta/gitlab/gitlab-ce.git - gitlab.com: gitlab-org/gitlab-ce.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Replace '.team << [user, role]' with 'add_role(user)' in specs36782-replace-team-user-role-with-add_role-user-in-specs	blackst0ne	2017-12-22	1	-5/+5
\|
*	Skip projects filter on merge requests searchjprovazn-search	Jan Provaznik	2017-12-21	1	-0/+11
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When searching for merge requests, an additional subquery is added which by default filters only merge requests which belong to source or target project user has permission for. This filter is not needed because more restrictive filter which checks if user has permission for target project is used in the query. So unless a custom projects filter is used by user, it's possible to skip the default projects filter and speed up the final query. Related to #40540
*	Add a project forks spec helper	Bob Van Landuyt	2017-10-07	1	-1/+3
\| \| \| \| \|	The helper creates a fork of a project with all provided attributes, but skipping the creation of the repository on disk.
*	Change all `:empty_project` to `:project`rs-empty_project-default	Robert Speicher	2017-08-02	1	-7/+7
\|
*	Backport of multiple_assignees_feature [ci skip]	Valery Sizov	2017-05-04	1	-2/+2
\|
*	Use `:empty_project` where possible throughout spec/librs-empty_project-lib	Robert Speicher	2017-01-25	1	-1/+1
\|
*	Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security'	Douwe Maan	2016-12-08	1	-0/+16
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Replace MR access checks with use of MergeRequestsFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :bomb: app/finders/notes_finder.rb:17 - [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`] - [x] :bomb: app/controllers/concerns/creates_commit.rb:84 - [x] :traffic_light: app/controllers/projects/commits_controller.rb:24 - [x] :traffic_light: app/controllers/projects/compare_controller.rb:56 - [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29 - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27 - [x] :vertical_traffic_light: app/models/commit.rb:268 - [x] :white_check_mark: lib/gitlab/search_results.rb:71 - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)` - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`. - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?` See merge request !2033
*	Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'	Douwe Maan	2016-11-28	1	-19/+32
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Replace issue access checks with use of IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR? :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested ### Issue lookup with access check Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells). - [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`] - [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`] - [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`] - [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone - [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too? - [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`] ### Previous discussions - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126 - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87 See merge request !2031
*	Clean up search result classesclean_up_search_classes	Valery Sizov	2016-09-06	1	-18/+0
\|
*	adds second batch of tests changed to active tenseactive-tense-test-coverage	tiagonbotelho	2016-08-09	1	-6/+6
\|
*	Project members with guest role can't access confidential issues	Douglas Barbosa Alexandre	2016-06-13	1	-0/+16
\|
*	Restrict access to confidential issues on search results	Douglas Barbosa Alexandre	2016-03-17	1	-1/+90
\|
*	Refactor Gitlab::SearchResults	Yorick Peterse	2016-03-11	1	-0/+55
	Instead of plucking IDs this class now uses ActiveRecord::Relation objects. Plucking IDs is problematic as searching for projects can lead to a huge amount of IDs being loaded into memory only to be used as an argument for another query (instead of just using a sub-query).