path: root/spec/requests
Commit message | Author | Age | Files | Lines
* Merge branch 'security-makrdown-release-description-vulnerability' into 'master' | Yorick Peterse | 2019-02-06 | 1 | -0/+25
    [master] Markdown of release notes leaks confidential issue titles and MR titles to any users
    See merge request gitlab/gitlabhq!2869
  * Fix Markdown of release notes | Shinya Maeda | 2019-01-30 | 1 | -0/+25
      It was leaking confidential issue titles and MR titles to any users
      Fix spec
      Fix spec
      Fix tests
  * Merge branch 'security-2767-verify-lfs-finalize-from-workhorse' into 'master' | Yorick Peterse | 2019-01-24 | 1 | -5/+18
      [master] Verify that LFS upload requests are genuine
      Closes #2767
      See merge request gitlab/gitlabhq!2767
    * Verify that LFS upload requests are genuine | Nick Thomas | 2019-01-22 | 1 | -5/+18
        LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse:

        * Authorizes the request with rails (upload_authorize)
        * Handles the upload of the file to a tempfile - disk or object storage
        * Validates the file size and contents
        * Hands off to rails to complete the upload (upload_finalize)

        In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID.

        Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request.

        If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request.

        The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID.

        We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
  * Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master' | Yorick Peterse | 2019-01-24 | 1 | -5/+9
      [master] Do not expose trigger token when user should not see it
      See merge request gitlab/gitlabhq!2735
    * Do not expose trigger token when user should not see it | Grzegorz Bizon | 2019-01-15 | 1 | -5/+9
* Merge branch 'rd-update-last_activity_on-on-logins-and-browsing-activity-54947' into 'master' | Stan Hu | 2019-02-05 | 1 | -0/+114
    Update User's last_activity_on for any GET request on projects
    Closes #54947
    See merge request gitlab-org/gitlab-ce!24642
  * Update last_activity_on for Users on some main GET endpoints | Rubén Dávila | 2019-02-05 | 1 | -0/+114
      In order to have an accurate date about the last activity of a User we need to update the last_activity_on field when the User is visiting some basic pages of GitLab like pages related to Dashboards, Projects, Issues and Merge Requests
* Merge branch 'sh-encode-content-disposition' into 'master' | Sean McGivern | 2019-02-05 | 3 | -4/+4
    Encode Content-Disposition filenames
    Closes #47673
    See merge request gitlab-org/gitlab-ce!24919
  * Encode Content-Disposition filenames | Stan Hu | 2019-02-04 | 3 | -4/+4
      Users downloading non-ASCII attachments would see garbled characters. When used with object storage, AWS S3 would return an InvalidArgument error: Header value cannot be represented using ISO-8859-1.

      Per RFC 5987 and RFC 6266, Content-Disposition should be encoded properly. This commit takes the Rails 6 implementation of ActiveSupport::Http::ContentDisposition (https://github.com/rails/rails/pull/33829) and ports it here.

      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/47673
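What the RFC 6266 / RFC 5987 encoding described in the commit above looks like in practice, as an added example that is not the Rails port the commit ships: a lossy ASCII `filename` for legacy clients plus a percent-encoded `filename*` parameter for everyone else, with a final check that the header is pure ASCII so a store like S3 will not reject it. The function names are assumptions; the sample filenames are constructed.

```ruby
# Added example, not GitLab's or Rails' code.

# attr-char from RFC 5987: ALPHA / DIGIT / "!" / "#" / "$" / "&" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
ATTR_CHAR_BYTES = [*'A'..'Z', *'a'..'z', *'0'..'9', *%w[! # $ & + - . ^ _ ` | ~]].join.bytes.freeze

# Percent-encode every UTF-8 byte outside attr-char. This is the value part of
# an RFC 5987 ext-value; the "UTF-8''" prefix is added by the caller.
def rfc5987_encode(filename)
  filename.encode('UTF-8').each_byte.map do |b|
    ATTR_CHAR_BYTES.include?(b) ? b.chr : format('%%%02X', b)
  end.join
end

# Lossy fallback for the plain `filename` parameter: replace anything that is
# not ASCII with '?', strip control characters (so CR/LF cannot inject a
# header), and escape the quoted-string specials '"' and '\'.
def ascii_fallback(filename)
  filename.encode('US-ASCII', invalid: :replace, undef: :replace, replace: '?')
          .delete("\x00-\x1F\x7F")
          .gsub(/["\\]/) { |c| "\\#{c}" }
end

# disposition is "attachment" or "inline". Both parameters are always sent:
# old clients read `filename`, RFC 6266 clients prefer `filename*`.
def content_disposition(disposition, filename)
  value = "#{disposition}; filename=\"#{ascii_fallback(filename)}\"; " \
          "filename*=UTF-8''#{rfc5987_encode(filename)}"
  # A header that is not pure ASCII is a bug, not something to hand to the client or to S3.
  raise ArgumentError, 'Content-Disposition value is not ASCII' unless value.ascii_only?
  value
end

if $PROGRAM_NAME == __FILE__
  puts content_disposition('attachment', 'résumé.pdf')
end
```

The `filename` parameter is deliberately lossy: its only job is to give pre-RFC-6266 clients something parseable, and anything outside printable ASCII would either be garbled by them or rejected by an ISO-8859-1-only header store.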
* Merge branch 'search-title' into 'master' | Sean McGivern | 2019-02-05 | 2 | -0/+24
    Add 'in' filter that modifies scope of 'search' filter to issues and merge requests API
    See merge request gitlab-org/gitlab-ce!24350
  * Add 'in' filter that modifies scope of 'search' filter to issues and merge requests API | Hiroyuki Sato | 2019-01-14 | 2 | -0/+24
* Add programming language filtering to `/projects` | Dylan MacKenzie | 2019-02-04 | 1 | -0/+47
* Merge branch '51913-api-getting-projects-for-users-with-dot-gets-404' into 'master' | Rémy Coutable | 2019-02-01 | 2 | -3/+12
    API: Support username with dots
    Closes #51913
    See merge request gitlab-org/gitlab-ce!24395
  * API: Support username with dots | Robert Schilling | 2019-01-15 | 2 | -3/+12
* Verify that LFS upload requests are genuine | Nick Thomas | 2019-01-31 | 1 | -5/+18
    LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse:

    * Authorizes the request with rails (upload_authorize)
    * Handles the upload of the file to a tempfile - disk or object storage
    * Validates the file size and contents
    * Hands off to rails to complete the upload (upload_finalize)

    In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID.

    Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request.

    If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request.

    The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID.

    We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
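One way to enforce the requirement stated in the LFS commit above (this one and its earlier copy on the security branch), as an added example that is not GitLab's or Workhorse's own code: the proxy attaches an HS256-signed JWT in a request header to prove it handled the request, and the finalize action refuses to link an object unless that signature verifies against the shared secret. The header and issuer names mirror the Workhorse convention as an assumption; the `workhorse_proxy` simulation, the secret and the request hashes are constructed for illustration.

```ruby
require 'json'
require 'openssl'

# Added example, not GitLab's or Workhorse's code.
WORKHORSE_HEADER = 'Gitlab-Workhorse-Api-Request'   # assumed header name
WORKHORSE_ISSUER = 'gitlab-workhorse'               # assumed issuer claim

def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

# Strict decode: junk characters or bad padding raise ArgumentError.
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# Constant-time comparison so a forged signature cannot be refined byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Proxy side: mint the proof-of-handling token attached to requests it processed.
def mint_workhorse_token(secret, issuer: WORKHORSE_ISSUER)
  head = b64url_encode(JSON.generate(alg: 'HS256', typ: 'JWT'))
  body = b64url_encode(JSON.generate(iss: issuer))
  sig  = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
  "#{head}.#{body}.#{b64url_encode(sig)}"
end

# Rails side: true only if the header carries a three-part JWT whose HMAC
# verifies under the shared secret and whose issuer is the proxy. The
# signature is checked before any claim is parsed or trusted.
def workhorse_request?(headers, secret)
  parts = headers[WORKHORSE_HEADER].to_s.split('.')
  return false unless parts.size == 3
  head, body, sig = parts
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
  return false unless secure_compare(b64url_decode(sig), expected)
  JSON.parse(b64url_decode(head))['alg'] == 'HS256' &&
    JSON.parse(b64url_decode(body))['iss'] == WORKHORSE_ISSUER
rescue ArgumentError, TypeError, NoMethodError, JSON::ParserError
  false
end

# Simulated edge: the LFS routine (size/OID validation, then signing) runs only
# for application/octet-stream; any other Content-Type is proxied untouched.
def workhorse_proxy(request, secret)
  return request unless request[:headers]['Content-Type'] == 'application/octet-stream'
  request.merge(headers: request[:headers].merge(WORKHORSE_HEADER => mint_workhorse_token(secret)))
end

# Before the fix: reaching the finalize route was enough to get an object linked.
def upload_finalize_before(_request, _secret)
  :linked
end

# After the fix: only requests the proxy signed are finalized.
def upload_finalize_after(request, secret)
  workhorse_request?(request[:headers], secret) ? :linked : :forbidden
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-shared-secret'
  bypass = { headers: { 'Content-Type' => 'application/json' } }
  puts upload_finalize_before(workhorse_proxy(bypass, secret), secret)   # linked: the hole
  puts upload_finalize_after(workhorse_proxy(bypass, secret), secret)    # forbidden
end
```

The secret never leaves the two processes, so a client that changes its Content-Type to skip the proxy's validation has no way to produce the header; a request with a missing, forged, or foreign-issuer token is rejected before any LFS object is touched.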
* Do not expose trigger token when user should not see it | Grzegorz Bizon | 2019-01-31 | 1 | -5/+9
* Merge branch 'bw-enable-sourcepos' into 'master' | Robert Speicher | 2019-01-28 | 1 | -0/+2
    Enable CommonMark source line position information
    See merge request gitlab-org/gitlab-ce!23971
  * Fix review comments | Brett Walker | 2019-01-21 | 1 | -1/+3
      including refactoring, disabling sourcepos for pipelines that don't need it, and minimizing spec changes by disabling sourcepos when not testing for it explicitly.
  * Enable CommonMark source line position information | Brett Walker | 2019-01-21 | 1 | -1/+1
      This adds 'data-sourcepos' to tags, indicating which line of markdown it came from. Sets the stage for intelligently manipulating specific lines of markdown.
* Merge branch 'container-repository-cleanup-api' into 'master' | Grzegorz Bizon | 2019-01-25 | 1 | -0/+224
    Container repository cleanup API
    Closes #55978
    See merge request gitlab-org/gitlab-ce!24303
  * Add Container Registry API | Kamil Trzciński | 2019-01-25 | 1 | -0/+224
      This includes a set of APIs to manipulate container registry. This includes also an ability to delete tags based on requested criteria, like keep-last-n, matching-name, older-than.
* Merge branch '56392-enable-the-layout-extraspacing-cop' into 'master' | Lin Jen-Shin | 2019-01-24 | 17 | -24/+24
    Enable the Layout/ExtraSpacing cop
    Closes #56392
    See merge request gitlab-org/gitlab-ce!24423
  * Enable the Layout/ExtraSpacing cop (branch: 56392-enable-the-layout-extraspacing-cop) | Rémy Coutable | 2019-01-24 | 17 | -24/+24
      Signed-off-by: Rémy Coutable <remy@rymai.me>
* Get remote address for runner | Steve Azzopardi | 2019-01-24 | 1 | -3/+3
    Check if `X-Forwarded-For` is set before getting the IP of the request; with this, the real IP address of the runner is shown if it's behind a proxy.

    closes https://gitlab.com/gitlab-org/gitlab-ce/issues/53676
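A caveat for the `X-Forwarded-For` lookup in the commit above: that header is written by whoever sends the request, so an entry in it can only be trusted when every hop to its right is a proxy you control; taking the leftmost entry lets a runner (or anyone) record whatever address it likes. Added example, not GitLab's code: the naive lookup beside one that walks the chain from the right and skips known proxies. The `TRUSTED_PROXIES` ranges, the Rack-style env hashes and the function names are constructed.

```ruby
require 'ipaddr'

# Added example, not GitLab's code. Networks of the proxies allowed to sit in
# front of the application; every other address is an untrusted party.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }.freeze

# nil for blank or unparsable input so junk in the header is simply ignored.
def parse_ip(str)
  return nil if str.nil? || str.strip.empty?
  IPAddr.new(str.strip)
rescue ArgumentError   # IPAddr::InvalidAddressError is an ArgumentError
  nil
end

def trusted_proxy?(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
end

# Naive lookup: the first X-Forwarded-For entry wins. Anyone can set that
# header, so the reported address is whatever the sender chose.
def remote_ip_naive(env)
  xff = env['HTTP_X_FORWARDED_FOR']
  return env['REMOTE_ADDR'] if xff.nil? || xff.strip.empty?
  xff.split(',').first.strip
end

# Hardened lookup: if the socket peer is not one of our proxies, the header
# is ignored outright. Otherwise walk the chain from the right (the hop
# nearest to us) and skip every trusted proxy; the first untrusted address
# is the client. If every hop is trusted, the leftmost one is the client.
def remote_ip(env)
  peer = parse_ip(env['REMOTE_ADDR'])
  return env['REMOTE_ADDR'] if peer.nil? || !trusted_proxy?(peer)
  hops = (env['HTTP_X_FORWARDED_FOR'] || '').split(',').map { |h| parse_ip(h) }.compact
  client = hops.reverse.find { |hop| !trusted_proxy?(hop) } || hops.first || peer
  client.to_s
end

if $PROGRAM_NAME == __FILE__
  spoof = { 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1' }
  puts remote_ip_naive(spoof)   # 198.51.100.1, chosen by the sender
  puts remote_ip(spoof)         # 203.0.113.7, the socket peer
end
```

Whether the stored runner address is used only for display or also for allow-listing, the hardened form is the one to log: the naive value is attacker-controlled input and should be treated as such in detections built on it.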
* Merge branch 'proof-read' into 'master' | Achilleas Pipinellis | 2019-01-22 | 1 | -2/+2
    Fix typos in dev & test docu
    See merge request gitlab-org/gitlab-ce!24539
  * Fix typos | Katrin Leinweber | 2019-01-21 | 1 | -2/+2
* Merge branch 'sh-preload-associations-for-group-api' into 'master' | Douwe Maan | 2019-01-21 | 1 | -0/+14
    Eliminate N+1 queries in /api/groups/:id
    Closes #49845
    See merge request gitlab-org/gitlab-ce!24513
  * Eliminate N+1 queries in /api/groups/:id | Stan Hu | 2019-01-19 | 1 | -0/+14
      In https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/15475/diffs, a significant amount of work went into eliminating N+1 queries in the /api/groups/:id/projects endpoint. We can reuse the `Entities::Project.prepare_relation` call on the projects.

      In a group with 2,573 projects on GitLab.com, this change significantly improves performance:

      * 18019 SQL queries down to 21
      * Time spent in DB: 70 s down to 384 ms

      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/49845
* Search project tags via API | Robert Schilling | 2019-01-21 | 1 | -0/+12
* Merge branch 'raise-on-unfiltered-params' into 'master' | Rémy Coutable | 2019-01-21 | 1 | -0/+11
    Set ActionController raise_on_unfiltered_parameters to true
    See merge request gitlab-org/gitlab-ce!24443
  * Actually set raise_on_unfiltered_parameters to true | Jasper Maes | 2019-01-16 | 1 | -0/+11
* Merge branch 'api-nested-group-permission' into 'master' | Nick Thomas | 2019-01-18 | 1 | -0/+34
    Return the maximum group access level in the projects API
    Closes #43684
    See merge request gitlab-org/gitlab-ce!24403
  * Return max group access level in the projects API | Alejandro Rodríguez | 2019-01-16 | 1 | -0/+34
      Currently if a project is inside a nested group and a user doesn't have specific permissions for that group but does have permissions on a parent group the `GET /projects/:id` API call will return the following permissions:

      ```json
      permissions: {
        project_access: null,
        group_access: null
      }
      ```

      It could also happen that the group specific permissions are of lower level than the ones the user has in parent groups.

      This patch makes it so that the permission returned for `group_access` is the highest from amongst the hierarchy, which is (ostensibly) the information that the API user is interested in for that field.
* API for importing external repos | Ben | 2019-01-17 | 1 | -0/+56
* Merge branch 'shared_with_group_path' into 'master' | Nick Thomas | 2019-01-16 | 1 | -0/+2
    Add group full path to project's shared_with_groups
    See merge request gitlab-org/gitlab-ce!24052
  * Add group full path to project's shared_with_groups | Mathieu Parent | 2019-01-15 | 1 | -0/+2
* Merge branch 'zj-feature-gate-set-project-path' into 'master' | Kamil Trzciński | 2019-01-16 | 1 | -0/+34
    Allow setting of feature gates per project
    See merge request gitlab-org/gitlab-ce!24184
  * Allow setting of feature gates per project | Zeger-Jan van de Weg | 2019-01-14 | 1 | -0/+34
      For features the feature gates are sometimes projects, not groups or users. For example for git object pools: https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5872

      This commit allows for setting feature group gates based on projects, by its path as that seems most convenient.
* API: Fix default branch protection setting for Admin API | Robert Schilling | 2019-01-15 | 1 | -1/+3
* API: Support dots in wiki slugs | Robert Schilling | 2019-01-15 | 1 | -1/+1
* Merge branch '9070-refactor-specs' into 'master' | Stan Hu | 2019-01-11 | 1 | -207/+111
    Refactor epics/issues API specs
    See merge request gitlab-org/gitlab-ce!24302
  * Refactor epics/issues API specs | Douglas Barbosa Alexandre | 2019-01-10 | 1 | -207/+111
      Refactor the epics/issues API specs to remove code duplication.
* Merge branch '56110-cluster-kubernetes-api-500-error-on-post-request' into 'master' | Kamil Trzciński | 2019-01-11 | 1 | -0/+17
    Improves restriction of multiple Kubernetes clusters via API
    Closes #56110
    See merge request gitlab-org/gitlab-ce!24251
  * Restrict multiple clusters through API | Mayra Cabrera | 2019-01-10 | 1 | -0/+17
      Modifies authorize! method to accept a third param, and then use it in combination with 'add_cluster' policy to appropriately restrict adding multiple clusters

      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56110
* Remove releases_page feature flag | Shinya Maeda | 2019-01-11 | 2 | -119/+0
    We introduced releases_page feature flag. Given this feature is deemed stable, we should remove this flag before 19th.
* Fix files/blob api endpoint content disposition | Francisco Javier López | 2019-01-10 | 2 | -4/+6
* Disable audit event logging for pipeline destruction | Stan Hu | 2019-01-10 | 1 | -2/+2
    AuditEventService isn't equipped to handle logging of the destruction of entities such as CI pipelines. It's a project-level event that operates on a pipeline. The current log doesn't even indicate that the pipeline is being destroyed.

    This is a CE backport of https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9105. We're removing the auditing call because it breaks the EE implementation.
* Merge branch 'sh-switch-rack-request-to-actionpack' into 'master' | Robert Speicher | 2019-01-09 | 1 | -2/+2
    Switch use of Rack::Request to ActionDispatch::Request
    See merge request gitlab-org/gitlab-ce!24199
  * Switch use of Rack::Request to ActionDispatch::Request | Stan Hu | 2019-01-07 | 1 | -2/+2
      As mentioned in https://gitlab.com/gitlab-org/gitlab-ee/issues/9035#note_129093444, Rails 5 switched ActionDispatch::Request so that it no longer inherits Rack::Request directly. A middleware that uses Rack::Request to read the environment may see stale request parameters if another middleware modifies the environment via ActionDispatch::Request. To be safe, we should be using ActionDispatch::Request everywhere.