08 Dec, 2016 5 commits

Rémy Coutable authored

Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>

Sean McGivern authored
Make the `downtime_check` task happy
See merge request !7845
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>

Douwe Maan authored
Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.
Closes #24537
See merge request !7615
Signed-off-by: Rémy Coutable <remy@rymai.me>
07 Dec, 2016 1 commit

Douwe Maan authored
Replace MR access checks with use of MergeRequestsFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

### MR lookup from project

- [x] 💣 app/finders/notes_finder.rb:17
- [x] ⚠ app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] 💣 app/controllers/concerns/creates_commit.rb:84
- [x] 🚥 app/controllers/projects/commits_controller.rb:24
- [x] 🚥 app/controllers/projects/compare_controller.rb:56
- [x] 🚦 app/controllers/projects/discussions_controller.rb:29
- [x] ✅ app/controllers/projects/todos_controller.rb:27
- [x] 🚦 app/models/commit.rb:268
- [x] ✅ lib/gitlab/search_results.rb:71

### Previous discussions

- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize `merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?`

See merge request !2033
02 Dec, 2016 1 commit

Alejandro Rodríguez authored
28 Nov, 2016 1 commit

Alejandro Rodríguez authored
25 Nov, 2016 4 commits

Robert Speicher authored
Update grape-entity to 0.6.0
See merge request !7491
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
The `repository_access_level` attribute doesn't exist in the 8-12-stable branch so repository access cannot be restricted using this feature. Fortunately we use `can?(user, :download_code, ref_project)` in lib/banzai/reference_parser/commit_parser.rb and lib/banzai/reference_parser/commit_range_parser.rb and this permission already exists in 8-12-stable (it only depends on the project `visibility_access`).
Signed-off-by: Rémy Coutable <remy@rymai.me>

Douwe Maan authored
Honour issue and merge request visibility in their respective finders

This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
See merge request !2000

Douwe Maan authored
Disable markdown in comments when referencing disabled features

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548

This MR prevents the following references when the tool is disabled:
- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones

This MR does not prevent references to repository files, since they are just markdown links and don't leak information.
See merge request !2011
Signed-off-by: Rémy Coutable <remy@rymai.me>
24 Nov, 2016 10 commits

Alejandro Rodríguez authored
This reverts commit 5614d724.

Alejandro Rodríguez authored
This reverts commit 311b59d9.

Alejandro Rodríguez authored

Douwe Maan authored
Honour issue and merge request visibility in their respective finders

This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
See merge request !2000

Douwe Maan authored
Disable markdown in comments when referencing disabled features

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548

This MR prevents the following references when the tool is disabled:
- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones

This MR does not prevent references to repository files, since they are just markdown links and don't leak information.
See merge request !2011
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>

Douwe Maan authored
Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] ✅ lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>

Douwe Maan authored
Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

- [x] ✅ app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc.
- [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] ✅ app/controllers/projects/todos_controller.rb:19
- [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030
Signed-off-by: Rémy Coutable <remy@rymai.me>

Douwe Maan authored
Fix information disclosure in `Projects::BlobController#update`

It was possible to discover private project names by modifying the `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

https://gitlab.com/gitlab-org/gitlab-ce/issues/22869
See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>
09 Nov, 2016 2 commits

Rémy Coutable authored
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Stan Hu authored
08 Nov, 2016 1 commit

Douwe Maan authored
Fix for HackerOne XSS vulnerability in markdown

This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
03 Nov, 2016 1 commit

Rémy Coutable authored
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
02 Nov, 2016 1 commit

Robert Speicher authored
01 Nov, 2016 3 commits

James Lopez authored

James Lopez authored

Douwe Maan authored
Use Hash rocket syntax to fix cycle analytics under Ruby 2.1
Refers to #23510
See merge request !6977
17 Oct, 2016 10 commits

Rémy Coutable authored

Rémy Coutable authored
Fix Safari displaying NaN for selected due date

## What does this MR do?

1. Stops using `Date.parse` to parse selected due dates.
2. Refactors DueDateSelectors to be more maintainable and readable

## Are there points in the code the reviewer needs to double check?

**To review the actual fix, look here:** https://gitlab.com/gitlab-org/gitlab-ce/commit/4ad43ac3a12902d7ea01dc09f8a361b01c21a0ee. It would be difficult to pick out from the overall diff.

## Why was this MR needed?

In Safari, the due date selector was displaying 'NaN' when a date is selected, which was being returned by `Date.parse`. Because `Date.parse` is implemented differently across browsers it's generally recommended to favor implicit Date parsing with the `Date` constructor. For more background on this, [see MDN on Date.parse](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/Date/parse).

Also, the code for DueDateSelector was pretty messy, and its logic was very tightly coupled, so I refactored it. None of the basic logic changed, I just broke it up into smaller pieces and made it more OO.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22984
See merge request !6797
Signed-off-by: Rémy Coutable <remy@rymai.me>

Stan Hu authored
Fix broken rspec in compare text

!6910 changed the filter text from "Filter by branch/tag" to "Filter by Git revision"
See merge request !6926

Dmitriy Zaporozhets authored
Fix 500 error when creating milestone from group page

Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/23378
See merge request !6920

Stan Hu authored
Fix broken Spinach tests caused by changes in !6550

!6550 added dropdowns for the branch "from" and "to" fields, but these Spinach tests were not updated accordingly.

Partial fix to #23378
See merge request !6910

Rémy Coutable authored
Handle case where deployment ref no longer exists

## What does this MR do?

In 8.9, we didn't create keep-around refs for deployments. So it's possible that someone created a deployment (say, for testing), and then deleted the branch and all other references to that commit. That commit could then get GCed, and trying to view MRs on 8.11+ will show a 500.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/22655#note_16575020 for more details.

## Why was this MR needed?

If someone created a deployment on 8.9, then deleted all references to the commit for that deployment, we will throw an exception when checking if the deployment includes a commit.

Closes #22655.
See merge request !6855
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
Loads GFM once per page

## What does this MR do?

Currently the GFM init code is included every time there is a GFM form on the page. This changes that & only includes it once if any number of GFM forms are on the page.

## What are the relevant issue numbers?

#22827
See merge request !6840
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
Merge branch '23234-deleting-a-milestone-removes-source-branch-deletion-options-of-associated-merge-requests' into 'master'

Maintain "force_remove_source_branch" options on Merge Request unless specified

Fixes a problem where Merge Requests were losing the state associated with the flag to remove the source branch upon merge

* Closes #23234
* Closes #23191
* Closes #19351

See merge request !6817
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rémy Coutable authored
Fix JS bug with select2 because of missing `data-field` attribute in select box.

Fixes #23193
See merge request !6812
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fatih Acet authored
Prevent flash alert text from being obscured when container is fluid

Fixes [a regression](https://gitlab.com/gitlab-org/gitlab-ce/commit/a2af7790) that causes the text within server-initiated flash *alerts* (not flash *notices*) to be obscured when `.container-fluid` is applied. It was reported in relation to a cherry-picking flash alert, but the problem occurs with all server-initiated flash alerts contained by a fluid container.

Note that as part of this fix, I combined some duplicate code and removed `.flash-text` & `.content-wrapper` selectors as they didn't seem to be necessary. I manually tested JS-initiated Flash alerts to make sure this doesn't affect their appearance. I also grepped around for anything else that might depend on these styles. Everything checked out. But... can *you* see something this is going to break?

Affected users can't read flash alerts.

https://gitlab.com/gitlab-org/gitlab-ce/issues/22915
See merge request !6694
Signed-off-by: Rémy Coutable <remy@rymai.me>